Hacking Acute Care: A Qualitative Study on the Healthcare Impacts of Ransomware Attacks Against Hospitals

Abstract

Background and objectives Cyberattacks against healthcare institutions are an increasing threat and have the potential to impair health outcomes. Current research is limited and focuses mainly on the technical consequences, whereas little is known about the healthcare staff experiences and the impact on emergency care, both during the incident and in the recovery phase. This study aims to explore the impact of a sample of large ransomware attacks against hospitals between 2017 and 2022 on acute care delivery and patient care during the recovery phase.

Methods This interview-based qualitative study assessed the experiences of emergency healthcare professionals and Information and Communication Technology (ICT) staff and investigated the challenges faced when struck by a major hospital ransomware attack. The semi-structured interview guideline was based on current literature and cybersecurity expert consultation. Transcripts were anonymized and information tracing back to participants and/or their organizations was removed for privacy purposes.

Results Nine participants were interviewed, including emergency healthcare providers and ICT-focused staff. Five themes were constructed from the data: impact and challenges regarding patient care continuity, challenges during the recovery process, personal impact on healthcare staff, preparedness, and lessons identified and future recommendations.

Conclusions According to the participants of this qualitative study, ransomware attacks have a significant impact on emergency department (ED) workflow, acute patient care and the personal wellbeing of healthcare providers. Preparedness for such incidents is often limited and many challenges are encountered during the acute and recovery phase of the attack. Proactive preparedness efforts are essential to improve contingency planning and to develop response strategies for hospital ransomware attacks.

Competing Interest Statement

The authors have declared no competing interest.

Funding Statement

This study did not receive any funding

Author Declarations

I confirm all relevant ethical guidelines have been followed, and any necessary IRB and/or ethics committee approvals have been obtained.

Yes

The details of the IRB/oversight body that provided approval or exemption for the research described are given below:

IRB of Maastricht University Medical Center gave ethical approbal for this work.

I confirm that all necessary patient/participant consent has been obtained and the appropriate institutional forms have been archived, and that any patient/participant/sample identifiers included were not known to anyone (e.g., hospital staff, patients or participants themselves) outside the research group so cannot be used to identify individuals.

Yes

I understand that all clinical trials and any other prospective interventional studies must be registered with an ICMJE-approved registry, such as ClinicalTrials.gov. I confirm that any such study reported in the manuscript has been registered and the trial registration ID is provided (note: if posting a prospective study registered retrospectively, please provide a statement in the trial ID field explaining why the study was not registered in advance).

Yes

I have followed all appropriate research reporting guidelines and uploaded the relevant EQUATOR Network research reporting checklist(s) and other pertinent material as supplementary files, if applicable.

Yes

Data Availability

All data produced in the present work are contained in the manuscript

留言 (0)

沒有登入
gif