A recent study by UC San Diego (UCSD) analyzed a ransomware event that occurred at a nearby Scripps Health facility ER, as well as one also located close by at a UC San Diego hospital. The study compared the four-week time periods before, during, and after the attack. As reported by NPR, the study found the Scripps event grave enough to consider hospital ransomware attacks a "regional disaster," with the number of attacks expected to increase.
While analyzing the month-long event at Scripps, researchers discovered that the UC San Diego ED had “significant increases during the cyberattack in daily census, emergency medical services arrivals, patients leaving without being seen or against medical advice, median wait times, ER lengths of stay, stroke code activations, and confirmed strokes.” Results from the study were published in JAMA Network Open.
According to NPR findings,in the weeks following the Scripps breach, the number of patients waiting in the UC San Diego ED increased by 600, and the number of patients leaving without being seen increased by more than twice the normal amount. Additionally, there were more than twice as many confirmed strokes and almost twice as many emergency stroke code activations, according to the team of researchers at UCSD.
Jeff Tully, M.D., co-author of the study and assistant clinical professor at UC San Diego, said “there needs to be more data made available, so health systems within a region can begin conversations surrounding coordinated emergency response protocols to hospital cyberattacks, in the same way they exist for natural disasters or other major emergencies.” MITRE, a nonprofit that conducts various research for the U.S. government, told NPR they are engaged in research to understand the interconnectedness of infrastructure systems to avoid another regional disaster like in San Diego.
In addition to the Scripps ransomware event, other areas of the country are also experiencing similar cybersecurity attacks in healthcare facilities. Separate health data breaches have been reported by Oregon-based digital health firm Kannact, Massachusetts-based mental health and addiction treatment center New Horizons Medical, and Philadelphia-based orthopedic clinic Vincera Institute. In each case, thousands of patients had their personal information (SSN, date of birth, driver’s license number, etc.) as well as healthcare information (medical record numbers, and prescription, insurance, and treatment details) compromised.
NPR also reported that patient advocacy groups are now making sure that patients are part of the cybersecurity conversation. Andrea Downing, who runs a patient information security advocacy group, said physicians “should be informing patients of cybersecurity risks before treatment, not after a security incident.”