Media Framing and Portrayals of Ransomware Impacts on Informatics, Employees, and Patients: Systematic Media Literature Review

Introduction

Background

According to the United States Cybersecurity and Infrastructure Security Agency, ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable, after which malicious actors will demand ransom in exchange for decryption [Stop ransomware. Cybersecurity and Infrastructure Security Agency. URL: https://www.cisa.gov/stopransomware [accessed 2024-08-05] 1]. Compared with data breach events [Argyridou E, Nifakos S, Laoudias C, Panda S, Panaousis E, Chandramouli K, et al. Cyber hygiene methodology for raising cybersecurity and data privacy awareness in health care organizations: concept study. J Med Internet Res. Jul 27, 2023;25:e41294. [FREE Full text] [CrossRef] [Medline]2-Lee J, Choi SJ. Hospital productivity after data breaches: difference-in-differences analysis. J Med Internet Res. Jul 06, 2021;23(7):e26157. [FREE Full text] [CrossRef] [Medline]4], ransomware events can be even more insidious [He Y, Aliyu A, Evans M, Luo C. Health care cybersecurity challenges and solutions under the climate of COVID-19: scoping review. J Med Internet Res. Apr 20, 2021;23(4):e21747. [FREE Full text] [CrossRef] [Medline]5-Straw I, Brass I, Mkwashi A, Charles I, Soares A, Steer C. Insights from a clinically orientated workshop on health care cybersecurity and medical technology: observational study and thematic analysis. J Med Internet Res. Jul 11, 2024;26:e50505. [FREE Full text] [CrossRef] [Medline]7]. In 2019, an Alabama hospital was locked out of its computers for 8 days, unable to access patient records, locate staff, or monitor fetal heartbeats, cutting doctors and nurses off from critical patient information, equipment, and resources [Suit blames baby’s death on cyberattack at Alabama hospital. AP News. Oct 01, 2021. URL: https:/​/apnews.​com/​article/​technology-business-health-alabama-lawsuits-68c78e9d6af359842c0e9645b4577b50 [accessed 2023-10-20] 8]. At the time of this writing, there is an ongoing lawsuit alleging that the ransomware attack led to the death of an infant, as it obscured access to fetal heartbeat monitoring that would have alerted the attending physician that the umbilical cord had wrapped around the infant’s neck during delivery, resulting in severe brain damage and the death of the infant 9 months later—an outcome the lawsuit claims could have been prevented had the physician performed a lifesaving cesarean section [Poulsen K, McMillan R, Evans M. A hospital hit by hackers, a baby in distress: the case of the first alleged ransomware death. The Wall Street Journal. Sep 30, 2021. URL: https://www.wsj.com/articles/ransomware-hackers-hospital-first-alleged-death-11633008116 [accessed 2023-10-22] 9,McGrath K. Mobile mother suing Springhill Medical Center over newborn's death, blames cyberattack. NBC 15 News. Oct 02, 2021. URL: https:/​/mynbc15.​com/​news/​local/​mobile-mother-suing-springhill-medical-center-over-newborns-death-blames-cyberattack [accessed 2023-10-22] 10]. Another example highlighted by the Washington Post is a ransomware attack in September 2020 that targeted Düsseldorf University in Germany, subsequently impacting a hospital that was connected to the university’s information system [German hospital hacked, patient taken to another city dies. The Washington Post. Sep 17, 2020. URL: https:/​/www.​washingtonpost.com/​world/​europe/​german-hospital-hacked-patient-taken-to-another-city-dies/​2020/​09/​17/​ed06e6ee-f8dd-11ea-85f7-5941188a98cd_story.​html [accessed 2023-10-20] 11,Ralston W. The untold story of a cyberattack, a hospital and a dying woman. WIRED. Nov 11, 2020. URL: https://www.wired.co.uk/article/ransomware-hospital-death-germany [accessed 2023-10-22] 12]. The hospital information system became inaccessible, which led to the death of a 78 year old female patient with aneurysm but had to be diverted to a hospital 1 hour away [Tidy J. Police launch homicide inquiry after German hospital hack. British Broadcasting Corporation. Sep 18, 2020. URL: https://www.bbc.com/news/technology-54204356 [accessed 2023-10-22] 13]. According to our data, these were the first documented deaths tied directly to cybersecurity events in hospital information systems, both of which were ransomware attacks [McGrath K. Mobile mother suing Springhill Medical Center over newborn's death, blames cyberattack. NBC 15 News. Oct 02, 2021. URL: https:/​/mynbc15.​com/​news/​local/​mobile-mother-suing-springhill-medical-center-over-newborns-death-blames-cyberattack [accessed 2023-10-22] 10,Ralston W. The untold story of a cyberattack, a hospital and a dying woman. WIRED. Nov 11, 2020. URL: https://www.wired.co.uk/article/ransomware-hospital-death-germany [accessed 2023-10-22] 12]. Details about the unintentional and accidental deaths of hospital patients due to ransomware attacks were relayed to the public through news stories [Suit blames baby’s death on cyberattack at Alabama hospital. AP News. Oct 01, 2021. URL: https:/​/apnews.​com/​article/​technology-business-health-alabama-lawsuits-68c78e9d6af359842c0e9645b4577b50 [accessed 2023-10-20] 8,Tidy J. Police launch homicide inquiry after German hospital hack. British Broadcasting Corporation. Sep 18, 2020. URL: https://www.bbc.com/news/technology-54204356 [accessed 2023-10-22] 13].

