When Hospital Cyberattacks Compromise Care, Not Just Data


When hospitals are hit by cyberattacks that compromise crucial technology systems for managing patient care, the stakes are staggering.

“We’ve started to think about these as public health issues and disasters on the scale of earthquakes or hurricanes,” said Jeff Tully, a co-director of the Center for Healthcare Cybersecurity at the University of California at San Diego.

Many hospitals are unprepared for long outages, cybersecurity experts say. And the federal government has offered little in the way of required protocols or standards to protect patient safety in attacks on the health sector, which have risen precipitously in recent years.

Long-held concerns about protecting patients’ sensitive health information have been overtaken by fears of harm to patients themselves. Kate Wells and I dug into one of the latest and biggest examples for the news organization Michigan Public and KFF Health News: the ransomware attack against Ascension that for weeks locked clinicians out of electronic health records, medication systems and other technology at one of the nation’s largest health systems.

The federal government requires hospitals to protect patient data, according to cybersecurity experts. Yet there are no requirements for hospitals to have basic cybersecurity protocols in place, which could include things like multifactor authentication, email controls and basic cybersecurity training for employees. The Biden administration, however, has indicated it will soon attempt to institute some mandatory measures.

When Denise Anderson, president of the Health Information Sharing and Analysis Center, began working in the health sector, federal officials were focused mostly on data privacy and the Health Insurance Portability and Accountability Act (HIPAA), the landmark 1996 patient privacy law.

“We weren’t pairing cybersecurity and health care in the same sentence,” said Anderson, whose organization works to protect the health sector from physical and cyberthreats.

Lawmakers have taken notice. “It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers,” Sen. Ron Wyden (D-Ore.) wrote in a June 5 letter to Health and Human Services Secretary Xavier Becerra.

Clinicians working for Ascension hospitals say the cyberattack led to harrowing lapses, including delayed or lost lab results, medication errors and an absence of routine safety checks via technology to prevent potentially fatal mistakes. More than a dozen doctors and nurses who work for the sprawling health system told Michigan Public and KFF Health News that patient care at its hospitals was compromised in the fallout of the cyberattack.

Ascension declined to answer questions about claims that care has been affected by the ransomware attack. “We are confident that our care providers in our hospitals and facilities continue to provide quality medical care,” Sean Fitzpatrick, Ascension’s vice president of external communications, said last month.


This article is not available for syndication due to republishing restrictions. If you have questions about the availability of this or other content for republication, please contact [email protected].


Comments are closed.