Hospitals that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts, a new study posits. Health industry experts say the findings should prompt a larger review of how security — or the lack thereof — may be impacting patient outcomes.
Researchers at Vanderbilt University's Owen Graduate School of Management took the Department of Health and Human Services (HHS) list of healthcare data breaches and used it to drill down on data about patient mortality rates at more than 3,000 Medicare-certified hospitals, about 10 percent of which had experienced a data breach.
As PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined.
The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.
“Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes,” the authors found. “Remediation activity may introduce changes that delay, complicate or disrupt health IT and patient care processes.”
Leo Scanlon, former deputy chief information security officer at the HHS, said the findings in this report practically beg for a similar study to be done in the United Kingdom, whose healthcare system was particularly disrupted by the WannaCry ransomware worm, which spread globally in May 2017 through a Microsoft Windows vulnerability prevalent in older healthcare systems.
“The exploitation of cybersecurity vulnerabilities is killing people,” Scanlon told KrebsOnSecurity. “There is a lot of possible research that might be unleashed by this study. I believe that nothing less than a congressional investigation will give the subject the attention it deserves.”
A post-mortem on the impact of WannaCry found the outbreak cost U.K. hospitals almost 100 million pounds and caused significant disruption to patient care, such as the cancellation of some 19,000 appointments — including operations — and the disruption of IT systems for at least a third of all U.K. National Health Service (NHS) hospitals and eight percent of general practitioners. In several cases, hospitals in the U.K. were forced to divert emergency room visitors to other hospitals.
But what isn’t yet known is how WannaCry affected mortality rates among heart attack and stroke patients whose ambulances were diverted to other hospitals because of IT system outages related to the malware, or how many hospitals and practices experienced delays in getting back the test results needed to make critical healthcare decisions.
Scanlon said he has asked around quite a bit over the years to see whether any researchers have taken up the challenge of finding out, but that so far he hasn’t found anyone doing that analysis.
“A colleague who is familiar with large scale healthcare data sets told me that unless you are associated with a research institution, it would be almost impossible to pry that kind of data out of the institutions that have it,” Scanlon said. “The problem is this data is hard to come by — nobody likes to admit that death can be attributable to a non-natural cause like this — and is otherwise considered sensitive at a very high and proprietary level by the institutions that have the facts.”
A study published in the April 2017 edition of The New England Journal of Medicine suggests that applying the Vanderbilt researchers’ approach to patient outcomes at U.K. hospitals in the wake of WannaCry might be worth carrying out.
In the NEJM study, morbidity and mortality data was used to show that there is a measurable impact when ambulances and emergency response teams are removed from normal service and redirected to standby during public events like marathons and other potential targets of terrorism.
The study found that “Medicare beneficiaries who were admitted to marathon-affected hospitals with acute myocardial infarction or cardiac arrest on marathon dates had longer ambulance transport times before noon (4.4 minutes longer) and higher 30-day mortality than beneficiaries who were hospitalized on nonmarathon dates.”
“Several colleagues and I are convinced that the same can be shown about WannaCry, on the large scale, and also at the small scale when ransomware attacks impact a regional hospital,” Scanlon said.
In November 2018, I was honored to give the keynote at a conference held by the Health Information Sharing and Analysis Center (H-ISAC), a non-profit that promotes the sharing of cyber threat information and best practices in the healthcare sector.
In the weeks leading up to that speech, I interviewed more than a dozen experts in healthcare security to find out what was top of mind for these folks. Incredibly, one response I heard from multiple healthcare industry experts was that there is currently no data available to support the finding of a negative patient outcome as a result of a cybersecurity vulnerability or attack.
As I kept talking to experts, it occurred to me that if smart people in this industry could say something like that with a straight face, it was probably because not a lot of people were looking too hard for evidence to the contrary.
With this Vanderbilt study, that’s demonstrably no longer true.
A copy of the new study is available here (PDF).
We need true defense against hacking. Requiring technology companies to be liable for their flawed software / hardware will go a long way. We can blame the CIA for a lot of this crap, since their tools were leaked out into the wild. Probably on purpose. Need real oversight of the intelligence community as well. And lastly, if not most importantly, we need a death penalty for hackers; this will put an end to a lot of these sick aholes who spread these worms and viruses.
Many people here seem to be under the impression that poor cybersecurity practices mean the hospital itself must be shoddy. That is, the increased mortality rate is caused not by an attack but by the facility being rundown in terms of medical proficiency and equipment.
It’s not necessarily the case. Hospitals aren’t often run by security experts. And for laypeople, it’s sometimes hard to grasp the idea of how dangerous their lacking cybersecurity is for their patients before an attack actually happens and they can see it first-hand.
So, even if they have spare funding to spend on security, I suspect few of them would. They may simply not see any benefit in it: despite rising cyber-awareness, cybersecurity is still hard to market in unrelated fields.
Does this situation need to change? Obviously.
Does it mean that all the affected medical facilities are mismanaged on every level and would have had the same mortality rate even without the attacks? Not really.
I agree with Dean Chester. Cybersecurity in organizations isn’t taken seriously enough, even after hearing about big companies like Equifax or hospitals like those in the UK being breached. The threat is very much real, but organizations don’t seem to be in a huge rush to update or even implement some sort of security on their networks. In reality they should give more attention to it, because if and when they are attacked, it will cost them millions, or in the case of hospitals, lives, and they will be left wondering what they could’ve done differently.
Thank you for sharing this precious info with us. As a practicing author, I can say that I was trying to include some facts and sparking ideas within my writing clinic.
I believe it’s imperative to spice your writing in the event you wish to grab the viewers’ attention.
But you did great, thanks.