Critical Care Explorations. 2024 Apr 10;6(4):e1079. doi: 10.1097/CCE.0000000000001079

Ransomware Cyberattack Associated With Cardiac Arrest Incidence and Outcomes at Untargeted, Adjacent Hospitals

Thaidan T Pham 1, Theoren M Loo 2, Atul Malhotra 3, Christopher A Longhurst 4,5, Diana Hylton 6, Christian Dameff 4,7,8, Jeffrey Tully 6, Gabriel Wardi 3,7, Rebecca E Sell 9, Alex K Pearce 3
PMCID: PMC11008621  PMID: 38605720

Abstract

OBJECTIVES:

Healthcare ransomware cyberattacks have been associated with major regional hospital disruptions, but data reporting patient-oriented outcomes in critical conditions such as cardiac arrest (CA) are limited. This study examined the CA incidence and outcomes of untargeted hospitals adjacent to a ransomware-infected healthcare delivery organization (HDO).

DESIGN, SETTING, AND PATIENTS:

This cohort study compared the CA incidence and outcomes of two untargeted academic hospitals adjacent to an HDO under a ransomware cyberattack during the pre-attack (April 3–30, 2021), attack (May 1–28, 2021), and post-attack (May 29, 2021–June 25, 2021) phases.

INTERVENTIONS:

None.

MEASUREMENTS AND MAIN RESULTS:

Emergency department and hospital mean daily census, number of CAs, mean daily CA incidence per 1,000 admissions, return of spontaneous circulation, survival to discharge, and survival with favorable neurologic outcome were measured. The study evaluated 78 total CAs: 44 out-of-hospital CAs (OHCAs) and 34 in-hospital CAs. The number of total CAs increased from the pre-attack to attack phase (21 vs. 38; p = 0.03), followed by a decrease in the post-attack phase (38 vs. 19; p = 0.01). The number of total CAs exceeded the cyberattack month forecast (May 2021: 41 observed vs. 27 forecasted cases; 95% CI, 17.0–37.4). OHCA cases also exceeded the forecast (May 2021: 24 observed vs. 12 forecasted cases; 95% CI, 6.0–18.8). Survival with favorable neurologic outcome rates for all CAs decreased, driven by increases in OHCA mortality: survival with favorable neurologic rates for OHCAs decreased from the pre-attack phase to attack phase (40.0% vs. 4.5%; p = 0.02) followed by an increase in the post-attack phase (4.5% vs. 41.2%; p = 0.01).

CONCLUSIONS:

Untargeted hospitals adjacent to ransomware-infected HDOs may see worse outcomes for patients suffering from OHCA. These findings highlight the critical need for cybersecurity disaster planning and resiliency.

Keywords: cardiac arrest, cybersecurity, ransomware, cyberattack, outcomes


KEY POINTS

Question: Are ransomware cyberattacks on healthcare delivery organizations (HDOs) associated with increased cardiac arrest (CA) incidence and adverse outcomes at adjacent untargeted hospitals?

Findings: This cohort study of two untargeted academic hospitals adjacent to an HDO under a month-long ransomware cyberattack evaluated 78 CAs: 21 during pre-attack, 38 during attack, and 19 during post-attack phases. During the attack phase, decreases in survival with favorable neurologic outcome were observed.

Meaning: This study suggests cyberattacks are associated with worse outcomes for patients suffering from out-of-hospital CA at untargeted, adjacent hospitals, highlighting the critical need for cybersecurity disaster planning and regional healthcare systems resiliency.

Ransomware cyberattacks on healthcare delivery organizations (HDOs) are increasing in frequency and sophistication (1). Ransomware is a type of malicious software that can block access to computer systems and networks until a ransom is paid. In a clinical environment dependent on connected technology, ransomware may disrupt patient care workflows (2). On May 1, 2021, a four-hospital HDO was “infected” by a ransomware cyberattack, resulting in the loss of electronic medical records and systems for one month (3). Although the operational effects of ransomware-infected HDOs have been reported, there are limited data regarding how ransomware cyberattacks impact adjacent, untargeted hospitals (4). To our knowledge, Dameff et al (5) was the first to study patient outcomes in neighboring, untargeted hospitals and found increases in strokes during the cyberattack month, demonstrating the ripple effects of cybersecurity disruption. In addition to stroke victims, patients with other time-sensitive, resource-intensive conditions including out-of-hospital cardiac arrests (OHCAs) were diverted from the ransomware-infected HDO to other hospitals (6). We hypothesized that this month-long ransomware cyberattack would impact cardiac arrest (CA) prevalence and outcomes at the adjacent, untargeted hospitals.

