- A university study deduces that ransomware kills hospital patients due to service disruption and delays.
- On average, patients will receive care 2.7 minutes later during cyber-attack remediation periods.
- More studies like this one have to be conducted in order to understand the true scale of the effects of ransomware.
As reported by Krebs on Security, ransomware attacks hitting hospitals have real and measurable negative effects on the survival of patients. Unfortunately, hospitals are places where life-and-death situations are often decided in the details, and time plays a pivotal role in that. Even the slightest disruption caused by a ransomware attack can lead to the death of a person, either directly or indirectly, and this raises two issues. First, hospitals need to implement absolutely robust defense systems against cyber-attacks. Second, ransomware actors must be treated as criminals of the highest degree and punished as such.
A recent study that highlights these findings comes from researchers at Vanderbilt University and the Department of Health and Human Services. The researchers analyzed the healthcare data of 3,000 certified hospitals, 10% of which suffered a data breach between 2012 and 2016. These medical institutions showed an increase of 36 deaths per 10,000 heart attacks per year, compared to the unaffected 90%. In the targeted hospitals, patients received an electrocardiogram 2.7 minutes later than the average standard, which can make a significant difference when dealing with a case of emergency.
While we all know that severe cyber-attacks have tangible effects on the lives of people, studies like this one are rare. For example, the full extent of the unprecedented disruption caused by WannaCry in the U.K.’s national healthcare system hasn’t been determined, but the financial losses were estimated at about $100 million. In addition, 8% of the hospitals in the country were forced to divert emergency cases to other hospitals, so the mortality rates during that period were undoubtedly affected. For action on multiple levels to be taken, studies like the one from Vanderbilt need to start popping up more often.
The study also concludes that the implementation of IT health systems comes with unanticipated challenges that are magnified by inadequate personnel training, leading to usability problems and implementation hindrances. Unexpected errors along the way are inevitable, no matter how well prepared a hospital may be. Similarly, the remediation of data breaches brings a host of challenges that are particularly aggravated in complex environments like that of a hospital. That said, implementing defense mechanisms isn’t enough. Personnel need to be trained on how to cope with data breaches, and how to enter the remediation phase with minimal impact on the patients’ health.