Ransomware Attacks Pose Unique Danger to ED Patients
For EDs, ransomware attacks pose concerning patient safety and liability risks. “These aren’t rare events anymore,” says Eric Perakslis, PhD, chief science and digital officer at the Duke Clinical Research Institute.
Experts agree EDs should assume they will be attacked at some point. “Preparing for the attack will give the ED a better chance to recover quickly,” says Linn F. Freedman, JD, CIPP/US, a partner at Providence, RI-based Robinson & Cole where she serves as chair of its data privacy and cybersecurity team.
How staff react to the ransomware attack is crucial. “Not knowing what’s going on in a ransomware attack can be very confusing. People have to make quick decisions about what they can do,” Perakslis says.
Ransomware often is accompanied by other simultaneous attacks. Multiple attacks could be made by the same entity or by others aware the hospital systems are now vulnerable. “Any given attack could be one dimension of a multidimensional attack,” Perakslis notes. “This has happened in several hospital attacks.”
For example, a department might be hit by a ransomware attack, and staff immediately receive phishing emails claiming to be a patch for the attack. In a panic, staff start opening these messages. “Next thing you know, all the well-meaning people are now circulating viruses throughout the whole system,” Perakslis says.
If an attack is happening, it is not always apparent which systems are affected. In the moment, staff should start by identifying what seems to be working right and what is not. It all depends on how the attack originated.
Certain outlets in the ED include emergency power and are on a generator in case of power outages or natural disasters. “If the lights go off, everybody knows you can plug into the red outlet to get power. Likewise, people should have a sense of which systems are likely to be more protected than others if systems are compromised,” Perakslis says.
If there are multiple networks in a hospital and one goes down, the other networks should be OK. EDs can best prepare for a ransomware attack by practicing “basic hygiene in IT,” as Perakslis describes it. “The more redundant your systems are, the less vulnerable you are,” he adds.
When an attack happens, leaders will have to decide whether the ED can continue to care for patients. Can patients be transferred to another area on the campus? Will patients need to be moved to a facility across town? Should everybody keep working as usual? A ransomware attack does not necessarily mean the ED has to go on diversion.
“Every ED is a little bit different,” Perakslis observes. “What if you were stopped from getting into the EHR? Does that mean you have to close your ED?”
If an ED has to divert patients because of ransomware, the liability implications would be no different than any other circumstance resulting in diversion. “Claimants would have to show facts that prove legal elements of their claims. These include whether the ED was negligent in causing any harm or damages to the claimant, whether the ED took appropriate preventive measures to prevent the attack, and how the ED responded to the attack,” Freedman explains.
Scheduling and other parts of the EHR might be prime targets for ransomware, but medical devices might be affected, too, notes Melissa L. Markey, JD, CISSP, co-leader of the Hall Render life sciences team in Denver.
For example, the WannaCry ransomware attack in 2017 locked certain devices that monitored contrast agents used in medical imaging. Other bad actors might target infusion pumps, which can put lives in immediate danger. Elsewhere, automated medication dispensing machines might malfunction or start providing unreliable data.
Typically, EDs react to a ransomware attack by taking vulnerable devices offline. “This is a protective action. But it has the effect of decreasing the data that is available to care for patients,” Markey says.
If imaging is taken off the hospital’s network, it remains possible to obtain a CT scan, but the scan is read from a single dedicated monitor instead of radiologists connected to the network. Still, even though providers might be able to see a test somewhere, results can be delayed.
Organized criminal groups behind ransomware attacks see the potential to make big money because of the healthcare industry’s reliance on networked systems, says Rob D’Ovidio, PhD, associate professor of criminology and justice studies at Drexel University. “But they also recognize that the potential harm and loss of life to patients means increased scrutiny by the law enforcement community when compared to criminals launching ransomware attacks where losses are limited to money paid out by victims to bring networks back online,” D’Ovidio says.
Solid business continuity plans make it possible for EDs to continue patient care if networks are shut down. “The potential to cause harm to patients is only going to increase as more medical devices are connected to networks,” D’Ovidio warns. “In the case of networks in EDs, restoring your network can literally be the difference between life and death.”
Harm also can result when computing devices supporting administrative tasks are taken offline, as EDs increasingly rely on network communications to monitor vital signs, administer medications, and aid clinical decision-making. “This reliance on computers has the potential to be disastrous if the devices are taken offline without notice,” D’Ovidio says.
One important way EDs can mitigate risks is by reducing vulnerability of internet-connected systems. “We should be smarter about what we connect to the internet and make vulnerable in the first place,” Perakslis argues.
The ability to run medical equipment offline is important. “In lower-resource settings, it is better to stay lower tech, as a general rule,” Perakslis suggests. “If an ED is heavily networked, it should have critical redundancies. If those redundancies are not possible, the systems approach should be lower tech.”
Intent is an important distinction. Are bad actors looking for money, seeking to inflict reputational harm, or trying to intentionally disrupt care? “I do think that medicine needs to consider setting the default switch to the internet to ‘off,’” Perakslis says. “Just because we are getting all these great devices connected to the internet doesn’t mean we should.”
If an ED is attacked, it will take time to migrate to backup systems. “The time it takes to become operational will usually take much longer than if the ED lost electricity and had to get a backup generator working,” Freedman notes.
Administrators also should prepare for attacks that could involve third parties the facility relies on to function. EDs should be practicing responses to this scenario. “Ransomware gangs are using a ‘one-stop-shopping’ approach for maximum disruption, which leads to an increased chance of getting an organization to pay the ransom,” Freedman says.
Ransomware attacks can inflict long-term damage. The authors of one study suggested hospitals that sustained cybersecurity events experienced safety problems for up to two years following a breach [1]. “ED patients, particularly those who are presenting with critical illnesses, are at risk of less optimal outcomes due to delays in care ... and possible lack of access to some advanced technologies,” Markey notes.
To stay ahead of this risk, leaders can create packets with all documents needed to convert to non-digital care on short notice. Staff can switch to manual processes for ordering labs and imaging, following care protocols, and calculating drug dosages.
“Integrate ransomware response training with emergency preparedness training, or have a separate training that focuses on operating the ED without all the electronics,” Markey suggests.
REFERENCE
- Choi SJ, Johnson ME, Lehmann CU. Data breach remediation efforts and their implications for hospital quality. Health Serv Res 2019;54:971-980.