Cyberattacks Increase Mortality Rates, But Healthcare Is In Denial

January 13, 2022 - Joshua Corman, chief strategist of the Cybersecurity and Infrastructure Security Agency’s (CISA) COVID task force, urged the healthcare sector to come to terms with the harsh realities of healthcare cyberattacks at a recent WEDI Spotlight conference about privacy and security in healthcare.

“In the last 12 to 18 months, we've had successful electronic attacks of the water we drink, the food we put on our table, and the oil and gas that fuels our cars and our homes. The timely availability of patient care, the schools our children go to, the municipalities who run our towns and our cities, and even federal agencies have been the victims of state-sponsored and criminal attacks,” Corman said during his presentation.

“Things are on fire, and we're going to need a resilient workforce to deal with these shocks on all fronts.”

Corman cited data from an October CISA report that outlined the strains of COVID-19 on the nation’s critical infrastructure, particularly the healthcare sector’s ability to provide quality care. Data showed that as ICU beds filled, excess deaths increased.

“The strains on public health to provide medical care are leading to sickness, a loss of the workforce as we succumb to sickness, death, an injury that takes us out of the workplace, loss of our family support structure, Burnout, and retirement,” Corman reasoned.

READ MORE: MD Department of Health Systems Down 1 Month After Ransomware Attack

“Not only are these, with each wave of the pandemic, eroding our strategic workforce and our ability to handle the next wave, but they are also beset on all sides by supply chain shocks, by cyber disruptions by workforce erosions, and by waning stamina from the public, from local officials, and even federal agencies.”

The report also found a direct correlation between cyberattacks and increased mortality, showing that cyber threats can have lasting effects on health systems on top of the strain of the pandemic.

Cyberattacks are known to impede EHR access, cause ambulance diversions, and delay the processing of test results, among other hurdles. CISA researchers found that hospitals that experienced cyber events were also more likely to experience hospital strain (measured by ICU bed utilization), worse health outcomes, and increased mortality.

“We can see across a five-month observation period that hospitals hit by ransoms both achieved these dangerous ICU strain levels sooner and stayed there longer,” Corman noted.

When it comes to time-sensitive medical emergencies such as heart attacks and strokes, every minute counts. When hospitals experience EHR downtime and ambulance diversions as a result of a cyberattack, patients may not be able to get the care they need when they need it.

READ MORE: Critical, “Wormable” Microsoft Vulnerability Could Lead to Cyberattacks

“We have been so afraid to admit that cyberattacks and IT failures can impact patient care and patient safety, that if we continue to be in denial mode, we will go back to business as usual,” Corman emphasized.

Change must start within every organization, but many are unequipped to handle a cyberattack without disruption. Corman cited 2017 CISA data which found that 85 percent of hospitals lack a qualified security professional. He also predicted that that percentage may be even higher at this point, considering the multitude of mergers and acquisitions, along with layoffs.

At the very least, Corman urged healthcare organizations to avoid hard-coded maintenance passwords, unsupported software reachable by the internet, and single-factor remote administration tools. CISA’s list of “bad practices” outlines poor cyber hygiene practices that all organizations should avoid. Healthcare organizations can also refer to CISA’s “Cyber Essentials Starter Kit” for free and actionable cybersecurity tips.

“It's going to be it's going to be rough for some time,” Corman admitted.

“I am an optimist and a passionate change agent, so I wouldn't care if I didn't believe that these things could get better. But it is often darkest before the dawn, and it is pretty dark right now.”

READ MORE: FBI, CISA, NSA Warn of Russian Cyber Threats to Critical Infrastructure

On the bright side, Corman noted that the pandemic’s strain on hospitals and the increase in cyberattacks has given the healthcare sector a clearer picture of where the industry is now and where it needs to be.

“The silver lining here is sometimes you have to hit rock bottom. If we’re still talking about this as fines or records and not as human life and adverse patient outcomes, then we won’t bring the right tools to fix this,” Corman concluded.

“I think it starts with admitting we have a problem.”