Hospital ransomware attacks spike volumes at nearby EDs, study finds

A new review of California patient volumes is the latest warning that hospital ransomware attacks have consequences that extend to other providers in their surrounding community.

Published Wednesday in JAMA, the research from William Paterson University and RAND researchers shows that cyberattacks lead to reduced admissions and emergency department visits at the compromised hospital.

The volume reductions in both areas start at 8% in the week immediately following and peak at about 16% to 17% during the second week before returning to pre-attack levels within eight weeks of the incident, per the study.

Meanwhile, they found, emergency departments in nearby unattacked hospitals fielded more visits during the four weeks after an incident, hitting a high of just over 7% three weeks after the event. There were no significant changes among nearby hospitals’ inpatient admissions.

Still, the findings suggest “that the consequences of such attacks are broader than the targeted hospitals,” the researchers wrote in JAMA alongside statistics highlighting an increase in such incidents following the COVID-19 pandemic.  

The study’s sample included eight ransomware attacks across 15 disrupted hospitals between 2014 and 2020. It also compared volumes at 17 unattacked geographically close hospitals to 20 others that were further away but still in the same Hospital Service Area.

Researchers obtained weekly facility-level inpatient admission and emergency department visit data for these facilities from the California Department of Health Care Access and Information, which covers all the state’s licensed hospitals.

The researchers’ warning adds to those stemming from a more focused study of the 2021 outage at Scripps Health. That analysis found significant increases in emergency department visits, wait times and patients leaving without being seen, prompting calls from researchers to treat cyberattacks against healthcare facilities “as disasters, necessitating coordinated planning and response efforts.”

Neither study has looked at differences in specific patient outcomes stemming from a nearby cyberattack.

2024 has already seen a few high-profile ransomware attacks that have disrupted care. Earlier this month the nonprofit giant Ascension locked down access to several of its technology systems and kicked off downtime procedures across 14 states when it detected “unusual activity” within its network. Lurie Children’s Hospital of Chicago, Illinois’ largest pediatric provider, announced it was “no longer addressing an active cybersecurity matter” just last week—three and a half months after an attack brought down phone, email and electronic health record systems.

Recent months have seen the Biden administration acknowledge the threat of hospital ransomware attacks and signal its interest in bolstering the hospital industry’s cybersecurity profile. In January it released a collection of voluntary cybersecurity performance goals, the initial steps of a broader plan that could include monetary incentives tied to Medicare.