MATERIAL AND METHODS

The study was approved January 14, 2022, by the University of California San Diego institutional review board (No. 801738 Resuscitation Quality Improvement: A Prospective Collection and Review of University of California San Diego's Advanced Resuscitation Training Resuscitation Events) with waiver of informed consent. Procedures were followed in accordance with the ethical standards of the responsible committee on human experimentation and with the Helsinki Declaration as revised in 2013.

In San Diego county, there are four large HDOs that comprise 75% of the regional inpatient discharges (5, 7). From May 1–28, 2021, one of the large HDOs, which operates four acute care hospitals and accounts for 25% of inpatient discharges, was infected with ransomware (7). This retrospective cohort study compared the CA incidence and outcomes of an adjacent, untargeted HDO, which comprises two academic hospitals and accounts for 11% of inpatient discharges (7), during three phases: pre-attack (April 3–30, 2021), attack (May 1–28, 2021), and post-attack (May 29, 2021, to June 25, 2021). In this study, “adjacent” specifies an HDO that serves the same region and is within proximity (e.g., <1 mile separates each untargeted hospital from an infected HDO hospital).

The adjacent, untargeted HDO’s emergency department (ED) and hospital mean daily census and level of care (e.g., ED inpatient [EDIP], ward, and ICU), number of CAs, mean daily CA incidence per 1000 admissions, return of spontaneous circulation (ROSC), survival to discharge, survival with favorable neurologic outcome, and patient demographics were compared between phases using one-way analysis of variance, Kruskal-Wallis, Mann-Whitney U, t, or chi-square tests as appropriate. An EDIP patient is an admitted patient boarding in the ED awaiting transfer to an inpatient unit. Favorable neurologic outcome was defined by cerebral performance category score 1 or 2 (8).

An autoregressive integrated moving average (ARIMA) model was performed to control for seasonal and secular variations in CAs. ARIMA models use past time series data to predict future values (9). Four years of data before the cyberattack (January 1, 2017, to April 30, 2021) were used to forecast the number of CAs during the attack month (May 2021). The forecasted cases were then compared with the observed cases during the attack month. The number of San Diego county pre-hospital CAs was also compared between phases. Statistical analyses were performed using R-4.1.2 (R Core Team, Vienna, Austria). All p values were from two-sided tests, and results were deemed statistically significant at a p value of less than 0.05.

RESULTS

Among all the phases, the CA cases were similar in age, sex, race, and Charlson Comorbidity Indexes (Table 1). The number of total CAs, including OHCAs and in-hospital CAs (IHCAs), increased from the pre-attack to attack phase (21 vs. 38; p = 0.03), followed by a decrease in the post-attack phase (38 vs. 19; p = 0.01) (Table 1). In the ARIMA model, the number of total CAs exceeded the cyberattack month forecast (41 observed vs. 27 forecasted cases; 95% CI, 17.0–37.4) (Fig. 1A). The number of OHCAs also exceeded the forecast (24 observed vs. 12 forecasted cases; 95% CI, 6.0–18.8) (Fig. 1B). The number of IHCAs was within the forecast (95% CI, 4.8-21.8) (Fig. 1C).

TABLE 1. Emergency Department and Hospital Mean Daily Census, Number of Cardiac Arrests, Mean Daily Cardiac Arrest Incidence per 1,000 Admissions, and Outcomes

