K. Lung: J Extra Corpor Technol 2026, 58, 3–18
are a vulnerable part of the cybersecurity system. Staff burnout, distraction, fatigue, and an excessive number of emails in an inbox can negatively impact a person’s ability to recognize phishing attempts [10, 33]. All of these are common features amongst health professionals. Things that increase a staff member’s ability to handle phishing attempts are time, education, personal experience, and repetition of testing [8, 10]. So while nurses, doctors, and perfusionists are in charge of patient care, cybersecurity is increasingly becoming a patient safety concern that these individuals are not equipped to deal with.
Why should perfusionists be concerned about cybersecurity?
The ramifications of a cyberattack on a hospital are varied. Depending on the type of attack (Tab. 1), different hospital systems may be affected. In the case of ransomware, a hospital’s data and daily functions are held hostage through encryption of the hospital’s data until a sum is paid to the attackers, usually in a cryptocurrency such as bitcoin. Ransomware is an increasingly common goal of cybercriminals and causes a denial of access to patient information and electronic charting. This may include the perfusion record and intraoperative documentation. Forced downtime like this compromises patient care through lack of access to critical information such as patient allergies, medications, and comorbidities [3]. Perfusionists and other operating room staff who do not regularly use paper charting may have a difficult time adapting on the fly, and the reconciliation of paper into electronic records after the attack is over can also be a significant burden. Incoming patients may be diverted away from impacted hospitals, causing delays in care, and canceled appointments can be difficult to reschedule [2].
One study by Choi et al found that there was an increase in the 30-day mortality rates of acute myocardial infarction (AMI) patients after hospital PHI is breached. Data breaches have been shown to effectively erase a year’s worth of improvements on AMI mortality rates at impacted hospitals [15]. The implementation of remediation can take two to four years to complete, meaning that the time until a hospital’s quality of cybersecurity improves can take that long as well. Meanwhile, the remediation process can involve training time with new systems, which slows the hospital’s workflow in the short term [15]. The faster a hospital needs to respond to a data breach, the more expensive it tends to be, and the longer the remediation process is, the more it costs as well [14]. It is not just the cost of a ransom payment, but also the loss of business during downtime, the postbreach response, the damage to the institution’s reputation that drives away the patient base, and the legal ramifications of compromising patient confidentiality [14].
Larger teaching hospitals are more likely to be subject to data breaches, which have been attributed to many reasons [10, 15]. There is more patient data to be gained by attackers, larger facilities with more equipment, more end users with access who may not have sufficient training or motivation to be secure, and more frequent staff turnover, particularly with residents and fellows cycling through the institution [15]. That does not mean that smaller hospitals are more secure, as there is the consideration of smaller IT teams and tighter budgets for system upgrades and new equipment in smaller hospitals.
Patient impact is also important. The effects of identity theft and credit card fraud committed with stolen data can be weathered by some individuals, but not all. Low-income or fixed-income homes are often disproportionately affected by data breaches. Similarly, vulnerable communities like children, people of color, or the elderly are also less able to recover from these costs [34]. For communities of color that already have a deep-rooted distrust in the healthcare system, fallout from a data breach can reinforce existing biases and reduce the use of lifesaving services. When children are affected, it can impact their future education by reducing eligibility for student loans or pushing them into predatory loans where there may be even more long-lasting financial consequences [34]. There are also legal or social consequences of health records leaking that could disproportionately affect women and marginalized individuals in certain regions of the United States.
Education and training of healthcare employees, including perfusionists, is necessary to improve cybersecurity across the board, but there is almost no consensus on how to do this effectively [8]. Employee engagement in training improves with material tailored to their proficiency levels and technical needs [5, 10]. Perfusionists should know common sources of cybersecurity risk in their field, such as legacy medical devices and phishing emails. Shared ownership of responsibility for cybersecurity helps maintain resilience in this constantly evolving field [5, 10].
Without employee buy-in, people will find workarounds for whatever is most cumbersome, bypassing security because they do not understand its necessity, and because ease of access is important in many healthcare situations [3, 6, 9]. To protect the integrity of both the hospital network and patient data, perfusionists need to know how to identify suspicious emails and have a clear understanding of their hospital’s data handling policy [4]. Perfusionists need to be empowered to view their space with an eye for digital security. In case their hospital was to become the target of a cyberattack, perfusionists should also be able to revert to paper documenting and be able to provide patient support without connected technology. They should also know that third-party vendors can be affected by cybercrimes and how that could impact a perfusion team’s day-to-day operations. Perfusionists in charge of purchasing should know what to look for in cyber-secure devices and be aware of what protections are legally required in devices. They should also know that there are ways to get involved with governmental cybersecurity policy and what training material is available for those interested.
It is easy in this day and age to look at the number of records reportedly already on the dark web or in the hands of foreign nations and jump straight to a pessimistic approach to data security, that it is already too little too late. But it is imperative to remember that this is a hidden, critical aspect of patient safety. Every new data breach is a new point of weakness in the digital health of our patients. While some individuals will have the time and resources to weather the consequences of identity theft or insurance fraud, there will always be those without those resources, for whom the fallout of a hospital data breach