Cyberattacks are undermining patient care and patient trust
With a ransomware incident occurring nearly every day and major incidents threatening patient safety and raising caregivers’ workloads, senior execs are getting alarmed.
Cyberattacks are no longer simply inconveniences that impact provider operations – they are increasingly having an impact on patient care, delaying treatments and affecting safety.
That reality is becoming increasingly apparent as the industry is battered by spates of high-profile attacks that are interrupting services, and resulting in significant disruptions and cost.
In addition, high-profile attacks against provider-adjacent vendors or ancillary service providers have devastated providers by interrupting cash flows or compromising patient data. Attacks such as that on Change Healthcare have drawn congressional attention and widely impacted payments to provider organizations.
And as the healthcare industry continues to digitize records and computerize operations, the potential damage that could be caused by cyber criminals is becoming clearer to the nation. And as patient safety is brought into the crosshairs, many experts see multiple reports of hackings eventually impacting patient trust in organizations' ability to protect their most sensitive health data.
More digitization, risk and criticality
After nearly 15 years of support from federal stimulus programs and industry efforts, electronic health records systems (EHRs) are more widely used than at any time in the nation’s history. More than 96 percent of hospitals and 78 percent of physician offices now use electronic health records certified through the ONC Health IT Certification Program, according to information recently released by the Office of the National Coordinator for Health Information Technology.
But as healthcare providers lean more heavily on these systems for patient care, the risks of cyberattacks causing interruptions in information flows necessary for treatment have risen.
Attackers increasingly are using ransomware, which holds data and systems hostage, pressuring providers because such attacks cut off access to records. The healthcare sector reported 249 ransomware attacks to the FBI in 2023, making it the leading sector targeted by criminals.
Those risks became clear this past May, when Ascension, a St. Louis-based hospital system that operates 140 hospitals across 19 states, had records systems shut down by a ransomware attack. Two nurses who requested anonymity told CNN that the lack of access was “putting patients’ lives in danger,” citing the burden of charting on paper, the unavailability of safety systems used within the EHR, and the lack of easy access to lab test orders and results.
A report by NPR further details the challenges faced by Ascension. It cites an interview with Kris Fuentes, who works in the neonatal intensive care unit at Ascension Seton Medical Center in Austin, who noted that after so many years of relying on digital systems, "It's kind of like we went back 20 years, but not even with the tools we had then. Our workflow has just been really unorganized, chaotic and at times, scary."
A cyberattack last year resulted in disruptions to operations at Manchester (Conn.) Memorial Hospital, forcing the facility to divert emergency care patients to other hospitals in the region, according to an analysis by the Connecticut Mirror.
The breach affected three Prospect Medical Holdings, impacting operations for more than 40 days. Administrators at Manchester Memorial and another of its facilities issued 29 “divert notifications” to emergency personnel throughout the region, according to ambulance dispatch logs obtained by The Connecticut Mirror. The publication’s review of records obtained from the state Department of Public Health shows the facilities had to cancel nearly half of scheduled elective procedures and at times couldn’t process X-rays or CT scans.
A ransomware attack at Lurie Children’s Hospital in Chicago took months to resolve, with patients experiencing delays or slowdowns in fulfilling prescription refills, scheduling appointments or reaching healthcare providers via normal communication channels. The Cyber Management Alliance detailed delays in emergency care delivered to children, as well as challenges in delivering test results.
Additionally, the problem has spread worldwide. In June, NHS England said two NHS trusts – King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust – were affected by a cyberattack that targeted Synnovis, a pathology services provider. By mid-month, the BBC reported that more than 1,130 planned operations and 2,190 outpatient appointments had been postponed at the London hospitals.
Attacks on vendors also cause disruption
The cyberattack in London exemplifies how providers are inherently at risk from attacks on the vendors that serve them.
For example, the Change Healthcare attack has had profound implications for the financial health of provider organizations. Change, a unit of UnitedHealth Group, in late February was hacked by a ransomware gang. The attackers took as much as 4 terabytes of data, including personal information, payment details, insurance records and other sensitive information.
The impact was immediate, because Change serves as a clearinghouse for providers for large payers, such as Medicare and Medicaid. It also plays an important role in managing clinical criteria for pre-authorization, verifying coverage and processing patient claims to third parties. After the attack, the clearinghouse was forced to take key operations offline.
