Ransomware attacks really increase mortality rates at hospitals

It’s sometimes claimed that blaming the deaths of hospital patients on ransomware attacks is somewhat ridiculous. But it’s not. A whitepaper found evidence to suggest that mortality rates typically increase by around 20%.

The study, published by academics from the University of Minnesota’s medical school, analyzed the aftermath of ransomware attacks on hospitals in the United States, looking at hospital admissions before, during, and after a ransomware attack, and reported patient deaths.

According to researchers, the most affected category were patients who were already hospitalized at the time of the ransomware attack, compared to patients who were admitted after.

That’s because the hospital staff could adjust procedures to take into account unavailable IT systems.

Nevertheless, the paper says that mortality rates were even higher for patients at hospitals experiencing the most severe ransomware attacks (mortality rate increase of 36-55%) and for patients of color (increase of 62-73%).

“In normal times, roughly 3 in 100 hospitalized Medicare patients will die in hospital. During a ransomware attack, that number goes up to 4 out of 100. From 2016 to 2021, we estimate that ransomware attacks killed between 42 and 67 Medicare patients,” the researchers said.

They add that the numbers would likely be higher if another team analyzed data from patients with other types of health insurance coverage, and not just Medicare.

In an accompanying article, researchers have called healthcare “a hacker’s playground.” Cybercriminals target the industry for a few reasons.

“Firstly, it’s a maze of electronic systems – many of which are essential to providing care. This includes electronic health records (EHRs), imaging machines, scheduling and communication software, electronic monitoring equipment, telehealth platforms, and so many others,” they wrote in the healthcare news outlet STAT.

“Secondly, many users of these electronic systems are distracted, and thus are susceptible to hackers’ infiltration techniques.”

On the other hand, the consequences of a cyberattack are not extraordinary – they’re similar to other types of incidents such as natural disasters and pandemics. They all impact hospital productivity and time of response, delivering degraded care that increases mortality rates for patients who would have normally survived, researchers say.