07 Nov 19

Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks

Hospitals that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts, a new study posits. Health industry experts say the findings should prompt a larger review of how security — or the lack thereof — may be impacting patient outcomes.

Researchers at Vanderbilt University’s Owen Graduate School of Management took the Department of Health and Human Services (HHS) list of healthcare data breaches and used it to drill down on data about patient mortality rates at more than 3,000 Medicare-certified hospitals, about 10 percent of which had experienced a data breach.

As PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined.

The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.

“Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes,” the authors found. “Remediation activity may introduce changes that delay, complicate or disrupt health IT and patient care processes.”

Leo Scanlon, former deputy chief information security officer at the HHS, said the findings in this report practically beg for a similar study to be done in the United Kingdom, whose healthcare system was particularly disrupted by the WannaCry virus, a global contagion in May 2017 that spread through a Microsoft Windows vulnerability prevalent in older healthcare systems.

“The exploitation of cybersecurity vulnerabilities is killing people,” Scanlon told KrebsOnSecurity. “There is a lot of possible research that might be unleashed by this study. I believe that nothing less than a congressional investigation will give the subject the attention it deserves.”

A post-mortem on the impact of WannaCry found the outbreak cost U.K. hospitals almost 100 million pounds and caused significant disruption to patient care, such as the cancellation of some 19,000 appointments — including operations — and the disruption of IT systems for at least a third of all U.K. National Health Service (NHS) hospitals and eight percent of general practitioners. In several cases, hospitals in the U.K. were forced to divert emergency room visitors to other hospitals.

But what isn’t yet known is how WannaCry affected mortality rates among heart attack and stroke patients whose ambulances were diverted to other hospitals because of IT system outages related to the malware. Or how many hospitals and practices experienced delays in getting back the test results needed to make critical healthcare decisions.

Scanlon said that although he’s asked around quite a bit over the years to see if any researchers have taken up the challenge of finding out, so far he hasn’t found anyone doing that analysis.

“A colleague who is familiar with large scale healthcare data sets told me that unless you are associated with a research institution, it would be almost impossible to pry that kind of data out of the institutions that have it,” Scanlon said. “The problem is this data is hard to come by — nobody likes to admit that death can be attributable to a non-natural cause like this — and is otherwise considered sensitive at a very high and proprietary level by the institutions that have the facts.”

A study published in the April 2017 edition of The New England Journal of Medicine would seem to suggest that applying the approach used by the Vanderbilt researchers to measuring patient outcomes at U.K. hospitals in the wake of WannaCry might be worth carrying out.

In the NEJM study, morbidity and mortality data was used to show that there is a measurable impact when ambulances and emergency response teams are removed from normal service and redirected to standby during public events like marathons and other potential targets of terrorism.

The study found that “Medicare beneficiaries who were admitted to marathon-affected hospitals with acute myocardial infarction or cardiac arrest on marathon dates had longer ambulance transport times before noon (4.4 minutes longer) and higher 30-day mortality than beneficiaries who were hospitalized on nonmarathon dates.”

“Several colleagues and I are convinced that the same can be shown about WannaCry, on the large scale, and also at the small scale when ransomware attacks impact a regional hospital,” Scanlon said.

In November 2018, I was honored to give the keynote at a conference held by the Health Information Sharing and Analysis Center (H-ISAC), a non-profit that promotes the sharing of cyber threat information and best practices in the healthcare sector.

In the weeks leading up to that speech, I interviewed more than a dozen experts in healthcare security to find out what was top of mind for these folks. Incredibly, one response I heard from multiple healthcare industry experts was that there is currently no data available to support the finding of a negative patient outcome as a result of a cybersecurity vulnerability or attack.

As I kept talking to experts, it occurred to me that if smart people in this industry could say something like that with a straight face, it was probably because not a lot of people were looking too hard for evidence to the contrary.

With this Vanderbilt study, that’s demonstrably no longer true.

