Legal, Safety, and Regulatory Risks if Cyberattack Forces ED to Shut Down
By Stacey Kusterbeck
An emergency physician (EP) wants to learn the results from an imaging test, but the system is suddenly inaccessible. It is possible the ED is undergoing a cyberattack. “Threat actors are attacking healthcare providers at an unprecedented rate,” warns Linn F. Freedman, JD, CIPP/US, a former assistant attorney general for Rhode Island and partner at Providence-based Robinson & Cole, where she chairs the data privacy and cybersecurity group.
Multiple EDs in several states recently had to shut down and divert ambulances because of yet another cyberattack.1,2 “The cyberattack might not be the fault of anyone in the ED, but could negatively disrupt its operations,” Freedman notes. In some cases, a criminal gains entry into one hospital system, then migrates to other systems, such as the ED.
Following a cyberattack, emergency care providers may be unable to access vital data about patients’ history and treatment or the results of diagnostic tests, to perform procedures, or to render accurate and timely care. Any of these issues could harm a patient. “EDs may need to divert patients to other hospitals. This could delay emergency treatment for patients in the highest need,” Freedman adds.
EDs also could face regulatory and compliance issues. Each state department of health has jurisdiction to investigate licensed hospitals and departments. “If there is disruption in care, or delays in treatment or adverse results, the state department of health has every right and opportunity to investigate the cause of the incident — and could investigate the ED’s security measures,” Freedman cautions.
Documents subject to scrutiny include security risk assessments and risk management programs. States also have jurisdiction to investigate under HIPAA, and could scrutinize the department’s HIPAA compliance program. “A state department of health can investigate, with or without a patient complaint,” Freedman notes. “They usually have broad regulatory powers under state laws and to protect public health.”
If treatment delays result in a bad outcome in the aftermath of a cyberattack, the patient or family might allege the cyberattack caused or contributed to the bad outcome. Attorneys could argue the ED was negligent by not maintaining appropriate security measures to prevent the attack and disruption, and that the disruption caused the patient harm. “A case like that is obviously newsworthy and difficult for public relations,” Freedman notes.
Claims related to negligence or inadequate care also could arise due to the overall disruption caused by the cyberattack. “The closure of the ED might expose the institution to potential legal actions if patients experience harm or negative outcomes as a result,” says Sinchul Back, PhD, director of cybercrime and cybersecurity studies at the University of Scranton (PA) Center for the Analysis and Prevention of Crime.
EDs are subject to strict regulatory standards governing patient care and safety, including the Health Information Technology for Economic and Clinical Health Act, which emphasizes the security of electronic health records. “The diversion caused by a cyberattack might lead to noncompliance with these regulations,” Back says. “This could result in potential penalties.” Below are some mitigation tactics for emergency medicine leaders to consider:
• Develop a comprehensive strategy detailing the department’s response in the event of a cyberattack. This strategy must include clear communication channels, delineated roles and responsibilities for staff, and protocols for redirecting ambulances to alternative healthcare facilities.
“EDs should review security policies, user agreements, and business continuity plans, all of which should be tailored to address current threats posed by malicious cyber actors,” Back offers.
Security policies must adapt to evolving threats, such as sophisticated ransomware attacks that can compromise patient data.
“For example, the policy could include regular patch management, software updates, and user awareness training to avoid phishing events,” Back says.
Policies also should outline a step-by-step incident response plan detailing communication protocols and procedures for isolating affected systems.
• Promptly apply updates released by manufacturers to patch operating systems and software.
• Recognize critical assets like patient database servers, medical records, telehealth, and telework infrastructure. “Store offline backups of these systems away from the network,” Back says.
• Offer training on information security principles, techniques, and evolving cybersecurity risks. “Given that end users are often targeted, educate them about threats like ransomware and phishing schemes, including their delivery methods,” Back advises.
For example, staff should be trained on social engineering (manipulating individuals to compromise security) and phishing (using deceptive emails or websites to extract sensitive data). Leaders can help staff shield the organization against such threats in several ways:
• Emphasize proper password security (e.g., not reusing passwords, not saving passwords in local files).
• Identify suspicious emails (e.g., unusual senders, errors, or urgent requests).
• Verify requests for sensitive information using established channels like phone calls.
• Report suspicious activity promptly to IT or security teams.
• Ensure employees are aware of who to contact (e.g., the IT department) in case of suspicious activity, or if they suspect a cyberattack is occurring. “This facilitates swift and effective implementation of established mitigation strategies,” Back says.
For example, EDs must act immediately to disconnect affected systems or devices from the network. “This effectively halts the spread of the attack, minimizing potential harm,” Back explains.
The initial indications of a cyberattack against an ED vary. “However, a common early warning sign is the sudden disruption or unavailability of crucial electronic systems and resources,” Back says.
Watch for these other early signs of a potential cyberattack:
• Unusual network activity, such as a sudden surge in traffic or unexpected outages;
• Unresponsiveness in electronic health record systems and healthcare applications;
• More prompts for user authentication;
• Abnormal user account activity;
• Unexpected behavior in medical devices;
• Suspicious emails or messages;
• Ransomware notifications demanding payment for data decryption;
• Unauthorized access to patient data or data exfiltration;
• Unforeseen system shutdowns;
• Unexplained alterations in patient records or medical orders;
• A sudden loss of control over computer systems.
The cyberattack could involve the ED’s network, emails, health record, or other critical systems. “In some cases, the systems are never recovered, and the data are lost forever. This has caused some medical practices to close,” says Eric Perakslis, PhD, chief science and digital officer at the Duke Clinical Research Institute. Liability exposure in this situation is “huge,” Perakslis warns.
Hospital administrators might assume insurance provides protection, but this is not necessarily the case. “Just like physical war, often insurance policies do not cover cyber war,” Perakslis says. “Cyber war has a fluid definition. It could be argued that [the 2017 WannaCry global ransomware attack] was a cyber war attack that took out Britain’s health service, as the attack was attributed to a hostile act by a foreign nation state — North Korea in this case.”3
Hospitals should be cautious about how they view cyber insurance within the context of their cybersecurity strategy, says Perakslis. “Critical care areas should be doing cyber incident drills just as are currently done for fires and active shooters,” Perakslis adds.4
A cyberattack might start as a single penetration via one application; however, it can spread to other hospital systems.
“Just like the ‘golden hour’ in emergency medicine, the actions taken at the start of a cyber incident can help contain the incident — or, more often, can make the incident far worse,” Perakslis says.
There is another type of cyber threat on the horizon for EDs to worry about: artificial intelligence (AI) attacks. “These can target the corruption of data, causing significant physical harm,” Perakslis says. “Attacks that tamper with data and algorithms can remain undetected for extended periods.”
Just as cyberattacks started to occur after healthcare was digitized, the same is expected to be true for AI. “The risk of AI attacks increases as EDs start to build AI into their workflows,” Perakslis warns.
REFERENCES
1. Hut N. Cyberattack leaves hospitals scrambling in several states. Healthcare Financial Management Association. Aug. 7, 2023.
2. Carballo R. Ransomware attack disrupts health care services in at least three states. The New York Times. Aug. 5, 2023.
3. U.S. Department of Justice. North Korean regime-backed programmer charged with conspiracy to conduct multiple cyber attacks and intrusions. Sept. 6, 2018.
4. Perakslis E. Responding to the escalating cybersecurity threat to health care. N Engl J Med 2022;387:767-770.
Experts offer early warning signs of a possible attack, along with mitigation tactics and tips for leaders on how to properly train staff in security principles.