Ransomware Attacks: Bad for Hospitals, Deadly for Patients
October 5, 2023
In 2021, University of Minnesota health economist Hannah Neprash listened to a Tradeoffs story on ransomware in health care and was inspired to study whether cyberattacks actually harm patients. This week, Hannah’s striking findings and the inside story of a ransomware negotiation that sparked her work.
Dan Gorenstein: Ransomware attacks are a major problem in health care.
Clip: CommonSpirit’s experiencing an IT security incident
Clip: It’s a ransomware attack impacting millions of patients across the country.
DG: One industry survey found that 6 in 10 health care companies had been hit by ransomware in the last year.
Clip: The Prospect hack is one of about 275 cyber attacks on US health care organizations this year.
DG: These cyberstrikes can disrupt care for weeks, cost hospitals millions of dollars, and cost patients their lives.
Hannah Neprash: Ransomware attacks are really bad for hospitals and they’re really bad for patients at those hospitals.
DG: Today, we discuss a new paper released this week about the deadly impact of ransomware attacks. But first, we revisit our story from the summer of 2021 that inspired this new research.
From the studio at the Leonard Davis Institute at the University of Pennsylvania, I’m Dan Gorenstein. This is Tradeoffs.
Karen Sprenger: I don’t remember the specific date, but it was in 2020, and it was a Friday. I do remember that.
DG: Karen Sprenger lives in Missoula, Montana, and like lots of us, was working out of her home office last spring. A “don’t panic” poster hung on one wall. A Yoda she built out of legos sat behind her. It was just before 5, but instead of thinking about that after-work drink, Karen was bracing herself.
KS: In our line of business we call them Forensic Fridays because an abnormally high number of cases come in on a Friday.
DG: Sure enough, the call came in.
KS: Incoming case, ransomware, call in five.
DG: Karen opened Zoom and met her client: a clinic in the Midwest that provides home health care, dialysis and chemotherapy. The clinic told Karen employees were locked out of their files. A computer virus had spread everywhere — servers, work stations, patient records.
KS: They had no way of knowing what chemotherapy treatment was supposed to be given. They didn’t have access to patient allergies.
DG: It had taken just over 24 hours for the clinic’s operations to grind to a halt.
KS: They were basically dead in the water. They couldn’t do anything.
DG: Karen is the COO for the cybersecurity firm LMG Security. She explained the clinic was facing a ransomware attack.
KS: A ransomware attack encrypts all of your files. So it locks them up, and the only way to open them is to get a key, which is really just a long series of numbers and letters. And so in a ransomware attack, they’re holding those files, the lock for those files until you pay them.
DG: The FBI has a strict “don’t pay the ransom” policy. They encourage companies to call law enforcement immediately. But eager to regain control of their systems as quickly as possible, many organizations instead turn to someone like Karen, who has been working in this shadowy, upside down world for the last 8 years.
KS: I negotiate ransoms for clients who need that.
DG: Karen has negotiated more than 100 ransomware cases, 30 or so involving health care, and she’s learned to keep a level head. It’s a lesson she picked up from the 2000 film Proof of Life.
Proof of Life: Meg Ryan: Can you just explain how this works?
Russell Crowe: They make a demand. We start negotiating.
Hostage Taker: $3 million is the price.
DG: That’s the movie where Meg Ryan hires Russell Crowe to negotiate with terrorists to get her husband back.
KS: There’s a scene where Meg Ryan is upset because Russell Crowe, who’s the negotiator, is speaking with the kidnappers as if they’re businessmen or real people.
Proof of Life: For you it’s emotional. For the people holding Peter, it’s a business.
KS: And he’s explaining how this is a business deal and he needs to get them to trust him.
Proof of Life: The sooner you get comfortable and objective about that, the easier this will be.
KS: And I think that one is super relevant in that you have to learn not to let emotion get in the way when you’re doing negotiations.
DG: That Friday afternoon, Karen could see the emotion on the clinic’s staff’s faces over Zoom. She could hear the panic in their voices. They’d already had to cancel 50 chemo and dialysis treatments.
KS: They very explicitly told us, here’s the services that we offer and we can’t do that right now. And we can’t continue like this because people can’t be without their health care. They couldn’t do the thing that they were there to do and that was really hard for them.
DG: Having the ability to care for your patients held at ransom is a health care provider’s worst nightmare. This clinic was desperate, they were willing to pay, and Karen knew she needed to act fast. Karen’s team got to work containing the attack. Karen turned her attention to the hostage takers.
KS: We always encourage clients not to pay. But there are situations where they have no choice, and this was one of them. Their backups were non-recoverable. So they were in a tough spot.
