Preventing The Worst-Case Scenario for Hospital Ransomware

In the aftermath of the Colonial Pipeline ransomware attack a few months ago, healthcare cybersecurity professionals wondered when their own industry might have to grapple with an attack so devastating that it caused hospitals and clinics to reconsider whether they were effectively protecting their growing infrastructure of connected devices. However, the hospital ransomware hack in question might have predated Colonial Pipeline’s attack, we just didn’t know it yet.

Recent reporting by the Wall Street Journal (paywalled) reveals that a ransomware attack may already have led to a preventable patient death. A lawsuit is making its way through the US court system that alleges an Alabama mother about to give birth unknowingly entered a hospital providing compromised care due to an active ransomware attack. The hospital didn’t inform employees, patients, or regional media about an attack at first, saying instead in response to an inquiry from a local TV news broadcast that it had experienced a “network event” that had “not affected patient care.”

The hospital continued to accept new patients, even though the ransomware attack led to computers in the whole hospital being disabled for over a week, which had a cascading impact on nearly every connected device. Patient records were completely inaccessible, a situation that according to an anesthesiologist “put patient lives at risk.”Wireless employee trackers that assisted with getting employees rapidly to emergency triage situations were down. Radiologists needed to peer into the cramped screens attached to their scanning equipment to analyze X-rays, since the bigger monitors connected to computers were not accessible.

Tasks that were previously automated thanks to the plethora of connected medical devices, such as recording vital signs, were suddenly arduous and unfamiliar, particularly for less experienced nursing staff who had never worked in any capacity without modern technology. Experienced staffers needed to tutor their younger colleagues on paper charting, including hand-drawing graphs showing patients’ vital signs, so that patient care could still be provided.

Worst of all, because of the ransomware attack, nurses were unable to view the information coming from fetal heartbeat and oxygen monitors in the delivery rooms, since they usually viewed this information at a glance on a large screen at the nurses’ station for all the babies. Staff put patients in the rooms closest to the nurses’ station and turned up the volume on their bedside fetal heart monitors so they could better hear any alarms. However, one baby’s heart rate fell due to her umbilical cord getting wrapped around her neck and cutting off her blood and oxygen supply.Tragically, this led to severe brain damage that contributed to the baby’s death nine months later. A text message conversation by the obstetrician to the nurse manager submitted in court filings said that she would have delivered the baby via C-section had she been able to see the heart monitor’s readout about the heart rate slowing down.

There’s No Turning Back the Clock on Connected Healthcare

The Alabama ransomware case makes clear that there is no divorcing digital safety from patient safety; they are intertwined permanently going forward. Newer healthcare employees who have never known a world before the internet are at a loss when connected medical devices go down. The more experienced and quickly shrinking field of employees who remember the before times must develop a whole new set of outdated and most likely insecure protocols on the fly just to do their jobs. Reverting to paper and pen methods of healthcare is a suboptimal practice that puts patient lives and long term health at risk.
‍
It is estimated that more than two-thirds of medical devices will be connected to the internet by 2025. The IoT footprint in our hospitals is clearly here to stay, and patients have seen enormous improvements thanks to the data, insight, and timeliness that these devices bring to hospital care. However, these devices were often not designed with security as a primary driver, and in fact a recent Ponemon Institute study determined that more than 20% of healthcare ransomware attacks started with a hacker who gained a foothold on a connected device.
‍
Unfortunately, most IT security solutions offer little visibility into or protection for connected device vulnerabilities or risks, leaving a giant hole that ransomware and other attackers are only too happy to exploit. Connected IoT devices also contain vast amounts of electronic personal health data that needs to be safeguarded and results in fines, audits, and bad headlines when a breach occurs. Even more pressing, these connected devices are often what alert healthcare professionals to sudden fluctuations in patient health, or keep patients alive. Without insight into the critical risks that attackers could exploit to manipulate the functionality of these devices, hospitals are left with a security blind spot that might have a critical impact on patient health.

It is difficult to determine whether any particular death was principally due to a delay in needed care, a sudden shift to analog procedures, or an underlying medical condition. It is probably impossible to definitively prove whether a cyberattack has the greatest responsibility for a death. But considering that there were 92 ransomware attacks at over 600 clinics in 2020 alone, it was probably a contributing factor in many other patient deaths, even if it can’t be conclusively linked as the only or primary cause in any single instance. In a notorious German case from last year, a patient had to be diverted to another hospital when the healthcare facility closest to her was shut down by a ransomware attack. Local police later said that the ransomware was not directly responsible for the patient’s death, as the patient was already very sick. But it certainly didn’t help.
‍
Hospitals need to take a closer look at the often neglected ransomware risks presented by IoT devices and proactively take steps to protect patient care, service availability and data security. As the tragic case in Alabama makes clear, ransomware has already obstructed a hospital from ensuring optimal health and patient care. Ultimately this case should be a wake-up call for the industry to confront the ransomware threat introduced by connected devices head on.