We tried to quantify how harmful hospital ransomware attacks are for patients. Here’s what we found

This article is part of a partnership between First Opinion and Tradeoffs, a nonprofit news organization exploring our confusing, costly, and often counterintuitive health care system. To learn more about how ransomware hurts hospitals and patients, listen to a deeper dive from Tradeoffs, and subscribe to never miss an episode.

On a Thursday in early August, staff at Manchester Memorial Hospital in Connecticut realized they’d been hit by a ransomware attack. What happened next is the stuff of nightmares. Manchester Memorial had to ask ambulances to take emergency patients elsewhere. They cancelled elective surgeries and worked without access to essential imaging equipment like X-rays and CT scans. With their electronic health records inaccessible, clinical staff had to revert to pen and paper. It took nearly six weeks before Manchester Memorial declared “all services back online.”

And they weren’t alone. The same ransomware attack disrupted operations across the 16 hospitals and numerous other health care facilities within the Prospect Medical Holdings health system. Rhysida, the ransomware actor claiming responsibility, advertised 1.3 terabytes of stolen patient data for sale on the dark web, for an asking price of 50 bitcoin (roughly $1.3 million).

For many in health care, the transition from paper to electronic records still feels fresh. How could cybersecurity already be an area of weakness?!? And yet, research shows that health care providers face a growing threat of cyberattacks like what happened to Manchester Memorial Hospital.

Ransomware attacks, in which hackers disrupt business operations and/or encrypt sensitive data until the victim pays up, are the most common cybersecurity threat facing health care providers today. While this is inconvenient and damaging regardless of industry, in health care, cyberattacks interrupt care delivery and threaten patient safety. The question is, exactly how much damage can they do? That’s what we’re trying to find out.

Health care is a hacker’s playground for a few reasons. First, it’s a maze of electronic systems — many of which are essential to providing care. This includes EHRs, imaging machines, scheduling and communication software, electronic monitoring equipment, telehealth platforms, and so many others. Second, many users of these electronic systems are distracted, and thus are susceptible to hackers’ infiltration techniques. Put another way, physicians, nurses, and other clinicians aren’t focused on identifying phishing emails; they’re trying to help sick patients! Third, health care can be a matter of life or death, particularly in hospital settings. When a ransomware attack forces providers to choose between paying the ransom and providing inadequate care, the former may be a legitimate choice, though it goes against every recommendation from law enforcement.

Although ransomware attacks pose a real danger to patients, research has yet to quantify this threat. In our recently released working paper (summarized here), we provide some of the first evidence on this topic by documenting just how devastating ransomware attacks are to hospital operations. We found that during the first week of a ransomware attack, patient volume falls by roughly 20%. Revenue decreases by that much or more, showing a 40% drop in the emergency setting. Hospitals are forced to treat fewer patients during ransomware attacks, and they provide less care (especially imaging and testing services) for the patients they do treat. We see this across multiple hospital care settings: emergency room, inpatient, and outpatient.

It’s not hard to imagine how a ransomware attack translates into harm for patients. Without access to the EHR, a care team might not know what medications a patient is on or what they’re allergic to. Without imaging, clinicians are flying blind as they make diagnoses. When lab results have to be hand-delivered (instead of uploaded to a patient’s chart), treatment is delayed. Without electronic monitoring equipment, nursing staff might not be able to monitor patients’ condition without physically being in the room. If an ER has to activate ambulance diversion protocols, patients may spend precious time traveling to an alternative facility before they receive care for time-sensitive conditions. This is especially concerning for urgent conditions like heart attack and stroke, where time to treatment has well-documented implications for survival.

And yet, we are only just beginning to understand how ransomware attacks affect patients’ health outcomes. Our research shows that ransomware attacks increase in-hospital mortality for patients admitted to attacked hospitals. To many, this will seem like proof of the obvious, but as health economists, we believe that data speak louder than anecdotes or beliefs. In normal times, roughly 3 in 100 hospitalized Medicare patients will die in the hospital. During a ransomware attack, that number goes up to 4 out of 100. From 2016 to 2021, we estimate that ransomware attacks killed between 42 and 67 Medicare patients.

The true number of deaths caused by ransomware attacks is likely even larger, when you include patients with other types of health insurance coverage. The morbidity effects of a ransomware attack (i.e., how delays in care make existing conditions worse) are as yet unknown.

When seeking to understand the impact of a ransomware attack, we must think beyond each individual hospital to the health care system as a whole. Ransomware attacks don’t just affect the attacked hospital; they also affect other hospitals and patients nearby. Consider a hospital forced into ambulance diversion during a ransomware attack. Patients who would have gone to the attacked hospital must go elsewhere, potentially crowding nearby hospitals. A case study of a large, urban ransomware attack showed how nearby hospitals that were not attacked saw an increase in their ER patient census, ambulance arrivals, and waiting room times. Similarly, averaging across hundreds of hospitals in our database, we find no change in area-level ER volume despite large decreases in ER volume at attacked hospitals, suggesting that other facilities must pick up the slack.

This should change how hospitals and policymakers think about the scope of this issue. While it is true that less than 5% of U.S. hospitals experienced a ransomware attack from 2016-2021, this understates the problem. A better way to capture the true impact is to say that approximately 25% of all hospital markets experienced a ransomware attack and its potential spillover effects.

As we begin to quantify the frequency and patient implications of ransomware attacks, two priorities emerge from our research. First, let’s prevent cyberattacks (ransomware and others) from happening in the first place. This means investing time, money, and person-power in cybersecurity. Historically, hospital investment in cybersecurity has been scant. Recent evidence suggests this is changing, though there is still considerable room for improvement when it comes to compliance with widely recognized Health Industry Cybersecurity Practices. Policymakers interested in incentivizing uptake of evidence-based cybersecurity recommendations should carefully consider a combination of sticks (e.g., requirements for minimum cybersecurity investments, such as those recently proposed by New York regulators) and carrots (e.g., subsidies for small, rural, and safety net hospitals).

Policymakers should also consider longer-term changes, such as workforce investments and insurance market reforms. Hospitals (particularly those in rural areas) report challenges hiring and retaining qualified cybersecurity professionals. The cost of cybersecurity insurance coverage has risen dramatically in recent years, leading some hospitals to drop their policies (which have simultaneously become less generous). These patterns indicate an opportunity for regulation of the cybersecurity insurance market to prevent an adverse selection death spiral from possibly unraveling the entire market.

Second, since we’ll likely never get the number of cyberattacks to zero, let’s design incident response protocols to ensure patient safety. The motivation for this priority comes directly from our research findings: More severe ransomware attacks (i.e., the ones that force ambulance diversion and care cancellations) are more harmful to patients. If we can reduce the disruptions caused by ransomware attacks, we can save lives. Doing this requires careful planning, not only at the hospital level (as recommended recently by the Joint Commission), but also at the local community and overall health system levels. Incident command systems, typically used during natural disasters and other emergencies, may provide a useful starting point for this type of coordination across actors.

Cyberattacks on hospitals and other health care providers seem unlikely to abate, so long as they remain profitable for the hackers perpetrating them. Identifying solutions is a challenge for health care administrators, regulators, and policymakers alike, but must be a top priority in light of the patient safety implications. Our work is merely a first step toward documenting the cost — in dollars and human lives — of inaction on this issue.

Hannah Neprash is an assistant professor of health policy and management at the University of Minnesota School of Public Health. Claire McGlave is a doctoral student in health services research, policy, and administration at the University of Minnesota School of Public Health. Sayeh Nikpay is an associate professor of health policy and management at the University of Minnesota School of Public Health.