Research Insights
How Do Ransomware Attacks Impact Rural Hospitals?
Synopsis
Amid increasing cybersecurity threats aimed at urban and rural health care delivery systems, a novel study found that while ransomware attacks are less likely to occur in rural areas, the operational disruptions resulting from such attacks may have more pronounced effects on financially vulnerable rural hospitals. This study offers valuable insights for policymakers and health systems seeking to understand the ramifications of ransomware attacks on rural hospitals’ viability and operations, as well as the patients they serve.
Growing Ransomware Attacks Affect Rural Health Care Operations and Care Delivery
Ransomware attacks have nearly doubled annually in the health care sector, with health care delivery organizations particularly at risk due to interconnected health systems, outdated cybersecurity practices, and COVID-19-related financial strain. Recent incidents have highlighted how these attacks affect health care operations, beyond the attacked site. Among providers, hospitals experience the highest rate of operational disturbances, including restricted access to servers and disrupted or redirected patient care. This study contributes valuable findings to the limited body of evidence on the effects of ransomware attacks on rural hospitals.
Ransomware attacks lead to temporary declines in patient volume and revenue for rural and urban hospitals, but rural hospitals and patients may be more susceptible to the effects. Ransomware attacks can also disrupt hospital finances, including procedural interruptions and delays in processing claims. These disruptions can place rural hospitals in a more precarious financial situation, as they are typically smaller and more financially vulnerable. Additionally, ransomware attacks can significantly disrupt patients’ access to care, especially among rural residents who are often older, in poorer health, and facing existing barriers to care. The disruptions caused by ransomware attacks may have spillover effects on nearby sites of care by directing more patients to non-attacked facilities. For rural patients, the average non-ransomware-attacked hospital was over 30 minutes away, 4 to 7 times further than for urban patients. The increased distance could result in delayed or canceled services, impacting health care spending and outcomes, especially in medical emergencies.
These findings may be valuable for stakeholders aiming to understand the effects of ransomware attacks on hospital sustainability, particularly as rural areas are facing hospital closures which further impact health care markets and access. Additionally, the study may provide insights into enhancing cybersecurity protocols in rural settings, as these hospitals often have lower levels of preparedness against ransomware attacks.
Conversation with the Researcher
"Bottom line: ransomware attacks are bad news for hospitals and patients, no matter where they happen…but there is reason to think they’re especially harmful to rural hospitals and patients."
Hannah Neprash, PhD
University of Minnesota, School of Public Health
Q: What are the most important findings in the study for policymakers and regulatory agencies?
A: Bottom line: ransomware attacks are bad news for hospitals and patients, no matter where they happen…but there is reason to think they’re especially harmful to rural hospitals and patients. The operational disruptions caused by ransomware can have devastating financial consequences for rural hospitals and potentially harmful consequences for patients in rural areas, who must travel further to get care during a cyberattack.
Q: How does this study inform recommendations for the development and strengthening of rural hospital cybersecurity protocols?
A: For me, this study suggests two linked goals for strengthening rural hospital cybersecurity. First, let’s prevent as many cyberattacks as we can. Second, let’s prepare for cyberattacks, so when one inevitably hits, we can minimize the operational disruptions it causes. Right now, I see a lot of policy energy around the first goal and less on the second. Preparing for cyberattacks is really a coordination challenge since it would likely require cooperation across hospitals that usually compete with each other – in order to make sure that everyone gets safe and effective health care.
Q: How can this study inform discussions regarding cybersecurity regulation in health care?
A: I think it emphasizes the need to tailor policy options to the specific health care setting. And also, the need to use sticks and
carrots. The stick is likely to be some form of mandatory cybersecurity actions that every hospital must follow (e.g., using multifactor authentication). The carrots (i.e., financial incentives) should be tailored to providers’ needs. Small and rural hospitals may need more assistance improving their cybersecurity defenses, given where they’re starting from and their relative lack of financial resources.
Q: What makes this study unique? Did it break new ground?
A: Research on cybersecurity and health care is really just getting started! There are only a handful of papers studying the effects of cyberattacks in health care – and this is the first to focus on rural populations.
Q: How can this study inform future research on the impact of cybersecurity?
A: For me, the big open questions are: ‘what are the consequences for rural patients of having to travel dramatically longer distances when their local hospital experiences a ransomware attack?’ and ‘what happens long-term to rural hospitals, after they experience a cyberattack?’. Stay tuned for answers to these questions…
Key Findings
This study compared the hospital characteristics and operations of 43 rural and 117 urban hospitals that experienced ransomware attacks between 2016 and 2021.
Hospital Characteristics
Compared to their urban counterparts, rural hospitals:
Had fewer hospital beds and annual Medicare admissions.
Were less likely to be part of a larger health system or categorized as a Level 1 or 2 trauma center.
Had higher rates of nonprofit status and were more likely to be designated as a Critical Access Hospital or Sole Community Hospital. Rural hospitals were equally likely to be Rural Referral Centers than urban hospitals.
Were marginally less likely to operate an obstetric unit but equally likely to operate an emergency room.
Required further travel to the nearest non-attacked hospital. The median non-ransomware-attacked rural hospital was over 30 minutes away, compared to less than 10 minutes for urban hospitals.
Hospital Operations
During the initial week of the ransomware attack:
Rural and urban hospitals experienced similarly large declines in inpatient admissions and Medicare revenues from such admissions, compared to the week preceding the attack.
Volume and revenue of hospital outpatient and emergency room visits also decreased for both rural and urban hospitals, but the decline was more pronounced among rural facilities.
The return to pre-attack admissions and revenue levels took between two and three weeks for rural and urban hospitals.
This analysis consists of three data sets - the Tracking Healthcare Ransomware Events and Traits (THREAT) database, a novel database of hospital ransomware attacks (created by the researchers), the American Hospital Association's Annual Survey Database, and Medicare fee-for-service claims data. Medicare claims were then linked to the THREAT database and AHA survey information using each hospital's unique CMS certification number. To show how ransomware attacks may affect patients in rural and urban areas differently, Google Maps data was incorporated to show the distance and travel time to the next-closest hospital for areas that experienced an attack.
Neprash, H. T., McGlave, C. C., Rydberg, K., & Henning‐Smith, C. (2024). What happens to rural hospitals during a ransomware attack? evidence from Medicare Data. The Journal of Rural Health. https://doi.org/10.1111/jrh.12...
Additional Citation:
- Ransomware attacks are less likely to occur at rural hospitals: McGlave, C. C., Nikpay, S. S., Henning-Smith, C., Rydberg, K., & Neprash, H. T. (2023). Characteristics of short-term acute care hospitals that experienced a ransomware attack from 2016 to 2021. Health Affairs Scholar, 1(3), qxad037. https://doi.org/10.1093/haschl...
More Related Content
See More on: Affordability | Health Care Coverage | Rural Health