As hackers increasingly turn their attention toward medical facilities as targets of cyberattacks, the risks extend beyond hospital finances — when patient services are suspended, they could even lead to death.
Dr. Benoit Desjardins, Ph.D., professor of radiology at the Hospital of the University of Pennsylvania, addressed this grim possibility during an RSNA 2021 session titled Cybersecurity for Radiology Practices.
Desjardins, who is also an expert in information technology, referenced a New England Journal of Medicine study on the impact on mortality when healthcare is delayed even by minutes. Delayed care — for example, for cancer and stroke patients — is a hallmark result of cyberattacks when hospitals sometimes must close for weeks, forcing the transfer of critical patients. He also cited a recent government COVID-era study specifically on the effect of cyberattacks on outcomes. The researchers found that in hospitals that experienced a cyberattack, statistically more significant “excess" deaths occurred earlier and lasted longer.
He also referred to a 2019 incident involving a ransomware attack at an Alabama hospital that disabled the facility's central monitoring system. This resulted in a woman in labor losing her baby. The attending OB/GYN was not aware that the facility had undergone a cyberattack. The physician could not observe that the infant was in distress due to the umbilical cord wrapped around the baby’s neck. The mother is now suing the hospital for its failure to prevent the ransomware attack.
Medical devices, such as infusion pumps, are also at risk of cyberattacks.
"Through our overdependence on undependable IT, we have created conditions such that actions by any single outlier can have a profound and asymmetrical impact on human life [and] economic and national security,” said Joshua Corman in his capacity as a consultant in the cybersecurity of medical devices.
Corman spoke of a cybermed summit he organized in 2017. A team of mock hackers, including two medical school graduates, hijacked medical devices standard in hospitals. The devices included defibrillators, infusion pumps, and insulin pumps. These "good-guy hackers" were able to easily change the settings in the devices to deliver lethal doses of medicine and electric shock to patients.
A third speaker presented steps radiology practices can take to minimize the threat of cyberattack. Erik Decker, chief information security officer for Intermountain Healthcare, speculated that most of the practice radiologists in attendance likely did not have dedicated IT or cyber security staff. “Cybersafety is a patient safety problem. You look at this insurmountable challenge and think, "how am I supposed to defend against this?” he asked.
