Cyberattacks on hospitals are growing threats to patient safety, experts say
The number of attacks on U.S. hospitals each year doubled between 2016 and 2021.
BURLINGTON, Vt. -- Jes Kraus was supposed to be going to the University of Vermont Medical Center every day for aggressive radiation and chemotherapy treatments to fight stage three colorectal cancer, with which he was diagnosed in September 2020.
But at the end of October 2022, the hospital called to tell him not to come in for his appointments until further notice. The medical center had just been hit by a cyberattack, which infected computer systems across the state and locked out health care workers from his treatment plan and other critical tools.
"Radiation was canceled for a week," Kara Kraus, Jes's wife, told ABC News. "We were afraid. We weren't sure if that would affect the outcome. Again, the tumor, would it start growing back within that week? What was going to happen?"
The Kraus family's experience is an increasingly common one, research shows. Hospitals have become a top target for ransomware gangs, which take control of vulnerable online networks and demand a ransom to unlock them, severely disrupting patient care in the process.
The number of attacks on U.S. hospitals each year doubled between 2016 and 2021, from 43 to 91, according to research published in the Journal of the American Medical Association.
Last year saw an even greater number of incidents, the American Hospital Association said.
Health care systems are often underprepared to stop these attacks, cybersecurity experts said, even though research shows they come with very real health risks for patients.
"These are direct threats to patient safety," John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, told ABC News.
When ransomware attacks hit hospitals, internet-based tools critical to patient care, which can include patient health records, imaging and lab results, communication links with other departments and hospitals and more, are suddenly frozen.
When UVM Medical Center's computers went down, the impact on patient care was "significant," hospital President and COO Dr. Stephen Leffler, who was seeing patients as electronic communications went down, said.
"When the laboratory had a critical lab result on someone, they couldn't put it in the electronic medical record," he told ABC News. "They couldn't call the floor. And so we literally had our administrators start going in the lab, standing there and running a paper result to the floors."
"Everything that we do and rely on was down," he said. "We actually sent some staff to Best Buy to buy Walkie Talkies!"
The attack disrupted UVM systems for 28 days, costing more than $50 million in damage.
For years, discussion of cyberattacks at hospitals has focused on threats to privacy. Hacks could expose personal information about patients and subject hospitals to fines under the Health Insurance Portability and Accountability Act, or HIPAA. But experts now say privacy concerns are increasingly overshadowed by potential harm to patients when a medical facility is forced to delay treatments and divert ambulances.
"This is not just a patient privacy issue," Josh Corman, a leading expert on cybersecurity and health care, told ABC News. "This is a patient safety issue."
Using data from the state of Vermont during the UVM ransomware attack, Corman and colleagues found that hospitals experiencing a ransomware attack hit a stress level linked to more patient deaths. The findings were published by the U.S. Cybersecurity and Infrastructure Security Agency.
And cyberattacks don't just affect an individual hospital hit with the ransomware.
Newly published research in the journal JAMA Network Open documents a ripple effect that can impact health care and the patient experience across an entire region.
The study looked at fallout from a single ransomware attack on a single San Diego hospital in 2021. It found that emergency rooms at adjacent hospitals had more ambulances arrive and saw more patients than normal, and had longer wait times for all patients seeking care. The number of situations where a patient left without being seen by a doctor rose by 127%.
"Patients don't stop getting sick just because a hospital is hit by a ransomware attack," Dr. Christian Dameff, lead author on the study and emergency physician at the University of California, San Diego, told ABC News. "They have to go somewhere. So what this research shows is that those patients go to neighboring hospitals that can be overwhelmed."
Dameff calls it the blast radius. "It truly affects the entire community," he said.
The U.S. Department of Health and Human Services concluded in an April report that cyberattacks are the single "largest threat" to America's hospitals, deserving "immediate attention" because of the "threat to life."
Most hospitals still aren't adequately prepared to prevent and respond to the threat, experts say. Bigger hospitals generally have the resources to invest in cybersecurity, but smaller ones don't — particularly after the financial strain of the pandemic. Nearly all hospitals surveyed in the HHS report said they use software with "known vulnerabilities"; only half said they had a plan to address those shortcomings.
"We're not yet in a place where we can reliably say the hospital your family depends upon in most of America is, at a minimum, cyber hygiene-level sufficient to fend off preventable attacks," Corman says.
It'll take investment and more federal regulation to fill those gaps, Corman said. There's some movement: the U.S. Food and Drug Administration now requires that medical devices meet cybersecurity standards, and members of Congress are considering introducing legislation that would set mandatory cybersecurity minimums for hospitals.
There also needs to be more cybersecurity and preparedness education for healthcare workers, Dameff said, so that doctors and nurses are prepared for a situation when their networks do go down and they're not able to rely on digital tools.
"It can happen to you – even when you think it's impossible," said Leffler of his message to other hospital administrators.
Raising awareness and encouraging action around health care cybersecurity has been difficult, Dameff said. People in the field worry that talking about it will discourage patients from trusting healthcare institutions, for example, he said.
But more and more leaders in health care are starting to recognize the issue. "These attacks are becoming so frequent and so sophisticated. Hospital defenses aren't nearly up to snuff to prevent these types of things from happening," Dameff said.
Hospitals are, instead, left scrambling when an attack hits. That's what happened with Jes Kraus's care at UVM. Luckily, his oncologist was able to get his radiation treatments moved to another hospital, and his cancer is currently in remission. Still, it was stressful to figure out and coordinate a new way to get care.
"In the grand scheme of things, it's easy to look at it now and say, okay, yeah, it was a week delay [in treatments] and it didn't really impact [my prognosis], but I hope that it's been a lesson learned to hospitals," Kraus said.