| Variables | Pre-Attack | Attack | Post-Attack | p, Overall | p, Pre-Attack vs. Attack | p, Attack vs. Post-Attack | p, Pre- vs. Post-Attack |
|---|---|---|---|---|---|---|---|
| Age, yr, mean (sd) | 64 (15) | 62 (16) | 55 (20) | 0.44 | | | |
| Sex, male, n (%) | 12 (57.1) | 29 (76.3) | 13 (68.4) | 0.31 | | | |
| Race, n (%) | | | | | | | |
| - White | 13 (61.9) | 27 (71.2) | 17 (89.5) | 0.14 | | | |
| - Black | 4 (19.0) | 5 (13.2) | 0 (0) | 0.16 | | | |
| - Asian | 1 (4.8) | 1 (2.6) | 1 (5.3) | 1 | | | |
| - Mixed | 2 (10.0) | 0 (0) | 0 (0) | 0.13 | | | |
| - Unknown | 1 (4.8) | 5 (13.2) | 1 (5.3) | 0.59 | | | |
| Charlson Comorbidity Index, mean (sd) | 4.3 (3.2) | 3.6 (3.5) | 2.9 (2.9) | 0.38 | | | |
| Initial arrest rhythm, n (%) | | | | | | | |
| - Ventricular fibrillation/ventricular tachycardia | 7 (33.3) | 8 (21.1) | 9 (47.4) | 0.12 | | | |
| - Pulseless electric activity/asystole | 14 (66.7) | 30 (78.9) | 10 (52.6) | 0.12 | | | |
| Arrest etiology, n (%)a | | | | | | | |
| - Circulatory | 3 (14.3) | 8 (21.2) | 2 (10.5) | 0.68 | | | |
| - Respiratory | 3 (14.3) | 13 (34.2) | 3 (15.8) | 0.18 | | | |
| - Dysrhythmia | 7 (33.3) | 8 (21.1) | 9 (47.4) | 0.12 | | | |
| Emergency department daily census, mean (sd) | 218.4 (18.9) | 251.4 (35.2) | 239.4 (21.3) | < 0.001 | < 0.001 | 0.13 | < 0.001 |
| Hospital daily census, mean (sd) | 614.5 (29.7) | 637.4 (33.7) | 622.9 (30.4) | 0.02 | < 0.01 | 0.07 | 0.24 |
| - Emergency department inpatient, mean (sd) | 14.5 (7.8) | 25 (11.5) | 18.8 (11.5) | 0.008 | < 0.001 | 0.05 | 0.20 |
| - Ward, mean (sd) | 491.8 (19.3) | 506.1 (16.8) | 496.8 (18.3) | 0.02 | 0.004 | 0.05 | 0.32 |
| - ICU, mean (sd) | 66.5 (6.0) | 77.4 (6.5) | 68.2 (5.1) | < 0.001 | < 0.001 | < 0.001 | 0.26 |
| Cardiac arrests, n (%) | 21 | 38 | 19 | 0.02 | 0.03 | 0.01 | 0.75 |
| - In-hospital | 11 (52.4) | 16 (42.1) | 7 (36.8) | 0.17 | | | |
| - Out-of-hospital | 10 (47.6) | 22 (57.9) | 12 (63.2) | 0.06 | | | |
| Daily cardiac arrest incidence per 1,000 admissions, mean (sd) | 0.9 (0.8) | 1.6 (1.6) | 0.8 (0.8) | 0.20 | | | |
| - In-hospital | 0.5 (0.6) | 0.7 (1.1) | 0.3 (0.5) | 0.24 | | | |
| - Out-of-hospital | 0.4 (0.7) | 0.9 (1.2) | 0.5 (0.7) | 0.56 | | | |
| Return of spontaneous circulation, n (%) | 16 (76.2) | 26 (68.4) | 14 (73.7) | 0.80 | | | |
| - In-hospital | 9 (81.8) | 14 (87.5) | 6 (85.7) | 0.92 | | | |
| - Out-of-hospital | 7 (70.0) | 12 (54.5) | 8 (66.7) | 0.72 | | | |
| Survival to discharge, n (%) | 9 (42.9) | 7 (18.4) | 9 (47.4) | 0.04 | 0.04 | 0.02 | 0.77 |
| - In-hospital | 5 (45.5) | 3 (18.8) | 4 (57.1) | 0.14 | | | |
| - Out-of-hospital | 4 (40.0) | 4 (18.2) | 5 (41.7) | 0.24 | | | |
| Survival with favorable neurologic outcome,b n (%) | 8 (38.1) | 2 (5.3) | 9 (47.4) | < 0.001 | 0.09 | < 0.001 | 0.75 |
| - In-hospital | 4 (36.4) | 1 (6.3) | 4 (57.1) | 0.02 | 0.13 | 0.02 | 0.63 |
| - Out-of-hospital | 4 (40.0) | 1 (4.5) | 5 (41.2) | < 0.01 | 0.02 | 0.01 | 0.94 |

a Circulatory etiologies involve a decrease in cardiac output that ultimately results in cardiopulmonary arrest; subcategories include distributive shock, hypovolemia, pulmonary embolism, and heart failure. Respiratory etiologies involve hypoxemia as a cause of cardiopulmonary arrest, as opposed to concurrent hypoxemia in the presence of some other arrest etiology; subcategories include acute respiratory distress syndrome, pulmonary hemorrhage, airway obstruction, progression of a known pulmonary condition, tracheostomy-related, and rapid sequence intubation-related. While all arrests involve some abnormal cardiac rhythm, an abnormal rhythm is determined/suspected to be the etiology of arrest in these patients; subcategories include ventricular fibrillation and pulseless ventricular tachycardia.

b Favorable neurologic outcome was defined by cerebral performance category score 1 or 2.

Pre-attack (April 3–30, 2021), attack (May 1–28, 2021), and post-attack (May 29, 2021, to June 25, 2021) phases. All p values were from two-sided tests and results were deemed statistically significant at p < 0.05. Bivariate analyses not performed if overall comparison did not meet significance.

Figure 1. Autoregressive integrated moving average (ARIMA) 4-yr (January 2016 to April 2021) monthly moving average and May 2021 forecast of cardiac arrests: all cardiac arrest (A), out-of-hospital cardiac arrest (OHCA) (B), and in-hospital cardiac arrest (IHCA) cases (C).

Compared with the pre-attack phase, the attack phase observed increases in mean (sd) daily census in the ED (218.4 [18.9] vs. 251.4 [35.2]; p < 0.001) and across the hospital (614.5 [29.7] vs. 637.4 [33.7]; p < 0.01), including EDIP (14.5 [7.8] vs. 25 [11.5]; p < 0.001), ward (491.8 [19.3] vs. 506.1 [16.8]; p = 0.004), and ICU level of care (66.5 [6.0] vs. 77.4 [6.5]; p < 0.001) (Table 1). During the post-attack phase, the hospital daily census returned to pre-attack phase levels (622.9 [30.4] vs. 614.5 [29.7]; p = 0.24) (Table 1). There were no differences in mean daily CA incidence per 1,000 admissions for all CAs between the phases (pre-attack 0.9 [0.8] vs. attack 1.6 [1.6] vs. post-attack 0.8 [0.8]; p = 0.20), suggesting that the increases in CAs and census were proportional. There was no difference in county pre-hospital CAs between the pre-attack and attack phases (225 vs. 258; p = 0.13).

While ROSC rates for all CAs were similar between the phases, rates of survival to discharge for all CAs decreased during the attack phase compared with the pre-attack (18.4% vs. 42.9%; p = 0.04) and post-attack (18.4% vs. 47.4%; p = 0.02) phases. Survival with favorable neurologic outcome differed between phases for all CAs (p < 0.001). For OHCAs, rates of survival with favorable neurologic outcome decreased from the pre-attack phase to attack phase (40.0% vs. 4.5%; p = 0.02) followed by an increase in the post-attack phase (4.5% vs. 41.2%; p = 0.01).

DISCUSSION AND CONCLUSIONS

In this study, we observed increases in the absolute number of total CAs, IHCAs, and OHCAs at untargeted hospitals adjacent to an HDO undergoing a month-long ransomware cyberattack. However, there was no difference in CA incidence per 1,000 admissions for all CAs during the attack phase. We also observed a decrease in survival with favorable neurologic outcome for all CAs during the attack phase. To our knowledge, this is the first report of the association of CA incidence and outcomes at a neighboring hospital system adjacent to a ransomware-infected HDO. The increase in CAs mirrored the increase in strokes previously reported during the same time period (5).

Additionally, we analyzed the 4-year period before the ransomware cyberattack using an ARIMA model to account for seasonal and secular variation. We found the ransomware-associated increase in total CAs during the cyberattack-phase month (May 2021) was higher than expected and largely driven by OHCA cases. The increase in total CAs may be driven by regional diversion of emergency medical services (EMS) from the ransomware-infected HDO and the increase in ED and hospital census during the attack phase (5). As previously reported, the county observed increases in median EMS diversion time and mean ambulance arrivals to the untargeted, adjacent hospitals during the attack phase (5).