A copy of the new study is available here (PDF).


53 comments

  1. First!

    Ty Brian

  2. Andrew Rossetti

    Wow. That is truly depressing and reinforces the need for sound security practices at hospitals, physicians’ offices, labs…really any vital service.

    • Not only that but also a serious need for transparency. Of course institutions that hold this data are not willing to share or promote analysis on patient outcomes related to security breaches – they don’t want to damage their brand. It’s terrible and reveals a deep need to overhaul the industry. Transparency should be the #1 goal with institutions with this data.

  3. The Sunshine State

    Hospitals are on “life support” when it comes to cyber-security

    • Starved of basic funding, most hospitals tend toward a lagging response in cybersecurity with priorities geared for medical equipment and personnel, not back-office functions — even in the for-profit business model.

      • “Starved of basic funding”? Not here in upstate (Rochester), NY.
        The hospitals here (especially the 2 big ones) keep building.
        They must have a lot of money at their disposal! Perhaps their security is top notch, IDK. I’m just an amateur IT geek.

        • Hospitals building and hospitals adequately funding IT security are two different things. Many of the back room employees are running off systems that are beyond antiquated. My sister left a large hospital organization a couple years ago and her desktop was still running Windows 9x because the hospital had refused to upgrade its custom software to support an NT-based OS, nor were they interested in upgrading systems to the point where the Windows 9x component could be virtualized due to cost of the new systems. The executives, of course, got fat bonuses every year and lavish salaries. Want to guess why she left?

          • My point was, the money is there IF the hospital big shots wanted to use it for security.
            No surprise about the salaries & bonuses. Of course they are also “non profit”.

            • Hospital administrators cannot choose to spend funds which are donated for capital construction of new “named” additions on other types of capital equipment that will be used in an existing facility, or for salaries, operations and maintenance — the governing Board may not re-allocate funds provided by donors for an explicit purpose to some other purpose, either.

              That’s the legal reality, regardless of how you might feel with regard to the priority needs of actual patients or staff — it’s not like they have access to some “pot o’ gold” (whether spun from straw or not) to dispense in accordance to administrative whim.

            • Don’t discount the possibility that facility expansions can be paid for by dedicated grants, where the money can’t be diverted to general operating expenses. Wealthy donors want wings named after them, not firewalls.

      • It’s not just that. In private practices, doctors run the show. People are there to see the doctors, the doctors generate the revenue, so whatever hare-brained, insecure idea any given doctor gets about the way things should work gets implemented. If you won’t do it, they’ll can your ass and find a tech who will.

        Seriously, spend some time talking to tech workers in the healthcare industry. Every single one of them will have multiple stories about some horrible idea or another that they had to implement at a doctor’s behest.

  4. We are in the midst of a paradigm shift in cyber-security and awareness. As those in the generations before and during the internet revolution slowly move on from industry, they are replaced by more and more cyber-security aware individuals. Over time, we will become more secure. I believe we are the tip of the spear and reading articles and studies like this show it. “The more you know…” continues to be the cry of those of us in the information security industry. We can’t scream loud enough for those in power to take serious action, but soon those in power will not be. Until then, sadly, perhaps only a ridiculously cataclysmic cyber event will truly awaken societies. Otherwise we slowly crawl toward actual cyber security.

  5. seems like NOISE, not signal. study seems to be an ‘overfit’. (i.e. when the data is limited and noisy and when your understanding of the relationships is poor). read The Signal and the Noise by nate silver. however, a simple deduction can tell us if a hospital is not operational (ransomware or otherwise), people can/do die.

  6. I am very interested in knowing how they accurately tracked the administration of an electrocardiogram study in their EMR. Set aside for a moment the likelihood that the EMR probably doesn’t have a discrete field for this information. What did they compare it to in order to determine that it was varying from prior studies? Admission time? Triage time? Order time? Did these times get populated automatically or were they entered later when the actual emergency was past and they had time for the “paperwork”?

