A cyberattack on one hospital can disrupt an entire network of medical providers
MARY LOUISE KELLY, HOST:
Cyberattacks, those carried out using ransomware in particular, have claimed victims in every sector of U.S. society and cost millions of dollars. The consequences of these attacks can spread far beyond a single target. New research explores what happens to an entire network of medical providers when just one hospital is hit with a cyberattack. NPR cybersecurity correspondent Jenna McLaughlin reports.
JENNA MCLAUGHLIN, BYLINE: In the spring of 2021, the University of California San Diego Medical Center was suddenly flooded with patients.
CHRIS LONGHURST: We lived through it, right? So we saw the sheer numbers on a daily basis.
MCLAUGHIN: Chief Medical Officer Dr. Chris Longhurst still remembers it. There wasn't a huge accident nearby or a sudden deluge of COVID patients. It was something else. Down the street just a half-mile or so, Scripps Mercy Hospital of San Diego had been hit by a massive ransomware attack.
LONGHURST: We were bringing them back-up staff.
MCLAUGHIN: As a result, patients got diverted to places like UC San Diego.
LONGHURST: Like, our wait times had, you know, gone haywire. It was like the whole system suddenly was overloaded, right? So we felt it.
MCLAUGHIN: The attack had a blast radius. In conversations, experts kept using that term, one that's normally reserved for bombs, but it fits. Scripps struggled to get back online for the next month. It was all over national and local news.
(SOUNDBITE OF ARCHIVED RECORDING)
UNIDENTIFIED REPORTER: A major cyberattack targeting Scripps Health over the weekend is continuing to disrupt patient access and care.
MCLAUGHIN: Longhurst and his co-authors looked at a time period of four weeks before and after the attack. They noted a big increase in emergency room arrivals - over 600 additional people. Plus, there were more than double the amount of strokes, a dangerous condition where blood supply to the brain is temporarily cut off. Without quick medical attention, patients might suffer speech impairments, physical disabilities or death. When it comes to impact, it's unfortunately one example of many. Cyberattacks against hospitals have even been linked to a handful of deaths. For example, one Alabama family sued the hospital where their baby was born and later died during a ransomware attack in 2019. Those examples are heart-wrenching, but anecdotes haven't always led to policy change or a massive increase in cybersecurity spending. That's where the cold, hard data comes in. During an interview, Longhurst brought up a series of charts to show me.
LONGHURST: We got some data from the county that was published in this paper. I'll put it up on the screen here. You can see figure 2 - the cumulative San Diego County EMS diversion hours, meaning how many hours were emergency departments on diversion where they were unable to take trauma patients and stroke patients because their scanners weren't working, and their doctors couldn't access the right information, right? And you can see it's significant.
MCLAUGHIN: Longhurst isn't just the chief medical officer. He's also the chief digital officer at UC San Diego. He and his team wanted to put actual numbers behind what they experienced that spring. Here's Jeff Tully, his co-author. He's both an anesthesiologist and a cybersecurity researcher.
JEFF TULLY: And so in some ways, what we're looking for are the ripples in the pond after the stone falls.
MCLAUGHIN: Dr. Tully said it can be really tough to get data on the actual victim of the attack, for technical reasons and because victims are still fearful to come forward. Scripps agreed in January to pay 3.5 million to victims whose private data was stolen during the 2021 breach. It takes a long time to recover, to rebuild a reputation and IT infrastructure. But with ransomware against health care on the rise, Scripps is hardly the only victim.
ALLAN LISKA: In the month of April, there were 31 attacks against health care providers around the world, so basically more than one a day.
MCLAUGHIN: That's Allan Liska, a ransomware expert at the cybersecurity firm Recorded Future.
LISKA: We're still relatively early in the year, so, you know, I don't want to predict trends for the year, but it is disturbing to see that there does appear to be at least an increase over 2022 for now.
MCLAUGHIN: He says that might be because hackers are no longer working with established ransomware gangs as much anymore. They're going off on their own, stealing rather than paying for malware. The gloves are off.
LISKA: So, you know, it's essentially five guys that sit around and drink vodka all day and do ransomware.
MCLAUGHIN: Health care cybersecurity evangelists Josh Corman and Beau Woods have been fighting those hackers for decades. Here's Corman.
JOSHUA CORMAN: I've always been concerned about the relationship between technology and the human condition. I always thought this was going to be consequential.
MCLAUGHIN: And Beau Woods - he started out working IT at a hospital.
BEAU WOODS: One day very early on, I got a call from our natal intensive care unit, and their fetal heart monitors were down.
MCLAUGHIN: Turns out those heart monitors were caught in the crossfire, infected by a malicious digital worm that was meant to steal banking passwords. Woods wrestled for months with the company, the FDA and his colleagues to patch those devices. Then he met Corman at a hacker conference in Vegas. They've been working together ever since, all the way up to the federal government at DHS. A big area of focus is how everything is connected. Jeff Tully in San Diego sees it, too.
TULLY: We need to start understanding that as a health system, as critical national infrastructure, you know, we're all in this together, and we're really only as strong as our weakest links.
MCLAUGHIN: Regional hubs for health care cybersecurity could be a good step towards bouncing back during a digital crisis, and patients need to be at the forefront, says Andrea Downing. Downing is a breast cancer advocate and technical expert. She founded the Light Collective, a group that advocates for secure technology that meets patients' needs.
ANDREA DOWNING: What our patient community's concern is, is if we have an emergency or an acute event and we have to get into the ER, time can really equal lives.
MCLAUGHIN: That's what's really at stake when hackers attack hospitals - lives. Jenna McLaughlin, NPR News.
(SOUNDBITE OF MUSIC) Transcript provided by NPR, Copyright NPR.