The incident prompted guidance from the Centers for Medicare & Medicaid Services (CMS) for enabling providers to change clearinghouses and continue payments and funding to providers and Medicare Advantage organizations.
The Change Healthcare incident underscores the dependency of the nation’s healthcare system on continuity of funding and information exchange, leaders noted. An article on the attack quoted Rick Pollack, president and CEO of the American Hospital Association, as saying that “the Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. healthcare system in history.” And it quoted a member of Congress as saying that “the breach of Change was tantamount to targeting the healthcare system in its entirety.”
“This incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem,” the CMS statement noted. “That’s why, in December 2023, HHS released a concept paper that outlines the Department’s cybersecurity strategy for the sector. The concept paper builds on the National Cybersecurity Strategy that President Biden released last year, focusing specifically on strengthening resilience for hospitals, patients and communities threatened by cyber-attacks.”
A similar incident occurred in late July, when OneBlood, a non-profit organization supplying blood and blood products to about 350 hospitals in the Southeast, was hit by a ransomware attack that disrupted some of its blood delivery operations. The American Hospital Association said the attack impacted care, noting that “hospitals have put conservation and prioritization strategies in place.”
The OneBlood attack followed similar incidents involving blood suppliers Synnovis and Octapharma, AHA noted. The attacks “have resulted in significant disruption to patient care, including canceled elective surgeries,” said John Riggi, AHA national advisor for cybersecurity and risk. “This incident once again reminds us that any cyberattack against any entity that results in the delay and disruption to life-sustaining care is a threat to life. It also reminds us that our cyber adversaries are increasingly and intentionally targeting healthcare mission-critical and life-critical third-party service providers and supply chain to cause maximum disruption.”
Measuring the cost, seeking a response
Beyond patient safety and care disruption worries, costs of recovering from breaches have remained high, and cash-strapped provider organizations are struggling to meet the costs of recovery. And those costs don’t always include the lost revenue resulting from downtime, treatment delays, interruptions in billing or productivity losses.
Healthcare breaches are the most expensive to resolve among all industries, according to an article in Digital Health Insights. The findings are based on research from IBM and the Ponemon Institute, which analyzed a sample of data breaches occurring from 2023 to February 2024, and established the average cost of a healthcare cybersecurity incident at $9.8 million. This data did not include the massive costs of the Change Healthcare cyberattack or this year’s CrowdStrike event, which involved an update to protection software that briefly crippled software systems in various industries – a kind of self-inflicted injury that, ironically, was precipitated by jittery organizations trying to defend against cyberattacks. The analysis noted that “data breaches have been getting more expensive every year since 2018, although new technologies, including artificial intelligence, are helping reduce the time it takes to identify and contain a breach.”
Organizations impacted by massive breaches are reporting huge charges to resolve issues. For example, UnitedHealth Group, in reporting its second quarter results this past July, estimated that the total cost of the Change Healthcare breach will reach between $2.3 billion and $2.45 billion in 2024. Those costs will include data breach response and mitigation, operational disruptions, regulatory fines and legal fees, customer compensation and support, and reputational damage.
Ascension’s financial performance was degraded by the anticipated costs of recovering from its spring cyberattack, its financial reports noted. The organization ended its fiscal year on June 30, 2024, and through the first 10 months of the fiscal year, it reported a loss from recurring operations of $79 million. However, in May and June, “operations were impacted by the May cybersecurity incident … resulting in reduced revenues from the associated business interruption along with costs incurred to remediate the issues and other business-related expenses.” For the fiscal year, including extraordinary charges, Ascension reported an operating margin loss of $1.8 billion, including the impact of the cyberattack and other one-time expenses and losses.
Still, the growing risks to patient safety are weighing heavily on the industry, and a broad response is necessary to preserve the continuity of care delivery and protect sensitive patient information, industry leaders say. Those risks are gaining the attention of C-suite executives, who are assessing the threats faced by patients and organizations.
“The most important defense is to instill a patient safety-focused culture of cybersecurity,” wrote John Riggi, senior advisor for cybersecurity and risk for the American Hospital Association. “This enables healthcare organizations to leverage their existing culture of patient care to impart a complementary culture of cybersecurity … where the staff members view themselves as proactive defenders of patients and their data, (which) will have a tremendous impact in mitigating cyber risk to the organization and to patients.”