  7. 2.7 additional minutes for an EKG? That’s (perhaps literally) a lifetime.

    If I’m reading this article correctly, the issue is not simply that a major information security breach causes all kinds of chaos that impacts patient care at the time, but that the security measures implemented thereafter may also adversely affect patient care.

    This is a critical observation that is probably more problematic for the health industry than any other.

    As a cyber security professional, I am constantly balancing security against convenience: what it is right to allow vs. what users want. I want to see good security practices by personnel, well-guarded data and appropriately defended IT systems. But where a robust multi-factor authentication system might make sense for a banking platform, that same solution could be a terrible idea in a health system that supports the emergency room.

    Imagine the doctor locking out her access or the physician’s assistant not being able to find his two-factor code in the heat of a medical emergency? There is a need to think very carefully about what appropriate security looks like, a particularly tough problem when existing technology is old and budgets—both for new solutions and seasoned security experts—are inadequate.

    • Gavin,

      Thank you for that perspective.
      I have a friend who is a nurse in an environment where the Patient to Nurse ratio is required to be 1:1. I can’t imagine them having to contend with multifactor authentication in that kind of environment. This would appear to be a situation where some sort of short-range device would be helpful.

    • >>If I’m reading this article correctly, the issue is not simply that a major information security breach causes all kinds of chaos that impacts patient care at the time, but that the security measures implemented thereafter may also adversely affect patient care.

      That was exactly how I read it.

      This means that the conclusion that is likely to be reached is that more security is disadvantageous to patient care.

      They’re not likely to conclude that bolting on security after-the-fact rather than having it more holistically integrated, is the biggest contributor to poor productivity and execution.

      These findings are just as likely to hurt the cause of security in hospitals, as to help them.

    • The cure may be worse than the disease.

      It may not be that bad, but we can’t ignore that the cure has impacts. If remediation efforts do not balance the needs to protect with the needs to provide timely care, the security professionals and freaked out executives will be doing unnecessary harm.

      Phishing training, backup and restore, and business continuity planning are primary controls to address ransomware that should not have patient care impacts (outside of the actual breach remediation).

      If this story is only about linking locked computers to increased mortality rates during the time computers are locked and care services are impacted, this is not that interesting.

      • Your second paragraph is being shouted by us all from mountaintops while the masses walk by with all of the engagement that subway patrons give buskers. We all know what is needed, but no one knows how to make it happen.

    • yeah, kindergarten level knowledge….policy less lax, thus burdensome. Not news at all, but good for college kids to practice on

    • I am amazed at your comment. The reason is you are the first comment that displays the reading comprehension skills necessary to even make one. The point is that care is potentially affected by procedures put in place after a security breach. I wonder what those procedures could be?

    • Absolutely correct observation Gavin. I’m a security practitioner in the healthcare space with a focus on the builder side of the security equation.

      Information needs to be rapidly available but also secure. How do you balance the two?

      When you apply remediation efforts that work for banks to healthcare, sadly the end result is you kill patients. Layer on top of this a lot of really old systems in your typical hospital that are challenging to update (for legitimate reasons… too many to list here).

      It’s not easy and probably one of the toughest problems in security today. It’s easy to slap a security box inline in paranoid block everything mode, force staff to use MFA, and end of life that box used in a critical workflow, but now you have bigger problems.

      There is no easy answer here. The security guy in me wants to apply my usual bag of tricks but then I realize that in order to be successful, we as a security community need to innovate in this space.

  8. Great coverage of cybersecurity news always. At least the study didn’t find that the breaches led to an increased rate of intrusion of malware into the patient’s pacemakers… yet.

  9. I submit that any digital attack on a medical facility, emergency facility (i.e., fire and police and ambulance services) should qualify for a death penalty or life imprisonment.

    Such digital attacks are life threatening and should be treated as attempted murder. If a fatality has resulted, the attacker should be convicted of murder and prosecuted accordingly.