The media has a profound impact on the public’s understanding of issues, and extensive research in this area has revealed how media coverage influences people’s learning, knowledge, and perceptions about a particular topic [Scheufele DA, Tewksbury D. Framing, agenda setting, and priming: the evolution of three media effects models. J Commun. 2007;57(1):9-20. [FREE Full text] [CrossRef]14]. Media coverage can raise awareness about specific issues, providing explanations and “framing” to influence audiences’ understanding of the issues [Jamieson KH, Waldman P. The Press Effect: Politicians, Journalists, and the Stories that Shape the Political World. Oxford, UK. Oxford University Press; 2003. 15]. Framing is a technique that involves the use of media frames to invite audiences to view issues, actions, and events in one particular way over another, thus helping audiences to create their sense of reality [Entman RM. Framing: toward clarification of a fractured paradigm. J Commun. Dec 1993;43(4):51-58. [CrossRef]16]. Media frames, particularly news media frames, can directly impact public policy and sway public opinion [Andsager JL. How interest groups attempt to shape public opinion with competing news frames. Journal Mass Commun Q. Sep 2000;77(3):577-592. [CrossRef]17]. News media framing has been directed to the public regarding various issues and topics, such as autism, feminism, the COVID-19 pandemic, crises, and environmental issues, among others [Wendorf Muhamad J, Yang F. Framing autism: a content analysis of five major news frames in U.S.-based newspapers. J Health Commun. Mar 2017;22(3):190-197. [CrossRef] [Medline]18-Miller MM, Riechert BP. Interest group strategies and journalistic norms: news media framing of environmental issues. In: Environmental Risks and the Media. Milton Park, UK. Routledge; 2000. 22].

Ransomware attacks on health care providers have demonstrated that cybersecurity threats have the potential to be severe public health threats. These events have proven to be targeted operational disruptions compared to other types of cybersecurity events, such as data breaches [Gordon WJ, Fairhall A, Landman A. Threats to information security - public health implications. N Engl J Med. Aug 24, 2017;377(8):707-709. [CrossRef] [Medline]23,Chen PH, Bodak R, Gandhi NS. Ransomware recovery and imaging operations: lessons learned and planning considerations. J Digit Imaging. Jun 2021;34(3):731-740. [FREE Full text] [CrossRef] [Medline]24]. Operational disruptions occur predominantly through the unavailability of health informatics systems, including electronic health records (EHRs), practice management software, patient portals, electronic billing and scheduling systems, and electronic communications between health care professionals and patients, which are essential to carrying out daily practice operations and meeting standards of care [Pope J. Ransomware: minimizing the risks. Innov Clin Neurosci. Dec 01, 2016;13(11-12):37-40. [FREE Full text] [Medline]25]. In the Western context, almost all health care workflows are digital and rely on robust digital infrastructures [Suleski T, Ahmed M. A data taxonomy for adaptive multifactor authentication in the internet of health care things. J Med Internet Res. Aug 29, 2023;25:e44114. [FREE Full text] [CrossRef] [Medline]26]. A ransomware attack can, therefore, have significantly negative consequences for patients, including disruption of patient care, which may consequently threaten patient outcomes [Neprash HT, McGlave CC, Cross DA, Virnig BA, Puskarich MA, Huling JD, et al. Trends in ransomware attacks on US hospitals, clinics, and other health care delivery organizations, 2016-2021. JAMA Health Forum. Dec 02, 2022;3(12):e224873. [FREE Full text] [CrossRef] [Medline]27]. Despite these serious risks, little research has been conducted on the use of media framing and portrayals of the impacts of ransomware events on health care providers. Although media framing has been explored in various other health care contexts [Ogbodo JN, Onwe EC, Chukwu J, Nwasum CJ, Nwakpu ES, Nwankwo SU, et al. Communicating health crisis: a content analysis of global media framing of COVID-19. Health Promot Perspect. Jul 12, 2020;10(3):257-269. [FREE Full text] [CrossRef] [Medline]20,Gozzi N, Tizzani M, Starnini M, Ciulla F, Paolotti D, Panisson A, et al. Collective response to media coverage of the COVID-19 pandemic on Reddit and Wikipedia: mixed-methods analysis. J Med Internet Res. Oct 12, 2020;22(10):e21597. [FREE Full text] [CrossRef] [Medline]28-Pahayahay A, Khalili-Mahani N. What media helps, what media hurts: a mixed methods survey study of coping with COVID-19 using the media repertoire framework and the appraisal theory of stress. J Med Internet Res. Aug 06, 2020;22(8):e20186. [FREE Full text] [CrossRef] [Medline]32] it is essential to understand the impacts of news media framing and portrayals of these events on health care practitioners, patients, and health informatics for 3 important reasons.