DG: This is why they brought Karen in. Like an athlete before a big event, she’s got her rituals. She makes a new email address, adopts a pseudonym, and then she steps out of everyday Karen and slips into her alter ego.
KS: My alter ego is very direct and a little outspoken and probably a little more courageous, forceful and assertive.
DG: No-nonsense Karen got right to the point in her first email to the attacker.
KS: I’m a third party. I’ve been brought in to bring this to a satisfactory conclusion for all parties involved. How much are you asking for the ransom?
DG: Within the hour, she had a response: $1.5 million.
KS: Which is unreal.
DG: Karen saw that demand and ignored it. Now she had to decide whether to tell her counterpart, who went by Saheed, that he had attacked a health care facility.
KS: With some attackers, you don’t want to tell them that because they will use that to increase the ransom thinking, oh, well, we’ve got them in a difficult position. But there are some of these criminal groups that do have some empathy, some compassion. It’s tiny. It’s not enough to say, sorry, we didn’t mean to hit health care. We’re going to just give this to you for free. But it’s enough for them to say, OK, we understand the position that you’re in.
DG: Karen gambled and told Saheed about the clinic, that critically ill patients were going without care and that while the clinic was open to paying, it did not have $1.5 million. Saheed was willing to play ball. He dropped the price to just over a million. Karen countered with $200,000. As Friday turned to Saturday, the two volleyed dollar amounts back and forth, Karen updating the clinic the whole way. As bizarre as this all may sound to us, this was a relatively by-the-book negotiation. We were unable to independently confirm Karen’s story, though two veteran negotiators did tell us the details sound in line with how these cases usually go down. As the weekend dragged on, Karen thought of people missing out on their treatments for cancer and kidney failure, and her stoic alter ego started feeling the squeeze.
KS: Just really felt the responsibility of, if we don’t move fast, there are people suffering out there.
DG: Finally, Sunday morning, a breakthrough.
KS: Must have been about 9 o’clock because I had just finished breakfast.
DG: Saheed had offered $500,000.
KS: So I countered with $435,000 thinking we’d end up at 450. But that’s when they came back and said, done.
DG: Karen worked with a broker to buy $435,000 worth of bitcoin on the clinic’s credit card and then sent the payment off to Saheed.
KS: As we were starting to decrypt files and they could see a light at the end of the tunnel, they just felt relieved. They could see that, yes, we can get back to treating patients and providing the services that we provide.
DG: It took all of Sunday and Monday to safely decrypt all the clinic’s files and bring their systems back online so they could start seeing patients again. Karen says since the attack, the clinic has invested more in cybersecurity.
When we come back, what policymakers are doing to address this threat and how new research inspired by Karen’s story confirms hospitals’ big fear: Ransomware attacks can cost patients their lives.
DG: Welcome back. We first aired a version of Karen Sprenger’s story back in July 2021 as part of an episode on the rise in ransomware attacks in health care. One of the people who listened to that story was University of Minnesota health economist Hannah Neprash.
Hannah Neprash: I remember distinctly where I was when I heard this story. It was nap time for my toddler. I was relaxing on the couch, catching up on my favorite health care health policy podcast. And one thing in particular jumped out at me, and that was a comment that the ransomware negotiator, I think her name is Karen, made…
KS: They are just looking for a vulnerability. And if they find it, they’re coming in.
HN: …saying that it was essentially impossible to predict where a ransomware attack would hit and when. Which, as terrible as it sounds, got my research spidey sense tingling because it suggested that maybe there was a natural experiment to study here.
DG: Hannah’s spidey sense was tingling because she realized that if these ransomware attacks were effectively random, researchers like her could more easily study their impacts.
HN: When somebody can predict something like a ransomware attack, they can adjust their behavior ahead of time. But if it’s unpredictable, then you see in real time how a ransomware attack affects them.
DG: Right, these hospitals, these medical providers, they can’t prepare. They don’t know when it’s going to come. And so that way you can really see what the fallout is in a kind of a clean, honest way.
DG: And so on your couch, toddler down and you’re kind of like geeking out on like, “Oh, there could be a paper here.”
HN: Yeah. And on top of that, it was clear from the podcast there was all this policy interest and seemingly very little actual research evidence which told me that this was maybe a place to make a really meaningful contribution in terms of providing research to inform policy.
DG: So you and your coauthors, you go out, you gather evidence, and you publish a paper last December in, I think, JAMA Health Forum. And you identified 374 ransomware attacks on health care between 2016 and 2021. Hannah, beyond those top line numbers, what do you think people need to know about these attacks based on that work?