  10. Hospitals with poor patient care also have poor cybersecurity. That’s how I read the study. I’ll add poor facilities maintenance, poor facilities cleanliness, and poor morale.

    It works the same for any business. A well run business is well run for all aspects of the business. A poorly run business is poor in all aspects of the business. Has anyone seen an exception to this?

  11. What’s the ICD-10-CM code for “acute myocardial infarction due to computer system failure”?

  12. I hope this gets the other hospitals to sit up and take notice. On the other side of things, I wonder if this means that the ransomware operators could now be charged with murder if they’re ever found.

  13. It’s not just the hospital, but, the programs that are incompatible with operating system updates. Have noticed, that multiple hospitals in my area, are operating in win xp pro. Why? The equipment is incompatible with win10, is that the fault of the equipment or the hospital? Nobody has updated the embed of the machines, is that the hospital’s fault? Oh, buy a new machine each time ms updates? Be realistic. A new cat machine each time the system updates for a “new” os? Or a new crash cart for each time ms puts out a new patch? That’s be realistic in a for profit atmosphere. It won’t fly. Or, you shut down parts of a hospital, after ms decides that you need a better os. That’s not realistic either, but it happens daily. One of the updates slips by the IT, and borks a perfectly good cat machine, just because ms has a better idea on what the os should be. Networks should be backward compatible, just as os’es should be. Sometimes an old machine that works should not be sacrificed to the newer is better gods.

    • Some of what you say is true, but it is also true that:

      1. A lot of what passes for software development in manufacturing and healthcare is atrocious, with applications that can’t manage any upgrading at all.

      2. Old software is going to be inherently more vulnerable as time passes.

      3. Sure, a hospital doesn’t need to be upgrading every single time Microsoft releases a new OS, but you do realize that there are LOTS of upgrades between XP and Windows 10, right? We’re talking 18 years worth of upgrade.

      4. The vendors in these industries need to be held to a standard of maintaining over time, even if at a slower cadence (like 5 years)

      5. Hospitals can’t take the view that they can’t afford to upgrade all the time, yet want to avail themselves of new technology all the time (IoT, etc), and then connect everything to a network that is Internet accessible.

  14. Considering WannaCry was enabled by the EternalBlue breach at the US National Security Agency, I wonder: should the US Government set up and finance a compensation fund for people injured by these ransomware attacks?

    • No. Because even if the US didn’t find the vulnerability and leak it, someone else would have.

      Vulnerabilities will be found eventually.

      Should the US have some sort of carefully managed moon-shot to get hospitals to run current software? Probably.

      But it needs to be better conceived than the replacement for hanging chads — which brought us non-verifiable voting. And it should be better than the disaster that is the current EMR system.

      It needs to be carefully implemented. If you flood the market with money, fraudsters (and opportunists) will enter the market to soak up all the money.

      Smaller amounts of money allocated to a handful of hospitals to prototype upgrading to current software. Similar amounts of money to other hospitals to experiment with alternative systems. Plus some hospitals that just get extra monitoring as a control group. For the things that work, limited funding to help additional hospitals follow the same models.

  15. The only winners of “health care” are the insurance companies. 80% of all finance spent on “healthcare” ends up with the insurance companies. They are bleeding the system dry and have been for over 30 years. Gaining massive power. If it wasn’t for insurance companies, medical bills would be an average of 75% less. This not only takes money away from insurance victims, it takes it away from the actual health care industry – including the IT portion.

  16. If you think implementing security measures has a negative impact on patient care – just try /not/ implementing security measures and see how things go.

    The study…is not remotely persuasive. The findings are very minor statistically speaking and it even acknowledges that there are plenty of factors external to the actual remediation efforts that could be responsible for the relatively minor change.