First, despite the plethora of industry association reports and white papers with sources of information on ransomware available to health care providers, information about the current news media landscape regarding this issue could provide health care providers with a better understanding of how to manage the publicity of these events. For instance, news stories report on how health care providers manage their health care informatics systems and how they handle cybersecurity attacks. In addition, news stories of ransomware attacks on health care providers can inform leadership on how to develop more robust operational continuity plans, as media framing used in crisis communication can provide managers with insight into how to establish appropriate crisis response strategies [Coombs WT. Choosing the right words: the development of guidelines for the selection of the “appropriate” crisis-response strategies. Manag Commun Q. May 1995;8(4):447-476. [CrossRef]33]. By understanding the role of news media on public perception through understanding media framing in the context of ransomware attacks on health care providers, crisis managers can strategize how to use publicity to minimize damage to the organization’s reputation following such an attack [Coombs WT. Protecting organization reputations during a crisis: the development and application of situational crisis communication theory. Corp Reput Rev. Sep 14, 2007;10:163-176. [CrossRef]34]. In the context of health care, news media can be used to provide reinforcements that help to maintain patient trust. In addition, news media reports describe events in laypeople’s terms, which can improve the public’s understanding of issues related to health informatics systems. In the 2019 Alabama ransomware case mentioned previously, the mother asserted in her lawsuit against the health care providers that had she been informed about the ransomware attack and the subsequent disruption of the health informatics systems, she would have opted for an alternative provider for her daughter’s birth [McGrath K. Mobile mother suing Springhill Medical Center over newborn's death, blames cyberattack. NBC 15 News. Oct 02, 2021. URL: https:/​/mynbc15.​com/​news/​local/​mobile-mother-suing-springhill-medical-center-over-newborns-death-blames-cyberattack [accessed 2023-10-22] 10], which ostensibly would have led to a different outcome.

Second, research on news media portrayal of ransomware attacks on health informatics systems is vital for frontline health care practitioners, as those practitioners who are not formal members of leadership might not be privy to information about the organization as it may be shared on a need-to-know basis, with these practitioners having to rely on news stories for information. In addition, health care providers located in close proximity to another health care provider impacted by a ransomware attack could experience impacts from that event. One study that reported increased patient traffic at a hospital due to diversions from a hospital that experienced a ransomware attack [Neprash HT, McGlave CC, Cross DA, Virnig BA, Puskarich MA, Huling JD, et al. Trends in ransomware attacks on US hospitals, clinics, and other health care delivery organizations, 2016-2021. JAMA Health Forum. Dec 02, 2022;3(12):e224873. [FREE Full text] [CrossRef] [Medline]27]. News stories provide health care providers with information about the extent of a nearby ransomware event, which can help them to prepare. Understanding how news stories of ransomware attacks on health care providers may be portrayed and framed by media organizations can provide practitioners within and outside the affected organization with additional insights into how to use this source of information.

Third, warfare has transitioned from the battleground into attacks on the information technology and systems of critical infrastructure organizations, such as health care providers. These types of organizations are vulnerable to nation-state and domestic attacks, with the intent being loss of life and personal harm rather than monetary outcomes. In addition to managing the direct impacts of the ransomware attack, organizations may need to manage coordinated and uncoordinated disinformation campaigns related to the event. Managing disinformation campaigns is critical, as social norms, values, organizational pressures, constraints, interest groups, stakeholders, journalist routines, ideological or political leanings, and media organizations could impact how media is framed [Scheufele DA, Tewksbury D. Framing, agenda setting, and priming: the evolution of three media effects models. J Commun. 2007;57(1):9-20. [FREE Full text] [CrossRef]14]. Importantly, disseminating misinformation and disinformation presents a significant global public health challenge [Czerniak K, Pillai R, Parmar A, Ramnath K, Krocker J, Myneni S. A scoping review of digital health interventions for combating COVID-19 misinformation and disinformation. J Am Med Inform Assoc. Mar 16, 2023;30(4):752-760. [FREE Full text] [CrossRef] [Medline]35,Chou WY, Oh A, Klein WM. Addressing health-related misinformation on social media. JAMA. Dec 18, 2018;320(23):2417-2418. [CrossRef] [Medline]36]. News media are typically viewed as a source of reliable information; however, when combined with social media, the information they disseminate may lead to unforeseen consequences on public health, patient care, and frontline practitioners. Hence, there is an urgent need to understand the use of news media framing in portrayals of ransomware attacks on health care providers during the social media era, which has compromised the public’s perceptions of the news media as an original, trustworthy source.

Objectives

In this review, we explore these knowledge gaps by evaluating media frames and their portrayals of the impacts of ransomware and denial of service attacks on health care providers through a search of top news media sources from around the world. Our research goals were as follows:

• To reveal patterns in news media framing of ransomware attacks on health care information systems
• To understand how news media portrays the impacts of health care information system ransomware attacks on patient care and health care providers
• To gain insights on media portrayals of the cybersecurity management aspects of ransomware attacks on health informatics systems

The aim of this study was to understand how news media frames and portrays the impacts of ransomware attacks on health information systems, employees, and patients.

Methods

Search Strategy

Our search strategy was guided in part by the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) 2020 [Page MJ, McKenzie JE, Bossuyt PM, Boutron I, Hoffmann TC, Mulrow CD, et al. The PRISMA 2020 statement: an updated guideline for reporting systematic reviews. Syst Rev. Mar 29, 2021;10(1):89. [FREE Full text] [CrossRef] [Medline]37] guidelines, which is predominately used for the systematic review of research studies and was adopted as a guide for our systematic search of news databases. It is important to clarify that our unit of analysis is news articles, not research studies, so some parts of the protocols may not be applicable. Multimedia Appendices 1 and Argyridou E, Nifakos S, Laoudias C, Panda S, Panaousis E, Chandramouli K, et al. Cyber hygiene methodology for raising cybersecurity and data privacy awareness in health care organizations: concept study. J Med Internet Res. Jul 27, 2023;25:e41294. [FREE Full text] [CrossRef] [Medline]2 contain the research protocols for PRISMA-S: an extension to the PRISMA statement for reporting literature searches in systematic reviews and standards for reporting qualitative research.

