How much does a ransomware or data breach attack affect hospital services? A recent study determined that hospitals who had been hit by a cyber attack witnessed increased death rates among patients with heart issues. Cyber attacks and the remediations that follow frequently increase the amount of time a patient waits to be treated or to receive test results.
Researchers at Vanderbilt University’s Owen Graduate School of Management examined more than 3,000 Medicare-certified hospitals in the United States. Roughly 300 of these hospitals had experienced ransomware and other attacks between 2012 and 2016. The researchers not only studied what happened to patients during the cyber attacks, but how patients were affected by any remedial measures the hospitals applied to avoid future attacks.
Hospitals typically try to implement better security measures after a cyber attack. These security measures may include tools like multi-factor authentication or simply stronger password requirements. Such measures typically have little impact on everyday people, but they can be the difference between life and death in a hospital. The researchers remarked, “Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes.” These extra cybersecurity efforts may delay or interrupt patient care.
Patients who were suspected of having a heart attack waited an extra 2.7 minutes to receive an electrocardiogram in hospitals that applied stronger cybersecurity practices after an attack. This delay continued to hover around 2 minutes even several years after the cyber attack. There are also appeared to be an additional 36 deaths per 10,000 heart attack patients annually in these same hospitals.
Unfortunately this particular study was rather limited. They were unable to study the kinds of security measures that were put in place after an attack. The hospitals in this study did not want to provide hackers with any more information about their cybersecurity practices or allow competing hospitals to swipe their patients.
Another recent study examined the vulnerability of MRI and CT machines. Researchers designed malware that was able to add or take away fake cancerous nodules from CT and MRI scans. Many radiologists were fooled by the images.
What can be done to reduce mortality rates? Leo Scanlon, former Chief Information Security Officer (CISO) of the U.S. Department of Health and Human Services (HHS), insisted, “I believe that nothing less than a congressional investigation will give the subject the attention it deserves.” It may be time to evaluate what security measures hospitals have in the first place and whether fully computerized systems are always the most efficient way of providing health services.