    While it’s certainly difficult to get apples-to-apples comparisons, this study’s attempt to do so doesn’t quite live up either. So much changes in hospital/healthcare protocol-procedures-process every year…not to mention who knows what security measures were present before and which were added after…it’s not a terribly useful thing to identify at such a broad level. Security efforts, IT integration, breach remediation – these are not singular things they come in a million different shapes and sizes and to paint them all with the same brush and act like they are inhibiting care is misguided.

    When anyone who works in security could tell you that an increase in security almost always (unless you’ve got a gold-plated or needle in a haystack solution) results in a decrease in usability.

    It’s a fantasy to think hospital systems, or any industry’s systems, weren’t going to be increasingly ‘computerized’ in the past few decades. Resistance to that transition is futile; identifying specific instances of security inhibiting care would be much more useful than a broad pre vs post breach analysis.

  17. How certain are we that this is causation instead of a (in)convenient correlation? Also, wouldn’t it be great if healthcare institutions had an effective Situational Awareness program that could ingest information such as this, disseminate it to the right parties in the organization (Risk Function perhaps), and determine if the risk is residual (accept the risk) or requires a different disposition strategy such as mitigate with compensating controls? This can be tackled by both small and large orgs, they just have to dedicate themselves to establishing a process.

    Wow, that was a mouthful.

  18. My thinking here is we might be seeing secondary effects rather than direct causation. Meaning the hospitals with poor health outcomes also have weak IT infrastructure. Both of these facts may simply point to a poorly managed hospital, which is vulnerable to cyber attacks and does a poor job of caring for patients. I would bet that a 3rd data point, like whether the hospital is well funded, or is in a high population density area, or a low income area would clarify things significantly.

  19. I’ve worked in Healthcare for over a decade and one of the biggest reasons why hospitals don’t enforce more security is the clinicians. Because of their positions, and trust me it’s one of significant power, they insist that 1. nothing should ever change their work process 2. nothing should ever inhibit their work process in any way, shape or form.
    The issue then becomes is the administration willing to work with the clinician to make them understand that these are risks that affect patient care and must be addressed. It’s not different than enforcing sanitation standards. Administration often does not have the backbone to enforce or work with them; they just give them what they want. I’ve seen it where it is enforced and yes, initially it does cause a lot of pain for everyone, but over time things settle down.

    • Well perhaps the article is pointing out that the clinicians are right. The data suggests that remediation of security concerns lessen patient outcomes.

  20. As to your closing paragraphs, Brian, that is an old story.

    The willful blindness of hospitals and physicians has a long and documented history: From the 1999 “To Err is Human” study by the Institutes of Medicine to the work of former Alcoa CEO and Treasury Secretary Paul H. O’Neill (listen, e.g., to the podcast at https://www.leanblog.org/2011/07/text-and-quotes-from-the-paul-oneill-podcast-interview/) trying to convince leadership in hospitals to change, it is a depressing legacy of arrogance.

    To err is human, but to admit that error is apparently not a capability known to medicine.

  21. I admittedly didn’t have time to read the paper, but I have a few questions.

    Did they compare heart attack rates across hospitals with more or less mature cybersecurity programs/postures? Could it be that more mature programs with more security measures inherently cause delays that lead to more heart attacks? Another possibility is that it isn’t the cybersecurity measures themselves that lead to delays, but rather that institutions which suffered from a breach or ransomware were less mature to begin with and as a result of the breach, are forcing new security measures in too quickly so haven’t had a chance to do proper training or roll the measures out slowly enough to understand where it slows down critical processes and adjust accordingly?

  22. I’m seeing entirely opposite conclusions from the same observation – what I’m hearing in that description is *not* that ransomware is killing patients, but rather simply the aftermath of a security incident causing security to be prioritised.

