Impact of ransomware on healthcare: what’s confirmed and what’s just speculative?
What impact do ransomware attacks have on delivering healthcare services to patients? Some claims have been made, but are the claims supported by any objective data, or are people just guessing what the impact has been or could be?
In this week’s news, a hospital in Illinois announced it will be temporarily closing due to a combination of factors and events. 25News reports:
The letter says the hospital’s current provider of physicians terminated its contract and St. Margaret’s can’t find or financially support a new emergency room provider.
In addition, the letter said there’s not enough staff to operate the hospital in Peru and St. Margaret Health’s other hospital a few miles away in Spring Valley.
The letter blames COVID, a cyber-attack preventing timely billing, staffing shortages, and other rising costs.
So how do we assess the impact of the ransomware attack in this type of case? It is undoubtedly challenging.
Then, too, consider a report by Ponemon, which surveyed 579 cybersecurity professionals. A key part of their findings is presented below:
According to their report, more than 1 in 3 respondents said ransomware resulted in increased complications from medical procedures, and more than 1 in 5 said that ransomware attacks adversely impacted patient mortality rates (respondents could identify more than one type of impact).
But on what do the respondents base their reports?
It is objectively easier to calculate the number of days routine testing or care may have been delayed in response to an attack. It is objectively easier to calculate the number of patients whose ambulances were diverted to other facilities, and how much time that potentially added to the delay in care — although even then, given that ambulances are equipped and provide care while the patient is in the ambulance, is care even really delayed in many cases?
But if you are going to claim that a ransomware attack led to increased mortality, then what happened as a result of the attack that was responsible? Was access to the patient’s medical history impacted? Was delivery of needed medications delayed due to the attack? How do you connect the dots between the attack and the increased mortality? Surveying professionals and asking them for their impressions differs from collecting objective data and analyzing it.
Years ago, DataBreaches repeatedly criticized surveys that predicted a significant percentage of patients would leave their doctors or facilities (“churn”) if there had been a data breach involving their personal and health data. DataBreaches noted at the time that what people may SAY they will do and what they actually do are often significantly different — and that’s particularly true when a hospital may be the only one in an area, or there are no other specialists within a reasonable distance. These days, because breaches are so common, you seldom hear about people leaving or changing doctors or hospitals because of a data breach. It happens, but nowhere near the rates surveys were claiming or predicting years ago.
Similarly, a Ponemon study years ago about medical identity theft created certain impressions about its rate and occurrence unless you dug deeper into their methodology and discovered that a lot of what they coded as medical identity theft was patients knowingly sharing their health insurance information with family members or friends. When asked about that, Ponemon informed this blogger that they considered that medical identity theft because that is how law enforcement viewed it.
And now here we are, again reading claims about the impact of crimes on healthcare. And again, DataBreaches is asking how these claims are being substantiated.
Do ransomware attacks have an impact on patient care? There’s certainly the potential for harmful impact in many situations, but we shouldn’t be guessing or assuming.