Recent Study Suggests Healthcare Cyberattacks on Par with Regional Disasters

Sarasota, FL (WorkersCompensation.com) – Since the first of the year, there have been a 192 healthcare data breaches reported according to the U.S. Department of Health and Human Services breach portal. Comparatively, there were 134 breaches reported during the same time span for 2022. 

Through radical changes initiated by the Health Insurance Portability and Accountability Act (HIPAA) privacy law in 1996, healthcare has become more connected. While the seamless transition of information from one facility to another has quickened the flow of patient care, that process has also created a certain level of risk of data breaches through cyberattacks for all of those facilities. 

The number of cyberattacks have been increasing, especially as healthcare is now critically dependent on internet-connected computer networks. With personal information that is often duplicated and shared between organizations in the process of patient care, healthcare is a prime target for thieves. Even with advanced measures and testing, ransomware and malware programs are continually evolving, finding ways around the best security protocols. When a data breach happens, patient information at risk, and the cost is astronomical in investigation and recovery.  

Data hacks also put patient’s health in direct jeopardy as well. Cyberattacks have resulted in immediate lockdown of patient records and facility communication. There have been many cases worldwide in which emergency ambulance traffic had to be re-routed to an unaffected facility, which means more time until treatment. It is not uncommon for the effected hospital or health system to have to shut down and resort, at best, to paper charting in the event of a cyberattack. Depending on the method and extent of the cyberattack, a facility can be shut down for weeks. 

With the increase of cyberattacks, the cost to the impacted facility has been well documented. What hasn’t been well documented is the regional health care disruptions in hospitals adjacent to health care systems under a cyberattack. Researchers from the University of California recently reviewed metrics from unaffected emergency departments (EDs) related to San Diego County health systems that had been under a cyberattack.  

The researchers compared patient volume in the 4 weeks prior to the cyberattack on May 1, 2021 through the recovery period 4 week after the attack through June 25,2021. Researchers reviewed encounter volumes, temporal throughput, regional diversion of emergency medical services (EMS), and stroke care metrics. The study evaluated a total of 19,857 ED visits. 

The researchers noted that in the greater San Diego county area, there was a 74.1 percent increase in the average total daily ED diversion time for ambulances. In the time period prior to the attack, the San Diego County EMS reported an average of 27 cumulative hours of diversion per day. In the midst of the cyberattack, the number of diversion hours increased to 47. During the recovery time period, the number of cumulative diversion hours per day dropped to 31. 

The researchers found that when comparing the pre-attack period to the attack period, there was an associated 15.1 percent increase in average ED volume, a 35.2 percent increase in ambulance arrivals, and a 6.7 percent increase in admissions. Additionally, there was a 127.8 percent increase in visits where patients left without being seen, and a 50.4 percent increase in cases where the patients left against medical advice. 

The researchers noted a 47.6 percent increase in average waiting room times, as well as a 33.9 percent increase in average length of stay for admitted patients. Additionally, there was a 5.9 percent increase in the average length of stay for discharged patients. 

There was a significant increase of 74.6 percent in the number of stroke code activations, going from 59 in the pre-attack phase to 103 during the attack phase, and back to 65 in the recovery phase. What is interesting is that there was a significant increase in the number of confirmed strokes diagnosed, going from 22 during the pre-attack phase to 47 during the attack phase. During the recovery period, the number of confirmed strokes dropped to 28.

During the recovery time period, EMS arrivals, patients who left against medical advice, and ED stroke code activations and confirmed strokes returned to the pre-attack rates. 

Overall, the researchers found the impact of a cyberattack on an unaffected facility was significant. They believe the findings suggested that targeted hospital cyberattacks may be associated with disruptions of health care delivery at non-targeted hospitals, and should be considered a regional disaster due to the increases in metrics. They believe that healthcare facilities and hospitals could benefit from coordinated planning and response efforts.

Share This Article: