+44 (0)2039 098573

Search

In this week’s bulletin, Charlie continues his bulletin from 2022 on whether cyber attacks have killed people, and looks at the impacts of a cyber attack in the healthcare sector.

In August 2022, I wrote the following bulletin ‘Have Cyber Attacks Killed People’ which looked at possible incidents which might have caused deaths. It looked at direct attacks such as on medical machinery which could lead to the death of a patient or attacks on critical infrastructure which directly led to an impact on the users of services and lead to death. In all cases I couldn’t find an example where there was a direct link between a cyber attack and a death. There were a number of indirect death such as the 78-year-old woman suffering from an aortic aneurysm in Dusseldorf, Germany, in September 2020, whose ambulance was turned away from a hospital that had suffered a cyber attack and had to travel to a further hospital and she died on the journey. There was also the case of two suicides attributed to the Ashley Madison hack and subsequent blackmail. There was the possibility of deaths after the hacks on Ukrainian power grids in 2015 and 2016 due to death from cold, fires, and traffic crashes.

Since 2022 when I wrote the last bulletin, cyber attacks have continued apace, with healthcare being a sector particularly hard hit. In spite of this, I have not managed to find any deaths directly attributable to cyber attacks, but there has been a number of studies which point to increased mortality when a cyber attack occurs on a hospital. In an article in The Journal of mHealth, they gave the following statistics:

  • The four most common healthcare cyberattack types — business email compromise (BEC), supply chain attack, ransomware and cloud compromise — increase delays, average visit length, procedure complications and patient mortality rates.
  • Of the 88% of health care organisations that experienced cyber attacks in 2023, roughly 20%-30% reported more fatalities as a result.
  • IT professionals stated mortality rates increased by 28% for ransomware, 12% for BECs, 21% for supply chain attacks and 29% for cloud compromises.

Many of these statistics have come from this study by the Ponemon Institute study.

Another study by STAT found:

  • During the first week of a ransomware attack, patient volume falls by roughly 20%. Revenue decreases by that much or more, showing a 40% drop in the emergency setting.
  • Hospitals are forced to treat fewer patients during ransomware attacks, and they provide less care (especially imaging and testing services) for the patients they do treat.
  • They saw this across multiple hospital care settings: emergency room, inpatient, and outpatient.
  • In normal circumstances, roughly 3 in 100 hospitalised Medicare patients will die in the hospital. During a ransomware attack, that number goes up to 4 out of 100. From 2016 to 2021, we estimate that ransomware attacks killed between 42 and 67 Medicare patients.

As far as I can see, there is mounting evidence of excess deaths caused by cyber attacks, but there is no evidence yet of an attack which has been directly attributed to deaths.

Scroll to Top
Scroll to Top