A MARTÍNEZ, HOST:
Six in 10 health care companies have been hit by ransomware attacks in the last year. That's according to a recent industry survey. These cyber strikes can disrupt care for weeks and cost hospitals millions of dollars. Now new research suggests they can also put patients' lives at risk. From the nonprofit health policy newsroom, Tradeoffs, here's Ryan Levi.
RYAN LEVI: Karen Sprenger got the call just before 5 p.m. on a Friday back in the spring of 2020.
KAREN SPRENGER: Incoming case, ransomware, call in five.
LEVI: Sprenger is the COO and chief ransomware negotiator for the cybersecurity firm LMG Security. The call was from a small clinic in the Midwest where care had ground to a halt after hackers encrypted the clinic's files and demanded payment in exchange for the key to unlock them. The FBI has a strict don't pay the ransom policy, but that can be a tough sell for clinics and hospitals that find themselves unable to provide critical care to their patients.
SPRENGER: They very explicitly told us, here's the services that we offer, and we can't do that right now. And we can't continue like this because people can't be without their health care.
LEVI: The attackers wanted $1.5 million. But over the weekend, Sprenger negotiated them down to $435,000. And by the end of the day Monday, the clinic was back up and running. Ransomware attacks in health care more than doubled between 2016 and 2021, exposing tens of millions of patients' health information and forcing facilities to divert ambulances and delay surgeries. Health care leaders have grown increasingly worried that those care disruptions put patients at risk, but there was no research supporting those fears until now.
HANNAH NEPRASH: During a ransomware attack, we see that in-hospital mortality goes up about 20 to 35% for patients who have the misfortune to be admitted to a hospital when that hospital goes through a ransomware attack.
LEVI: Hannah Neprash is a health economist at the University of Minnesota. Neprash says these findings, which were published earlier this month, only looked at patients on Medicare and are still in the process of going through peer review, so the results could change, but she says few things have been found to so significantly increase the risk of dying in a hospital.
NEPRASH: The good news here is that dying in a hospital is still a really unlikely event. The bad news is it's more likely to happen if you have the bad luck to be admitted to a hospital during a ransomware attack.
LEVI: Saad Chaudhry, the chief digital and information officer for Maryland's Luminis Health system, says the findings aren't surprising, but he thinks this research, confirming hospitals' worst fears about ransomware attacks, will push facilities to do more.
SAAD CHAUDHRY: The health care industry, at least in the United States, has come to terms with the fact that it's never going to be a matter of if an organization is under attack, it's a matter of when. So we must invest in our ability to come back up after we are attacked.
LEVI: There's bipartisan interest in Congress to address this issue, but no legislation appears imminent. Chaudhry says cybersecurity best practices for health care organizations published by the Biden administration earlier this year have been a big help, but he and researcher Hannah Neprash say policymakers should set minimum cybersecurity requirements for hospitals and offer financial subsidies for smaller and more rural facilities that may not have the resources to comply. For NPR News, I'm Ryan Levi.
(SOUNDBITE OF FEVERKIN'S "SILHOUETTE")
Transcript provided by NPR, Copyright NPR.