On September 15, 2023 we conducted a comprehensive literature search of 3 news databases, from their inception until the date of the search: Access World News, also referred to as NewsBank; Newspaper Source; and the Associated Press Newswire. September 15, 2023 was used as the cut-off date for identified records. Access World News collates news articles from over 3500 sources worldwide, including transcripts from television news stories [Newsbank homepage. NewsBank. URL: https://www.newsbank.com/about-newsbank [accessed 2024-08-06] 38]. Newspaper Source provides cover-to-cover full text for hundreds of US, international, and regional newspapers, television, and radio news transcripts from major networks [Newspaper source. EBSCO Information Services. URL: https://www.ebsco.com/products/research-databases/newspaper-source [accessed 2024-08-06] 39]. Some subscriptions of Newspaper Source may include the Associated Press Newswire database. The Associated Press Newswire is a full-text database that contains harvested news from the Associated Press, and when the user clicks a link to a news story, they are sent to the original article [What is the Newswire? EBSCO Industries. URL: https://connect.ebsco.com/s/article/What-is-the-Newswire?language=en_US [accessed 2024-08-06] 40]. We used the following search string to ensure an exhaustive and broad but relevant return of records: “(hospital OR healthcare OR clinic OR medical) AND (ransomware OR denial of service OR cybersecurity).” To ensure that only the most relevant results were returned, we searched all the text within articles obtained from Newswire and Newspaper Source and searched only the lead or first paragraph of articles obtained from Access World News. An English language filter was applied to all database searches. The default settings were used for all other database settings, including the Year filter, and no additional search filters or constraints were applied. We used the term “news articles” to refer to all news media, including radio and television news transcripts, if they were stored in an article format and in the news databases. Duplicate records were removed manually and by Covidence (Veritas Health Innovation Ltd) systematic review software.

Inclusion and Exclusion Criteria

Inclusion criteria were developed before our database search. Specific inclusion criteria included (1) articles in the English language; (2) articles with full text available; (3) articles containing a health care provider context, noted as articles related to a hospital, doctors, nursing staff, clinics, nursing homes, medical practitioners, nutritionists, and dieticians; and (4) ransomware or denial of service attack. To eliminate irrelevant articles, the specific exclusion criteria were (1) articles unrelated to a specific health care provider or unrelated to a ransomware or denial of service attack, (2) articles that primarily focused on the promotion or advertisement of a product or consulting service, (3) articles unrelated to a specific ransomware or denial of service attack, or (4) articles with only broad discussions of health care and ransomware or denial of service attacks. Examples of excluded articles are ones that included discussions on pure data breach events or medical device vulnerabilities. First, 2 of the authors, AA and BW, independently screened titles and abstracts of all news articles for eligibility in duplicate. Next, the full text of the remaining news articles was examined to determine if the articles met the inclusion criteria. Next, articles that were not relevant based on the exclusion criteria were excluded. Any disagreements between AA and BW were discussed until they were resolved.

Data Extraction and Coding

Data extraction and coding of news articles was performed between September 16, 2023 and January 21, 2024. First, we extracted the news media characteristics from each article to include the (1) focal health care provider organization, (2) country, (3) year, (4) attack type, and (5) perspective. Detailed characteristics extracted from each news story are present in

Multimedia Appendix 3

Detailed extracted characteristics for each news story.

In addition, we used a collaborative qualitative analysis (CQA) method as outlined in the study by Richards and Hemphill [Richards KA, Hemphill MA. A practical guide to collaborative qualitative data analysis. J Teach Phys Educ. 2018;37(2):225-231. [CrossRef]43], which was used for both inductive and deductive qualitative research. The benefits of CQA include the integration of perspectives to increase trustworthiness and the counteraction of individual bias by multiple researchers. In total, 4 authors participated in the CQA, including AA, BW, IA, and DG. EWB assisted with the interpretation of the results. The authors of this study are from diverse backgrounds, and each offer a unique perspective to the research study, which is why we applied CQA. The research team included a laboratory scientist (BW); an emergency room physician who is also a full-time computer science master’s student specializing in artificial intelligence and cybersecurity (IA); an information systems researcher holding CompTIA Security+ and Certified Information Systems Security Professional Certification (AA); a seasoned former systems engineer turned information systems doctoral student (DG); and an expert on the adoption, safety, effectiveness, and design of medical mobile app tools, such as clinical decision support systems and patient self-care systems, working at the intersection of health care and cybersecurity (EWB).

AA, BW, IA, and DG were involved in the CQA process and followed the recommendations to (1) perform a 6-phase qualitative analysis process, (2) develop rapport among researchers before the start of the analysis, (3) reinforce that all researchers made a valuable contribution and their perspectives are valued, and (4) provide a constant comparison of newly coded data with previously coded data to modify generative themes in light of challenging or contradictory data.

Specifically for our inductive approach, 2 authors, AA and BW, extracted the impacts from each of the 48 articles after extracting the news article characteristics, cross-checking their extractions for completeness, and frequently debriefing the information. The extraction focused on ensuring a complete description of the impacts. Next, a third author, IA, cross-checked the extraction of impacts against the articles to derive coherent notes. The initial 2 authors, AA and BW, then conducted a final review of the impact notes from IA. Notes related to the extraction of impacts are located in

Multimedia Appendix 4

Notes related to the extraction of impacts.

Next, AA, BW, IA, and DG used a deductive approach to code the news articles for media frames according to the media framing categories developed by Semetko and Valkenburg [Semetko HA, Valkenburg PM. Framing European politics: a content analysis of press and television news. J Commun. Jun 2000;50(2):93-109. [CrossRef]44], which included “conflict,” “human interest,” “economic consequences,” “morality,” and “responsibility” frames. To begin the deductive coding process, AA, BW, IA, and DG selected a random sample of 5 articles that they independently coded. AA, BW, IA, and DG then debriefed and resolved any disagreement before each researcher independently coded the remaining articles in duplicate. AA, BW, IA, and DG used an iterative process of debriefing and resolving conflicting frames based on the coding dictionary depicted in Table 1, until a consensus was reached [Richards KA, Hemphill MA. A practical guide to collaborative qualitative data analysis. J Teach Phys Educ. 2018;37(2):225-231. [CrossRef]43]. AA, BW, IA, and DG each documented their rationale for assigning one or more media frames to an article. AA, BW, IA, and DG combined and summarized notes (frame code summary notes) from the coding process and the subsequent discussions to facilitate this. Then, AA, BW, IA, and DG documented the initial frame code summary notes for each article. Next, AA, BW, IA, and DG ensured the completeness and accuracy of the frame code summaries, cross-checking with each other as necessary. The final media frames assigned to each article are presented in

Multimedia Appendix 5

The final media frames assigned to each article.

The National Institute of Standards and Technologies (NIST) Cybersecurity Framework (CSF) 2.0 is intended for organizations of all sizes and industries, regardless of cybersecurity or technical maturity levels. It is noted that the NIST CSF 2.0 should be used alongside a broader enterprise or organizational risk management program. The NIST CSF 2.0 is intended to be widely understood by a wide range of stakeholders, regardless of their cybersecurity background. The NIST CSF 2.0 has 6 core functions: govern, identify, protect, detect, respond, and recover. Govern is at the center of the framework, as it details how the other core functions should be implemented. Referencing the NIST CSF 2.0 [The NIST cybersecurity framework (CSF) 2.0. National Institute of Standards and Technology. Feb 26, 2024. URL: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf [accessed 2024-08-06] 45], the authors AA, BW, and DG extracted details about the core cybersecurity functions of governance, identify, protect, detect, respond, and recover from each of the 48 articles, cross-checking their extractions for completeness, and frequently debriefing.

Ethical Considerations

No human participants were involved in this study. All extracted data are anonymous or deidentified. All the study data involved are publicly available and published news articles are present in accessible library databases.

Results

Extracted News Media Characteristics

In total, 2195 news articles were returned from our keyword search. Of the 2195 articles returned, 48 news articles were included in our final analysis. The PRISMA diagram is provided in Figure 1. The primary news media characteristics are shown in Table 2; additional characteristics of interest are provided in

Multimedia Appendix 3

Detailed extracted characteristics for each news story.

‎

Media Portrayals of Impacts

Full articles are located in

Multimedia Appendix 6

News articles with article ID merged in one file.

Secondary impacts stemming from the unavailability of one or more components of a health care provider’s information technology infrastructure include the inability to access patient records or send messages, the inability to accept patients, the need for patient diversion, and, in one case, the permanent shutdown of an entire medical practice (see article ID #16 in

Multimedia Appendix 6

News articles with article ID merged in one file.

Tertiary impacts from ransomware attacks on health care entities include delays and denial of patient care; financial consequences for the organization, patients, and, in some cases, employees; and the potential for an increase in errors. Other more intangible impacts include strain on hospital staff and employees. Figure 2 depicts the cascading impacts from ransomware attacks on health care entities.

‎

Media Frames

Table 3 presents the results of our analysis of media frames. Discussions among the coders allowed us to address reliability and validity concerns. Although news articles could be tagged with >1 media frame code, only about 11 of 48 (23%) news articles were annotated with more than one media frame. The most representative media frames were the human interest and responsibility frames, which were equally represented in the corpus of news articles. News articles with the human interest media frame focused prominently on specific impacts on patient care, which included poignant descriptions. Most of the articles with the responsibility frame focused on swift actions that health care providers took immediately after an event. The remaining media framing around responsibility centered on government action or the attribution of the ransomware attack to a specific perpetrator.

Media Portrayals Based on NIST CSF 2.0

Table 4 depicts the media portrayals of ransomware management phases for health care informatic systems and the percentage of articles corresponding to each NIST CSF 2.0 core function.

We found that approximately 36 out of 48 (75%) news articles discussed the organization’s response or lack thereof to the unavailability of health informatics systems during a ransomware attack. In addition to official statements regarding the ransomware events, details on organizational response were also provided directly from employees and patients who had direct contact with news media organizations. In addition, we found that almost 19 out of 48 (40%) news articles discussed health informatics continuity with descriptions of resorting to pen and paper, manual processes, and diversion to other health care providers when the health informatics system was unavailable.

Multimedia Appendix 7

Media portrayals of health care informatics systems based on National Institute of Standards and Technologies (NIST) Cybersecurity Framework (CSF) 2.0. Core functions contain a detailed article ID coding crosswalk for each NIST CSF 2.0 core function.

Discussion

Principal Findings

This study involved a systematic review of news articles to examine media frames and portrayals of the impacts of ransomware events on health care providers. Our findings provide insights into how to manage the health care informatics artifact, employees, and patients during a ransomware event. The 5 principal findings from this study were centered on news media characteristics, year-to-year patterns, points of failure, cascading impacts, and media frame predominance, findings that could shed light on important implications for the management of health services, including improving the quality, guiding governance, or providing insight into cybersecurity policymaking in health information technology.

First, our analysis of the geographic prevalence showed that 34 of 48 (71%) news articles from the United States, followed to a lesser extent by India with 4 (8%) news articles, and 3 (6%) news articles from Canada, featured prominently in our sample. While data on geographic significance are important, our finding was likely the result of constraining the search to English language articles; however, it is possible for the same article to be written in another language. It is also important to note that the size and economic impact of the US health care sector are also potential factors that contributed to this finding. Further research is needed to determine if this pattern holds true in a search that expands beyond English-language articles, which could lead to insights into the global significance of ransomware attacks on health care information systems. As emerging economies digitize their health care systems, it will be important to understand the role of news media if and when adverse events occur and how the use of media frames impacts local perceptions of patient care in different locations around the world.

Second, there are no apparent year-to-year patterns regarding news articles about ransomware events on health care providers. In other words, our sample showed no upward or downward pattern in media coverage of ransomware attacks on health care providers. However, there were 2 spikes in the year-to-year patterns. The first spike occurred between 2016 and 2017, which could be explained by the Hollywood Presbyterian and the Heritage Valley Health system attacks (see

Multimedia Appendix 6

News articles with article ID merged in one file.

Third, during our analysis, we found that health informatics system failures were caused by a single point of failure, which led to other cascading failures that were linked to adverse patient outcomes. Initially, the secondary and tertiary impacts stemming from a single ransomware event included impacts on patient care, errors, and strain on employees, among others. Figure 3 presents an exemplary depiction of a ransomware attack’s pathway of impact on a health care provider. It is important to note that strain on staff does not always lead to adverse patient outcomes. It is possible for the staff to absorb any potential shocks to patients.

Legally, health care organizations are to take immediate action and provide transparent communication on ransomware attacks in their aftermath [Summary of the HIPAA privacy rule. U.S. Department of Health and Human Services. URL: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html [accessed 2024-08-06] 49]. However, there is some variance in the mandatory reporting of ransomware attacks as required by the Office of Civil Rights under the Health Information Technology for Economic and Clinical Health Act, for which designated privacy officers must disclose these types of attacks. Walden et al [Walden A, Cortelyou-Ward K, Gabriel MH, Noblin A. To report or not to report health care data breaches. Am J Manag Care. Dec 01, 2020;26(12):e395-e402. [FREE Full text] [CrossRef] [Medline]50] provide an in-depth discussion of this phenomenon. Organizations are not required to report attacks classified under the Health Information Technology for Economic and Clinical Health guidelines at low exposure of personal health information (PHI). In addition, there may be uncertainty about the reporting duty when ransomware encrypts PHI data rather than removing it during the attack. Furthermore, current reporting requirements lack any enforcement mechanism or penalty for noncompliance, which has led to estimates that up to 20% of ransomware attacks go underreported [Gozzi N, Tizzani M, Starnini M, Ciulla F, Paolotti D, Panisson A, et al. Collective response to media coverage of the COVID-19 pandemic on Reddit and Wikipedia: mixed-methods analysis. J Med Internet Res. Oct 12, 2020;22(10):e21597. [FREE Full text] [CrossRef] [Medline]28]. When these attacks are reported, the current reporting requirements specify only a very limited amount of information, which ultimately affects the objective data that media organizations can use to report ransomware attacks [Gozzi N, Tizzani M, Starnini M, Ciulla F, Paolotti D, Panisson A, et al. Collective response to media coverage of the COVID-19 pandemic on Reddit and Wikipedia: mixed-methods analysis. J Med Internet Res. Oct 12, 2020;22(10):e21597. [FREE Full text] [CrossRef] [Medline]28]. This potential lack of transparency on the part of the health care service providers becomes a liability when affected individuals are looking for information on how an attack that has exposed their PHI impacts them, often turning to the media for more guidance and information.

‎

As mentioned previously, the type of initial point of failure in a health informatics system significantly varied among the news articles. However, this may have been caused by different terms used to describe the same type of event, which raises the question of whether standardization in vocabulary is needed for media reporting of these kinds of events. With a standardized vocabulary, organizations can accurately describe the ransomware or denial of service attack. In one study, researchers noted that hospitals had significantly lower cybersecurity ratings than Fortune 500 companies and were statistically vulnerable to botnets, spam, and malware, highlighting the need for further research on the types of attacks health care systems experience and whether those events have been accurately described using the correct terminology [Choi SJ, Johnson ME. The relationship between cybersecurity ratings and the risk of hospital data breaches. J Am Med Inform Assoc. Sep 18, 2021;28(10):2085-2092. [FREE Full text] [CrossRef] [Medline]51]. Future research is needed to elucidate the potential benefits of using a standardized vocabulary.

