Scripps ransomware post-mortem reveals significant ripple effects for nearby hospitals

Hospital ransomware attacks can have significant ripple effects for adjacent emergency departments, a new study published in JAMA found.

The research took a deep dive into the Scripps Health ransomware attack and the impact on surrounding San Diego-based healthcare facilities.

During the observed attack and post-attack phases, EDs adjacent to the breached hospitals saw a significant increase in patient numbers, wait times, patients leaving without being seen and acute stroke care metrics. The study suggested that cyberattacks against healthcare facilities should be “treated as disasters, necessitating coordinated planning and response efforts.”

“Although cyber attacks on healthcare delivery organizations continue to increase in frequency and the financial and operational effects of such incidents are documented, the literature is largely bereft of data demonstrating an adverse effect on patient care workflows or care outcomes,” the report said.

On the evening of May 1, 2021, Scripps Health, with its five acute care hospitals, 1,300 inpatient beds and 19 outpatient facilities, was hit with a ransomware attack. Electronic health records and imaging and telemedicine systems were encrypted, forcing clinicians to revert to manual processes. For a month, operational disruptions lingered. A total of 150,000 patient records were compromised.

To evaluate the ripple effects, researchers assessed adult and pediatric patient volume along with stroke care metrics at two EDs adjacent to Scripps. Metrics were taken four weeks before and after the attack. Surrounding facilities saw an increase in ambulance arrivals and patient length of stay while the entire county experienced emergency medical diversion.

ED waiting room times increased by a third in the surrounding facilities while wait times for admitted patients increased by a fourth. While the report did show an increase in stroke code alerts, stroke diagnoses and acute treatments during the cyberattack and recovery, the increase was not correlated with longer wait times for treatment.

“Acute stroke care is an example of a time-sensitive, resource-intensive, technologically dependent and potentially lifesaving set of complex actions and decisions requiring a readily available multidisciplinary team working in close coordination,” the report said. “There was no significant difference in door-to-CT scan or acute stroke treatment times. Indirect impediments to care have been associated with patient outcomes in the setting of other time-sensitive conditions, including acute myocardial infarction or cardiac arrest. It may be reasonable to consider the impact of cybersecurity disruption within such an outcomes-oriented context.”

The report suggested that more research should look into the financial costs of surrounding facilities following a ransomware attack against a medical facility. Proof of care being affected, the authors wrote, indicates a need for coordinated regional surge planning “similar to that conducted for natural disasters.”

Regional partners could coordinate proactive plans and drills for cybersecurity attacks, the report suggested. Partnerships could also allow for real-time information sharing of threats. More detailed plans for specific patient populations most at risk, including those experiencing trauma, stroke or myocardial infarction, should be prioritized.

Authors zoomed out further to argue that operational resiliency across all healthcare systems should be a “high national priority.” Despite the acute need, there is a paucity of studies assessing the associations of cyberattack risks with patient safety, the report said. “Further study on the association of cyber attacks with patient safety and quality of care is needed, although significant barriers to data collection and reporting remain given the reliance on affected electronic adverse event monitoring systems and healthcare delivery organizations’ legal liability concerns.”

Soon after the attack, Scripps reported that the breach cost the health system $112.7 million, with lost revenue being the main culprit. Insurance recovery was predicted to return $14.1 million of the organization’s losses.

Following the attack, Scripps faced several class-action lawsuits from patients who claimed that the system did not do enough to protect their medical data. In January of this year, Scripps agreed to pay the 1.2 million people plaintiffs $3.57 million.