    There’s often a tradeoff between security and usability, and in scenarios like this the usability tradeoff is directly linked to people dying. An environment that’s slightly less convenient because of security means that things take just slightly longer, and sometimes that makes a fatal difference. And cutting security corners (e.g. a shared password written with a sharpie on the device, I’ve seen that in a hospital) to make your job (in this case, saving lives) more straightforward comes with an obvious cost to security – so all things like that get reviewed and eliminated after a security incident *without* ensuring that the “proper” processes are as efficient as before (which may be impossible in some cases). There’s a reason why military vehicles often don’t have ignition keys and will allow anyone sitting in them to operate the vehicle if they know how – in that case, efficiency, straightforward operation and robustness is more important than security.

    Also, of course, the “fail-open” and “fail-closed” tradeoff between availability and confidentiality. Do we prioritize doctors being able to access stuff in various kinds of edge conditions, or do we prioritize the privacy of patients health records? Again, we can’t really prioritize both, there’s an inherent conflict.

  23. Criminals will take their money one way or another.
    In the UK they stopped soft crimes like fraud, scams, schemes… The heavy and violent crimes rose.

    I think we should be happy that nowadays criminals don’t have to rob you on the street but they can take their money in soft ways like using internet ransom schemes.

  24. Need to see the study

    I need to see the study. I’m certain Vanderbilt University has very confident and purposeful oversight of their research processes. But unless you have staff well versed in healthcare data and healthcare processes, it would be easy to misunderstand the data and hence misrepresent the findings.

    That aside with the many ransomware attacks and associated media attention to it, hospital leadership is taking notice and asking questions. While it might not translate to immediate funding, I suspect security funding will increase for the foreseeable future. It has for my hospital.

  25. So, with some approximations using other data in the PBS article (kudos to its author Nathan Akpan), we can attribute 272 avoidable deaths to those hospitals’ incompetence.

    Resistance to ransomware isn’t hard, it’s just basic offline backups and periodic “fire drills” to keep restoration skills current. Doing backups adds zero friction to medical care procedures. There’s no excuse for not doing this.

    Extra authentication doesn’t have to be an operational hurdle, either. My ophthalmologist uses fingerprint authentication on his office’s PCs. Face recognition is even less intrusive, but getting a camera compatible with Windows Hello would require upgrading to Win10 at a minimum, not to mention integration with the hospital’s Role Based Access Control infrastructure. Not likely to happen unless forced by regulation.

  26. It is just like the news media. If you ignore an issue or story then it never happened.

  27. According to the paper, ransomware increased wait times by 2.7 minutes and 30-day mortality rates by 0.36%.
    According to the 2017 paper you linked to, marathons increase wait times by 4.4 minutes (in the morning) and 30-day mortality rates by 3.3%.

    Given that marathons happen every year, but WannaCry does not, it seems on the information given that marathons are a much bigger killer.

    When people say “Cybersecurity doesn’t kill people” I suspect what they’re trying to say is “It’s not as big of a deal as you’re saying”.

  28. The study is by idiots who’ve never spent a minute talking to the people who treat heart attacks.

    The EKG machines are entirely capable of being used without network attachment and heart attack medicines are available without computers. Power outages and network outages will not prevent or delay any EKG or medical treatment.

    Yes, electronic health records are convenient for coordinating care beyond the emergency setting, but they’re not necessary. Medicine and hospitals existed long before EHR and function just fine by paper and pen…. and more securely.

    In fact, the only real benefit to EHR is higher billing reimbursements, as clinical staff are enlisted into completing forms and clicking the drop-down menus that provide billing data.

  29. Eventually lawyers will get a hold of this. I can almost hear the commercial now:

    “Did you or a loved one die from a heart attack while your hospital was impacted by a ransomware outbreak? You may be entitled to compensation. Call 1-800-GET-CASH now!”

  30. Now that it’s documented, murder through cybercrime should be treated as such. Cyber criminals have so far been getting off with lenient sentences similar to those of white-collar criminals. Yet what we are dealing with here is murder. And because it is now documented and public, the excuse “I was only in it for the money” no longer flies. Indeed, it now becomes premeditated (i.e. 1st degree) murder.