Hospital Cyberattacks May Disrupt Other Nearby Emergency Rooms, Study Warns

Cyberattacks on hospital systems can disrupt patient care in nearby, untargeted emergency rooms, especially those without a cybersecurity surge plan.

As the healthcare industry faces an ever-increasing risk of cybersecurity attacks, a new study highlights the importance of hospitals having coordinated plans in place to manage a potential influx of patients, which may occur when a neighboring medical facility is attacked.

In a report published this month in the Journal of the American Medical Association (JAMA), researchers found that a cyberattack on one hospital significantly impacts the ability of two neighboring emergency departments to provide effective patient care.

The study results come as federal regulators grapple with the growing threat of cybersecurity breaches in the medical field.

According to the U.S. Food and Drug Administration (FDA), cyberattack attacks on the healthcare industry escalated throughout the COVID-19 crisis. During the pandemic, the agency reported a 457% increase in attempted cybersecurity breaches, including reconnaissance activities, denial of service, and attempted exploitation.

Hospital Cyberattacks Strain the Limits of Nearby Emergency Rooms

In this new study, researchers from the University of California, San Diego examined two academic urban emergency departments (EDs) adjacent to a healthcare system that had experienced a month-long ransomware attack.

They evaluated a total of 19,857 adult and pediatric visits at the two adjacent EDs by grouping the visits into three categories: the pre attack phase, the attack and recovery phase, and the post attack phase.

The pre attack phase was defined as the four weeks leading up a ransomware attack at the targeted healthcare system, the attack and recovery phase was defined as the four weeks that the healthcare system was actively managing the cybersecurity attack, and the post attack phase was defined as the four weeks following the cyberattack and recovery period.

Following their analysis, the researchers determined that the emergency departments adjacent to the healthcare system undergoing the cyber-attack had a 15% increase in daily average patient volume during the attack phase. The average number of ambulance arrivals at the emergency departments increased by over 35% during the attack phase.

In addition, the number of patients who left the emergency departments against medical advice surged during the attack phase by more than 50%. Median waiting room times at the nearby EDs rose by almost 48% throughout the attack phase, and the average length of stay for admitted patients at the nearby emergency departments increased by almost 40% during the attack phase.

Emergency Departments Without Cybersecurity Surge Plans Are Vulnerable

The researchers also noted that the two emergency departments adjacent to the hospital undergoing a cyberattack struggled to recover from the resulting surge in patient volume. Daily average patient visits at the emergency departments were still higher than the pre attack phase throughout the four weeks following the cyberattack and recovery period at the nearby affected hospital.

Researchers suggested several protective protocols that the two neighboring emergency departments should have had in place to reduce the effects of a neighboring medical facility experiencing a cyber-attack. These suggested guidelines include enhanced communication and coordinated patient surge planning across regional healthcare organizations during and after an active cyberattack.

Other suggested measures included limiting elective surgeries at facilities adjacent to hospitals undergoing an active cyberattack and identifying high risk ED visitors, such as stroke and trauma patients, to increase efficiency of patient care during surge periods.

Cybersecurity Concerns in the Healthcare Industry

Cybersecurity threats in the healthcare field have been a growing concern over the last decade, as vulnerabilities to healthcare organizations’ electronic record systems and medical products have surfaced.

Earlier this month, for example, federal health officials warned that certain diagnostic DNA sequencing devices are vulnerable to remote hacks that could access private patient information.

In March 2022, a medical device cyber safety report revealed cybersecurity gaps in 150,000 infusion pumps designed to deliver controlled doses of fluids and medications were vulnerable to cybersecurity breaches. The report followed a 2019 Medtronic MiniMed Insulin pump recall initiated after the manufacturer discovered that remote hackers could potentially alter the dosage settings on the devices and cause life threatening complications for users.