HN: It showed us that ransomware attacks are getting more severe in basically every way we could measure: more data stolen, more likely to affect multiple offices or multiple hospitals at once. And the thing that stood out the most for me was the fact that ransomware attacks frequently disrupt the delivery of health care, especially for hospitals. So in that paper, we show that three out of four ransomware attacks on hospitals had some effect on that hospital’s ability to deliver care, whether it was by disabling access to the electronic health record, or even something as severe as forcing them to cancel scheduled surgeries or divert ambulances to a different hospital.
DG: So your paper really helps kind of put meat on the bones that these ransomware attacks are having real world impacts on patients, on people. They’re interrupting the care that they get, as you just said. And it seems to me pretty intuitive that those kinds of disruptions would harm patients in some way, right?
HN: A lot of people in the policy space would just assume that ransomware attacks harm patients. But we know a lot of medical care that happens in the U.S. doesn’t help patients lead healthier lives. There’s a lot of wasteful care. There’s a lot of care that doesn’t necessarily improve outcomes. And so it’s possible that no harm would come to patients if they got slightly less care because their hospital was undergoing a ransomware attack. And you know, just to put my geeky researcher hat on…
DG: Is it ever off, Hannah? Is it ever off? I mean, come on.
HN: Oh you’re right. I feel so seen. I think that the best questions, the questions I look for when I’m thinking, what should I research today, are the questions where there’s potentially an interesting answer, whether it’s yes or no. And this was an area where the answer would be really interesting if we did find evidence of patient harm. But it was totally possible that we wouldn’t because of all this evidence that lots of spending in medical care just doesn’t help patients lead healthier lives.
DG: So you do this first paper, you get a sense that these ransomware attacks are having a pretty major impact and there really is the potential for lots of patient harm. However, because you are a health economist and you take a nuanced view, after this first paper, you can’t really sort of as definitively as you would like to say, there is or there is not patient harm.
DG: So you and your co-authors set out to finally answer that question. What did you do?
HN: So we took our database of ransomware attacks on hospitals, and we linked that up with Medicare claims data which allowed us to look in a much more detailed way at what happened to hospitals during a ransomware attack and what happened to their patients.
So imagine we have two patients who are both at a ransomware attack hospital. So Jose is admitted to the hospital before the ransomware attack hits. Poor Gabriel, though, is admitted to the hospital at the same time as Jose, but he’s still there when the ransomware attack hits. So for Gabriel’s care team, all of a sudden maybe they can’t access the electronic health record. They don’t know what medications he’s allergic to. Maybe they have to cancel a surgery that Gabriel was going to get.
DG: So within the hospital that suffers the attack, you’re paying attention to the two different types of patients, Gabriel and Jose. But then you’re also going to compare that activity to outside hospitals that were not attacked. Is that correct?
HN: Exactly. We need a Josephina and a Gabriela at a hospital that never experienced a ransomware attack as a control group.
DG: Okay, so you’re looking at Jose and watching what happens to Jose and then you’re looking at Gabriel who had to be in the hospital during the ransomware attack. And what did you find?
HN: So bottom line, we find that ransomware attacks are really bad for hospitals and they’re really bad for patients at those hospitals. We see that in that first week of a ransomware attack, hospital revenue falls by 20 to 40%. It’s a huge hit. We also find evidence that patients are more likely to die in the hospital during a ransomware attack. So for Gabriel, it’s much more likely that he doesn’t walk out of that hospital if he has the misfortune to still be there when the ransomware attack hits.
DG: Hannah, how much more likely is it that Gabriel will not walk out of the hospital?
HN: During a ransomware attack, we see that in-hospital mortality goes up about 20% to 35% for patients who have the misfortune to be admitted to a hospital when that hospital goes through a ransomware attack.
DG: So it could be as much as 20% to 35% more likely for an older American 65 and over to die in the hospital if they’re admitted when a ransomware attack hits. Is that what you just said?
HN: You got it, Dan.
DG: Is that a big number?
HN: It’s a big number. There are relatively few things that result in a 30% bump in patient mortality. The good news here is that dying in a hospital is still a really unlikely event. The bad news is it’s more likely to happen if you have the bad luck to be admitted to a hospital during a ransomware attack.
DG: So Hannah, this is a working paper. It has not gone through peer review yet. How confident are you in the analysis? Could there be anything else that is causing this increase in mortality?
HN: I am so glad that you asked that. I’m sure that peer review will improve this paper, and we’re in the process of that right now. But we have poked and prodded this analysis in so many different ways, and at least so far, all of our findings are really consistent. And this policy area is just getting so far ahead of any research evidence that it feels really important to add some evidence to this debate.
DG: I think what you’re saying is, hey, there’s some more fine tuning perhaps that needs to be done, some polish on this work. But at the end of the day, we’re talking about watching people potentially die. And so let’s get something out there.
