The recent ransomware attack against Tri-City Medical Center in Oceanside is the latest reminder that digital attacks damage far more than the privacy of sensitive electronic records. Patients who happen to be unlucky enough to have been receiving care when systems turn against their owners find themselves caught in an efficient machine with many of its parts missing.
Suddenly, their nurses can no longer check their computer-based charts to confirm the last time their vital signs were checked. X-rays and other forms of medical imaging — long ago having made the transition from film to digital files — often can no longer flow from the room where they were taken to the doctors who must view them to make critical health care decisions. Automated medication tracking and dispensing systems can also go offline, making it more difficult for patients to received prescribed medications on schedule.
Chris Van Gorder, chief executive officer of Scripps Health, recalled the sheer enormity of the problem that hit his health care system in May 2021. Immediately, he said, leaders were forced to ask themselves some very sobering questions about patient safety.
“Think about it, we have patients that require radiation therapy every day, and that’s all computer driven,” Van Gorder said. “It’s do we have anybody in the operating room right now? What are we going to do in the emergency department, in the trauma center? Do we need to evacuate patients to a different setting? Do we believe the patient is safe with us?”
And this conversation, for an organization simultaneously operating four different hospitals on five campuses plus dozens of outpatient facilities, must happen at a moment when the normal electronic modes of communication have been shut down.
A sudden return to, say, paper records and manual medication calculations will quickly be a profound shock to operations in ways that are never obvious before a ransomware attack arrives.
“We had residents in training and young doctors who didn’t know how to write a prescription because today we do it electronically and the computer will just tell you these are the dosages for this person with this weight,” Van Gorder said. “Now they had to do it from memory.
“I ran into one of our doctors at Mercy San Diego, he goes, ‘I love this, isn’t it great? I never liked the electronic record,’ and I ran into young residents who are going, ‘I don’t know what to do, I don’t know what to do.’”
In the end, the executive said, millions spent on investigations turned up no conclusive answer as to how attackers penetrated Scripps’ system. Government investigators, he said, concluded that Scripps was following industry-standard security practices when the attack occurred.
While there is an entire industry of experts who has been documenting the digital impact of cyber terrorism for decades, comparatively little has been written about the impacts of such breaches on patients. But that is starting to change as these incursions become more frequent.
One paper, posted just last month by a group of researchers at the University of Minnesota School of Public Health entitled “Hacked to Pieces,” uses a close examination of Medicare claims at 74 of 163 hospitals from 2016 through 2022, finding a “20.7 percent relative increase in in-hospital mortality” for those who were hospitalized at the time of an attack when compared to “mortality rates of patients discharged in the five weeks prior to the attack.”
Not yet peer reviewed or published in a medical journal and involving only about half of Medicare patients, the study is an intriguing first approximation of the kind of research necessary to quantify the damage that cyber attacks can do to to real people.
UC San Diego Health is itself already heading down this avenue of investigation, gaining momentum from a $9.5 million contract with the Advanced Research Projects Agency for Health, funding a new Center for Healthcare Cybersecurity at the university.
Dr. Christian Dameff, who was named UCSD’s first medical director of cyber security in 2019, serves as co-principal investigator of the new center with Dr. Jeff Tully.
On May 8, the team published its first piece of ransomware research, examining the spillover effects of an attack in its own backyard. Researchers evaluated nearly 20,000 emergency department visits before, during and after a ransomware attack that occurred in San Diego County on May 1, 2021. Though the attack was clearly the month-long hacker assault that shut Scripps Health down for a full month, the health system’s name is not included in the peer-reviewed literature.
Scripps and UCSD happen to operate hospitals in Hillcrest and La Jolla that are within walking distance of each other, making it only natural that when the former’s emergency departments were impacted, patients would naturally migrate to the nearest comparable medical center.
Looking at the statistics of the care that was provided at UCSD hospitals, researchers found statistically significant increases not just in the number of patients arriving for care during the attack, but also in the amount of time they stayed in beds and even in the number of strokes serviced. That number nearly doubled, increasing from 22 to 47.
The takeaway: “Targeted hospital cyberattacks may be associated with disruptions of health care delivery at nontargeted hospitals within a community and should be considered a regional disaster.”
Speaking this week, Dameff declined to discuss the recent attack against Tri-City that severely impacted the hospital’s operations, reportedly forcing doctors, nurses and technicians to return to paper record keeping and diverting ambulances to other hospitals while simultaneously postponing all non-emergency surgeries and other procedures.
But he did say that the university’s new cyber center is dedicated to quantifying how cyber attacks affect health care delivery. While there is plenty of deep research on the technological side showing how malicious programs can exploit digital infrastructure from computer servers to network routers, less is known about how patient care suffers.
“Yes, the technical side of this is important, but more important is how do we make sure we can maintain great patient care despite these challenges?” Dameff said. “Not a lot of people have ever looked at this question, but it’s one that we are definitely going to try to answer.”
While the center will work with computer scientists to study how ransomware attacks might be more quickly detected and deflected, the physician said there will also be a strong focus in pragmatic approaches for helping health providers cope with successful attacks. It’s an acknowledgment that, with the complexity of today’s technology, and the increasing deviousness of hackers, some invaders will still find ways to breach the gates.
One near-term project is researching the feasibility and practicality of equipping hospitals with what amounts to separate sets of digital equipment for use only in emergencies.
As many attacks on health care providers, including those at Tri-City and Scripps, have shown, detection of a ransomware attack forces the immediate shut down of all critical systems.
The idea, Van Gorder explained, is to give experts time to painstakingly search through every piece of equipment, examine every file for malicious software installed before attackers made their presence known.
“It’s not just the computers, it’s not just the laptops, it’s certainly every major piece of medical equipment,” Van Gorder said. “Today, even the IV pumps are computerized and connected to your system, and virtually everything can be an entry point for an attack.”
Failing to check each and every possible hiding place can mean a fresh disaster.
“If there is basically a Trojan (horse) still left in your system that you didn’t find, it could be monitoring things and come back and bite you later on,” he said.
That period of technological paralysis, Dameff said, seems a place that deserves significant focus. What might happen if hospitals had a separate data network they could deploy quickly when front-line infrastructure was under quarantine?
The center, he said, is working on a prototype of just such a system. It will be necessary, he said, not just to come up with something that could work but also something that could be widely applied.
“There’s this interesting conundrum with ransomware where it’s like what infrastructure can you trust?” Dameff said. “With our system we hope to alleviate that to some degree by just bringing in ‘trustworthy’ protected and hardened systems that can potentially be resilient to these attacks and that can work in parallel to infected systems so that you can continue to do clinical care.”
Much research is necessary, he said, to come up with best practices for hospitals to identify their own specific bottlenecks and technological dependencies.
“I personally feel like we need to do a lot of work to address what we do after these attacks occur,” Dameff said. “We need to improve how quickly we can restore clinical operations to a safe state, and being able to do that will pay dividends way beyond cyber with other incidents like natural disasters and wildfires.”