Fourth, we found the human interest and responsibility media frames were equally predominant at each representing approximately 15 of 48 (31%) news articles. In addition, almost 11 of the 48 (23%) news articles had co-occurring media frames, with human interest and responsibility commonly occurring together, followed by the co-occurrence of human interest and economic consequences. When considering the challenges of developing adequate cyber defense strategies against ransomware attacks to be a sociotechnical problem, one that involves people, organizations, and technology, the social component of cyber defense will incorporate aspects of human interest and responsibility rather than just addressing the technical sophistication of security when communicating about the impacts of ransomware attacks. This aligns with the fact that 36 out of 48 (75%) news articles focused on the organization’s response to the ransomware event, and almost 19 out of 48 (40%) news articles focused on recovery in the context of the unavailability of the health care informatics artifact. By knowing the media frames that are commonly used in media coverage of ransomware attacks, health care providers can strategically address these areas of common interest and influence media publicity to their advantage.

The prevalence of responsibility media frames indicates that perceptions of continuity of service during a ransomware attack are important to manage, so further research is needed to understand the measures health care providers can take to address concerns about responsibility. For example, health care providers can demonstrate their organizational cyber resilience—the ability to return to full operational capacity after an unplanned outage—by communicating that the organization is taking responsibility for the patient experience and offer reassurance to patients and health care practitioners that their experiences have been heard and acknowledged. Organizational cyber resilience (business continuity or disaster recovery) is achieved through strong cybersecurity attack prevention, detection, and recovery measures [Tsen E, Ko RK, Slapnicar S. An exploratory study of organizational cyber resilience, its precursors and outcomes. J Organ Comput Electron Commer. 2022;32(2):153-174. [CrossRef]52]. As part of an organization’s disaster recovery or business continuity planning, health care organizations with strong, effective governance structures in place developed an incident response plan, which typically will include a communications or media strategy for cybersecurity attacks. For a health care provider, this will also include specific response strategies for managing impacts of a cybersecurity attack on their health care informatics systems technology. Knowing the prevalence of media frames in news publicity after a cybersecurity attack and the importance of clear and accessible communication could facilitate effective crisis management [Netten N, van Someren M. Improving communication in crisis management by evaluating the relevance of messages. J Contingencies Crisis Manag. Apr 07, 2011;19(2):75-85. [CrossRef]53,Palttala P, Vos M. Quality indicators for crisis communication to support emergency management by public authorities. J Contingencies Crisis Manag. Oct 24, 2011;20(1):39-51. [CrossRef]54]; therefore, incorporating strategies for harnessing news media as a communications tool for crisis management could become an integral part of a health care provider’s incident response planning process. These contingency plans for responding to a cyberattack of a health care system should include communications that proactively address issues that are of priority concern for most people, which our findings indicate are the impacts to human components—the patients, the providers, staff, and the organization itself. Further studies are needed to validate these findings and measure the efficacy of influencing the use of media frames to reassure the public about the organization’s response to the human interest impacts of ransomware attacks on health care information systems.

Fifth, we found during our data screening process that approximately 14% (17/48) of full-length articles assessed for eligibility and excluded from this study appeared to promote a product or consulting service or spoke hypothetically about ransomware events among health care providers, specifically to events that had not yet occurred, in a phenomenon known as cyber doom [Lawson S. Beyond cyber-doom: assessing the limits of hypothetical scenarios in the framing of cyber-threats. J Inf Technol Politics. 2013;10(1):86-103. [CrossRef]55]. This pattern is concerning and warrants further investigation to understand the implications of irresponsible news media coverage and its implications on public health and health care provider perceptions. Health care organizations may need to implement a concerted effort to reduce cyberdoom news articles that could potentially lead to misinformation regarding health care service providers.

Limitations

This paper has several limitations pertaining to our interpretation of the results that can guide future research. First, the article selection process may have been influenced by selection bias due to multiple news articles referring to the same incident, as well as the inability to include any relevant news articles that were not stored in the academic news databases or were not returned using the systematic article search and filtering process. Only news articles that strictly followed the PRISMA processes were included in the analysis. Another latent source of potential bias is that many ransomware attacks may have gone unreported, such as in cases where the health care provider discreetly pays the ransom rather than risk adverse publicity or lawsuits surrounding adverse patient outcomes. In other words, the smaller sample we evaluated may represent only the tip of the iceberg. Therefore, further studies are needed to address these potential biases, such as conducting anonymous surveys to elucidate information gaps related to unreported events of ransomware attacks.

Second, our research design depended on the number of news article stories rather than the number of incidences of ransomware attacks. Although there may have been multiple articles reporting on the same incident, different journalists may have focused on different media framings and NIST security functions. Our framework accounted for the fact that the public may not see every article published on a specific story; on the other hand, the public may search for additional information from varied sources. In both scenarios, how an incident is reported may reflect different media framing and portrayals used for the same incident, which is the broader intent of our research study.

Third, insights into ransomware attacks should be interpreted with caution. Journalists and news outlets may not correctly use the correct or standardized vocabulary terms; for example, they may confuse a ransomware attack mechanism (eg, Trojan) with an intention (eg, ransom). Some of our characterizations that is, impacts and portrayals, are limited by the information available in each article, which may have obscured the accuracy of the terms used. We did not search for specific details, such as attack mechanisms, as general terms used for news reporting are usually vague and inconclusive. We attempted to be as consistent as possible given the source material but also careful not to mischaracterize what was reported based on our subjective understanding to reduce the risk of inferring information that was not reported. More studies are needed because of the subjective element in interpreting news media reports, especially as more articles on ransomware attacks become available.