HN: Exactly. I’ve seen how valuable it is to put cold, hard numbers behind squishy assumptions and beliefs. So I’m hoping that adding some evidence to this policy debate can essentially light a fire to get something done soon.
DG: And so the Biden administration has been talking a lot about cybersecurity. Some people in Congress as well. What is the latest with your ear to the ground on the policy conversation right now?
HN: Based on the conversations I’ve had with folks who are intimately involved in some of these policy debates, I would bet that in the next year we will see some major changes in the requirements hospitals face for minimum cybersecurity standards like email protection and security testing, and I suspect that pretty soon hospitals will be both incentivized, but also required to show Medicare that they have all of those systems in place.
DG: Carrots and sticks.
HN: Carrots and sticks. Absolutely.
DG: And in terms of those conversations, I want to go one layer deeper with you on those, Hannah. When you’re in the room with these policymakers, what do you tell them the right incentives are to make hospitals comply. Like what are the carrots? What are the sticks?
HN: So I think it’s important to talk about the hospitals that need motivation to invest in cybersecurity and the hospitals that need help investing in cybersecurity. And we have both in this country, which suggests that there needs to be some sort of combination of sticks in terms of requirements that a hospital takes, certain basic cybersecurity investments on board, but also some carrots. So potential subsidies for safety net and rural hospitals that might not have the extra cash lying around to invest in the necessary cybersecurity precautions.
DG: Final question, Hannah. What is the next question for you on your ransomware research list? What do we still not know that you think we need to?
HN: I have two burning priorities that keep me awake at night. The first is that our analysis only goes through 2021 and a lot of stuff has happened in 2022 and 2023. So this is an area where it’s really important for research to stay current. The other priority I have is digging deeper into how ransomware attacks affect the entire community. So if a hospital has to divert ambulances, those ambulances go somewhere and another hospital gets busier. So understanding how the whole community accommodates and adjusts during a time of a ransomware attack is really important because it tells us something about the scope and the magnitude of this problem that we need to know.
DG: It seems like what you’re hoping to do through this body of work is get it on the map, right? Ransomware is one of those kind of weird, back watery sorts of things. And I think you’re flapping this big red flag being like, “Hey, people, this is serious. We need to do something more than what we’re doing.” Is that really what’s happening here?
HN: Absolutely. I think this issue is on the map for policymakers, but there are so many competing priorities. And I’m hopeful that this research can essentially get us over the finish line in terms of meaningful policy change.
DG: Hannah, thank you so much for taking the time to talk to us on Tradeoffs.
HN: This was a joy. Thank you, Dan.
DG: I’m Dan Gorenstein, this is Tradeoffs.
Selected Research and Reporting on Ransomware Attacks in Health Care:
Hacked to Pieces? The Effects of Ransomware Attacks on Hospitals and Patients (Claire C. McGlave, Hannah Neprash and Sayeh Nikpay; SSRN; 10/4/2023)
The State of Ransomware in Healthcare 2023 (Sophos, 8/2023)
HHS agency launches project to boost healthcare cybersecurity (Emily Olsen, Healthcare Dive, 8/24/2023)
What One Hospital’s Slow Recovery From a Cyberattack Means for Patients (Farah Yousry, Side Effects Public Media/KFF Health News, 6/13/2023)
2022 Healthcare Cybersecurity Year in Review, and a 2023 Look-Ahead (HHS Office of Information Security and Health Sector Cybersecurity Coordination Center, 2/9/2023)
Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021 (Hannah T. Neprash, Claire C. McGlave, Dori A. Cross, Beth A. Virnig, Michael A. Puskarich, Jared D. Huling, Alan Z. Rozenshtein and Sayeh S. Nikpay; JAMA Health Forum; 12/29/2022)
Is a Hospital to Blame if a Patient Dies During a Ransomware Attack? (Josephine Wolff, Slate, 10/7/2021)
Health Care’s Ransomware Wake-Up Call (Tradeoffs, 7/29/2021)
Hannah Neprash, PhD, Assistant Professor, University of Minnesota School of Public Health
Karen Sprenger, CISSP, GCFE, Chief Operating Officer and Chief Ransomware Negotiator, LMG Security
The Tradeoffs theme song was composed by Ty Citerman, with additional music this episode from Blue Dot Sessions and Epidemic Sound.
This episode was produced by Ryan Levi, edited by Dan Gorenstein, and mixed by Andrew Parrella.
Additional thanks to: Greg Garcia, Kevin Kline, Tom Hoffman, Sung Choi, Paul Bischoff, Errol Weiss, John Riggi, Christoph Lehmann, Mark Jarrett, Nicolette Louissaint, Nick Bennett, Joe Bengfort, the Tradeoffs Advisory Board and our stellar staff!