Early findings from the Cybersecurity and Infrastructure Security Agency link ransomware attacks on hospitals and patient mortality, according to an Aug. 19 report by The Verge.
Burlington, Vt.-based UVM Health Network was struck by a ransomware attack in October and couldn't access its EHR for nearly a month. Every computer was infected with malware. The system had to delay some appointments as COVID-19 ramped up in the winter.
Seven things to know:
- A team from CISA examined the cyberattack, looking at excess deaths, or the number of deaths above normal during a specific time of year, during the pandemic. Since hospitals were overburdened, other hospitals were not able to absorb patients from other hospitals. Findings suggest that patients did worse in hospitals recovering from a cyberattack than in hospitals that were not.
- "We should stop pretending that there is no harm to human life from cyber attacks," said Josh Corman, senior advisor to CISA. "The findings, which are still unpublished, should help push back on any groups hesitant to say that cyberattacks are dangerous for patients."
- The CISA team found that once an area had a certain percentage of intensive care unit beds filled, they were more likely to see excess deaths two to six weeks later — known as the inflection point. With this in mind, CISA looked at the excess death data in Vermont during the ransomware attack on UVM. The team found that during the same time period, hospitals affected by the ransomware reached the inflection point.
- "You're reaching that danger zone where you're going to see excess deaths two, four and six weeks later more quickly," Mr. Corman said. "We can now tell that cyber disruption introduces degraded or delayed patient care."
- "We have not seen the data or the report referenced in the article, but we are incredibly proud of our team who continued to deliver safe, high quality care to our patients throughout the duration of the cyberattack last fall and in the middle of an ongoing pandemic," according to a UVM statement shared with Becker's.
- Researchers on the project said Vermont might fare better than other states that have poorer overall health.
- Mark Jarrett, MD, chief quality officer at New Hyde Park, N.Y.-based Northwell Health, said he thinks an analysis on the harm to patients who don't die can be helpful. He also said hospitals facing a ransomware attack should analyze what went wrong and what the implications were for patients, Dr. Jarrett said. "Clinicians, in general, tend to think of this as an information technology issue, and it really isn't. It's a patient safety issue."