Healthcare Innovation sat down with Hannah T. Neprash, Ph.D., assistant professor, Division of Health Policy and Management, University of Minnesota School of Public Health, lead author of an “Original Investigation” in JAMA Health Forum, entitled “Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021.” We reported on the study here. She shared her perspectives on the troubling results and insights on what’s next for the future of cybersecurity in the healthcare sector.
Were you troubled by the results you found?
Totally. It's scary to see this type of cybercrime happening in healthcare because healthcare only works if providers can take care of patients at the time they need care. And I think that ransomware attacks are designed to disrupt business operations and in healthcare, that means not being able to provide care, for example, for a person who comes into the ER having a heart attack. That is scary because lots of healthcare has to happen quickly in order for patients to recover fully. I think that I think that's the source of the concern about ransomware attacks, specifically targeting the healthcare sector.
How can ransomware attacks affect an organization’s bottom line?
I think there are a lot of ways that a ransomware attack can harm the bottom line for a healthcare delivery organization. The most obvious one is if you choose to pay the ransom, the demanded amounts will continue to go up and up and up. So, that that's one cost, but I think that's a small share of the of the actual cost.
There's the cost of lost business revenue, as well. If you have to cancel surgeries, if you have to divert ambulances, that those are patients you're not taking care of and you can't bill for. Then, there's the reputational cost. Nobody wants to have to admit that they fell victim to a ransomware attack. There's the cost of class action lawsuits which seem to be happening more and more and are gaining some traction. One of these lawsuits is specifically about a ransomware attack where patients said, “You knew this was a threat and you didn't protect our information adequately.” And they [patients] were successful in that argument. So I think that's another area where this type of cybercrime can really harm the bottom line for an organization.
What are some advantages of organizations spending funding on cybersecurity programs?
I think this will be an especially relevant question as the Biden administration tries to develop minimum cybersecurity standards for hospitals. Right now, the data I've seen suggests that cybersecurity spending is a tiny share of the overall IT budget for most hospitals. So, there's a lot of room to grow, and a lot of room for improvement. But with that said, if you spend $1 on cybersecurity, you can't spend it on something else. So I think I think it's tough, and that's why I'm hopeful that if there do wind up being minimum cybersecurity regulations developed, that apply to all hospitals, that there's also some sort of subsidy that's paired with that. Maybe something like a Workforce Investment Program, because a lot of these hospitals, even if they have the cash and they want to hire somebody, might not have access to someone with the expertise to enact effective cybersecurity measures.
And then of course, there's the challenge of convincing doctors and nurses and all the other staff that this is important and that this is worth a little bit of annoyance—for example, having to do two factor authentication. I think one of the reasons this is such an issue in healthcare is because nobody in healthcare is thinking, is this a phishing email? They're thinking about, how do I help my patient recover from whatever it is they're going through. So having a distracted workforce like that is definitely a challenge.
Why do you think it is so hard to get cybersecurity legislation passed in the healthcare sector?
The thing I keep thinking about is, that it's fairly recently that healthcare has embraced digital records—getting everybody to switch from pen and paper to electronic health records took so much effort and so much time and so much money. Now there's these unintended consequences that all of those systems are vulnerable to this type of attack. I think that it's just like something about healthcare, it is just a little slower to adapt certain technological innovations, especially if it makes it harder to deliver care or if it changes people's routines. That’s kind of more of an answer to an operational-side question.
On the legislative side of things, I suspect the answer has something to do with money. There is so much money in healthcare and every time someone does something it affects the bottom line for that someone. My best guess is there is a lot of lobbying going on and a lot of competing interests.
How long did it take you to put this study together?
It took about a year with four students working for me, and then all of my collaborators helping out. It was a lot of work to assemble this information, but I mean, the motivation was really that I just I kept seeing anecdotal stories about one system experiencing a ransomware attack. And I just couldn't find any broader statistics or data that was available. There was a gap to fill, and it was a lot of work, but now we can use it in a bunch of different ways.
The next project is to compare hospitals that have and have not experienced a ransomware attack to try to understand who is especially vulnerable. And hopefully that could then be used to target assistance to them right to try to improve cybersecurity standards. And then of course, the big thing that we want to do is look at what happens to patients, both in safety and ultimate outcomes—if they needed care at the time that their local hospital is having a ransomware attack.
Do you think the number of ransomware attacks will increase in the next five years?
Our study only went through 2021, but by all evidence 2022 was even worse. That was the year of the CommonSpirit attack, and this is not a problem that will go away on its own. But with that said, it seems like there's a lot of energy to do something. There are all these proposals, whether they're actual legislation or just people talking and developing. I think that within the next five years, there will be action to combat this. And so I'm optimistic that we won't just see this trend continuing, unabated.