Despite similar rates of ROSC for all CAs between phases, there were differences in overall survival with a favorable neurologic outcome (p < 0.001), driven by an increase in OHCA mortality. We observed a decrease in survival with favorable neurologic outcome for OHCAs during the attack phase compared with the pre-attack (4.5% vs. 40.0%; p = 0.02) and post-attack (4.5% vs. 41.2%; p = 0.01) phases. In the post-attack phase, we saw survival with favorable neurologic outcome return to pre-attack levels for OHCAs (41.2% vs. 40%; p = 0.94). While speculative, EMS diversions may have contributed to worse outcomes for OHCAs by prolonging time to advanced resuscitation and post-arrest care. This hypothesis is consistent with prior studies that found events resulting in increased EMS diversions, such as marathons, are associated with longer ambulance transport times and higher 30-day mortality (10). Although increased EMS diversion time has been previously reported related to this event (5), we do not have complete data regarding EMS transport times to determine if diversions were relevant to our specific CA cases.

Alternatively, the increased ED and hospital census may have contributed to worse outcomes as providers were managing abnormally high patient volumes during the attack phase. We observed an increase in EDIP patients due to a shortage of available inpatient beds. This finding is consistent with the increase in median total ED length of stay for admitted patients reported during the same time period (5). The normally functioning ED also observed ransomware-associated increases in median ED door-to-room times, length of stay for discharged patients, and number of patients who left against medical advice (5), showing the disruptive impact of a cyberattack on patient care.

Limitations to this study include its observational design and generalizability to outside HDOs. Unfortunately, we do not have complete data on EMS transit time, arrest downtime, if the OHCA was witnessed, bystander cardiopulmonary resuscitation, EMS interventions, etc., which may impact our findings. Importantly, we describe the impact of a ransomware cyberattack on CA incidence and outcomes at an adjacent, untargeted HDO. CA and post-arrest care are time-sensitive and resource-intensive. Thus, recognition that cyberattacks are associated with increases in hospital census and CAs among adjacent hospitals is important for operational planning so that regional HDOs can be prepared to provide adequate support. Additionally, other aspects of patient care may also be impacted such as canceled appointments or delayed test processing (4); thus, our study highlights the need for further large-scale investigations to confirm the full impact on patient care. To minimize HDOs’ vulnerability to cyberattacks, coordination of regional disaster planning and focus on cybersecurity measures will be critical.

ACKNOWLEDGMENTS

We thank Edward Castillo, PhD, MPH, Department of Emergency Medicine, University of California San Diego for patient demographic data curation. We would like to thank Barbara Stepanski, MPH and the San Diego County Emergency Medical Services Office for county data curation. Also, we thank Melody Dotson, RN, MSN, University of California San Diego Base Hospital Nurse Coordinator and Gregory Heid, City of San Diego Fire-Rescue Department for assistance with emergency medical services data curation. These parties had no editorial input nor received any compensation for their assistance.

Footnotes

Drs. Malhotra, Dameff, Wardi, and Pearce received support for article research from the National Institutes of Health (NIH). Dr. Malhotra received funding from Zoll, Jazz, Eli Lilly, and Livanova. ResMed gave a philanthropic donation to the University of California San Diego. Dr. Longhurst receives support from the Joan and Irwin Jacobs Center for Health Innovation. Dr. Dameff is supported by Career Development Award (1-K08-EB032477) from the National Institute of Biomedical Imaging and Bioengineering. Dr. Wardi’s institution received funding from the NIH (K23 GM146092) and National Foundation of Emergency Medicine; he received funding from Northwest Anesthesia. Dr. Sell received funding from Zoll. Dr. Pearce received funding from the National Heart, Lung, and Blood Institute (T32). The remaining authors have disclosed that they do not have any potential conflicts of interest.

Dr. Pham was involved in conceptualization, methodology, and writing—original draft, review, and editing. Mr. Loo was involved in methodology, formal analysis, visualization, and writing—original draft, review, and editing. Dr. Malhotra was involved in writing—review and editing and supervision. Dr. Hylton was involved in investigation and data curation. Drs. Longhurst, Dameff, Tully, and Wardi were involved in writing—review and editing. Dr. Sell was involved in investigation, data curation, and writing—review and editing. Dr. Pearce was involved in conceptualization, investigation, data curation, writing—review and editing, and supervision.