Future Research

Health care providers should consider novel strategies to reduce connections in the impacts pathway. Many health care providers continue to be caught off guard by ransomware attacks on their health care informatics systems. In developing contingency plans, considerations should be made for perception management of the impacts of these events on patient care and employee and staff well-being. This is particularly important for health care organizations that are already experiencing other problems such as burnout or understaffing [West CP, Dyrbye LN, Erwin PJ, Shanafelt TD. Interventions to prevent and reduce physician burnout: a systematic review and meta-analysis. The Lancet. Nov 05, 2016;388(10057):2272-2281. [CrossRef]56], where other IT stressors [Golz C, Peter KA, Müller TJ, Mutschler J, Zwakhalen SM, Hahn S. Technostress and digital competence among health professionals in Swiss psychiatric hospitals: cross-sectional study. JMIR Ment Health. Nov 04, 2021;8(11):e31408. [FREE Full text] [CrossRef] [Medline]57,Bahr TJ, Ginsburg S, Wright JG, Shachak A. Technostress as source of physician burnout: an exploration of the associations between technology usage and physician burnout. Int J Med Inform. Sep 2023;177:105147. [CrossRef] [Medline]58] in addition to ransomware and denial of service attacks could be the tipping point in work satisfaction and retention measures. In one study, Zhao et al [Zhao JY, Kessler EG, Yu J, Jalal K, Cooper CA, Brewer JJ, et al. Impact of trauma hospital ransomware attack on surgical residency training. J Surg Res. Dec 2018;232:389-397. [CrossRef] [Medline]59] conducted a survey of staff impacts from ransomware attacks on a trauma center by focusing on surgical residents whose adverse outcomes lasted for 2 months. The study found that resident physicians providing trauma patient care experienced significant stress, and resident physicians who were competent in digital processes had a difficult time adapting to manual processes, which caused attending surgeons to put forth additional effort to become effective teachers under those unusual circumstances. Such risk factors impact the adoption of new IT systems, as one study found that ransomware was a key security factor deterring IT adoption among doctors and nurses, because clinicians have experienced the interference of ransomware attacks in their daily work processes and their ability to provide quality patient care [Zhan Y, Ahmad SF, Irshad M, Al-Razgan M, Awwad EM, Ali YA, et al. Investigating the role of cybersecurity's perceived threats in the adoption of health information systems. Heliyon. Dec 03, 2023;10(1):e22947. [FREE Full text] [CrossRef] [Medline]60].

In addition, there is growing evidence from clinical practice and research that ransomware attacks impact patient morbidity and mortality. Ghafur et al [Ghafur S, Kristensen S, Honeyford K, Martin G, Darzi A, Aylin P. A retrospective impact analysis of the WannaCry cyberattack on the NHS. NPJ Digit Med. Oct 02, 2019;2:98. [FREE Full text] [CrossRef] [Medline]61] analyzed the negative outcomes of the National Health Service in Great Britain after the 2017 WannaCry ransomware attack. They found that although there were no statistically significant differences in mortality rates compared to the baseline, there was an economic impact of £5.9 million (US $7.7 million). They noted that more research is needed to analyze the adverse outcomes of ransomware attacks on patient care delivery and safety. However, Choi and Johnson [Choi SJ, Johnson ME. Do hospital data breaches reduce patient care quality? arXiv. Preprint posted online on April 3, 2019. 2025. [FREE Full text] [CrossRef]62], who conducted a statistical analysis of hospital data breaches (not including the impacts of denial of service or ransomware attacks), found that even data breaches with seemingly no connection to patient care were associated with a statistically significant difference in mortality when using a 30-day mortality rate measure. Furthermore, the authors found that the financial costs of mitigating a breach event may negatively impact patient care due to the diversion of resources. Dameff et al [Dameff C, Tully J, Chan TC, Castillo EM, Savage S, Maysent P, et al. Ransomware attack associated with disruptions at adjacent emergency departments in the US. JAMA Netw Open. May 01, 2023;6(5):e2312270. [FREE Full text] [CrossRef] [Medline]63] studied 2 urban emergency departments and showed that the impact of significant operational disruption in the wake of a ransomware attack at one hospital resulted in increases in the patient census, number of patients who left without being seen, and the total length of stay, among other metrics at nontargeted hospitals regionally. The existing reports of serious impacts to patient quality of care and overall survival indicate there is an urgent need to minimize the negative impacts of ransomware attacks on patient outcomes. Further studies are needed to uncover innovative strategies for responding more effectively to ransomware attacks, such as the possibility of considering an isolated ransomware attack of one health care facility’s information system to be a regional disaster, which could trigger a coordinated response among neighboring facilities. Understanding how news media can be used to support crisis management during ransomware attacks on health care information systems could lead to coordinated efforts and community support rather than lawsuits and backlash, which in turn could lead to better outcomes for patients who are impacted by these events.

Conclusions

Using a CQA, the aim of this study was to elucidate the function of news media frames and portrayals of the impacts of ransomware attacks on health informatic systems, employees, and patients in the context of the NIST CST 2.0 framework. We found that the core function of organizational response was significantly represented in news media portrayals of ransomware attacks. We identified indicators suggesting that health care providers should manage perceptions of ransomware attacks to ensure (1) a perception of continuity of health care service despite the unavailability of health informatics, (2) a perception of taking responsibility for the patient experience, and (3) acknowledgment of strain on health care practitioners and patients through a public declaration of support and gratitude. However, future studies are needed to guide the implementation and validate the efficacy of these potential strategies. We discovered from the media portrayals that there was a pattern in cascading impacts from a single point of failure, which indicates that cybersecurity management should address single points of failure to reduce cascading impacts, although future studies are needed to verify this finding.