Despite growing awareness and widespread acknowledgment of the impact of cyber threats facing the healthcare industry, many within it are still struggling to keep them at bay.
Recent years have seen providers and other healthcare institutions at the mercy of nation-state hackers and opportunistic cyber criminals. As well as hammering bottom lines, such attacks have eroded trust and, at times, put lives at risk.
The third annual Ponemon Institute Report, commissioned by Proofpoint, found that 92% of US healthcare organizations surveyed experienced at least one cyber attack in the past 12 months, with almost 70% reporting disruption to patient care due to cyber attacks. Among the organizations that suffered the four most common types of attacks (cloud compromise, ransomware, supply chain, and business email compromise (BEC)):
- 56% reported poor patient outcomes due to delays in procedures and tests
- 53% saw an increase in medical procedure complications
- 28% say patient mortality rates increased
Unfortunately, this year’s report confirms an inconvenient truth for the healthcare sector: awareness does not always translate into preparedness.
It’s clearer than ever: cyber risk is patient risk…
While any attack that impedes a healthcare provider’s ability to deliver care is clearly harmful to patients, several threats stand out as causing the most disruption.
Supply chain attacks lead the way. Among the 648 information technology and security practitioners surveyed, 68% of respondents said their organizations had experienced an attack against their supply chains in the past two years. A concerning 82% said it disrupted patient care, an increase from 77% in 2023.
Meanwhile, BEC is most likely to result in poor patient outcomes due to delayed procedures, closely followed by ransomware. The latter is also most likely to lead to longer stays in healthcare centers as well as an increase in patients diverted to other facilities.
Despite the severe impact of ransomware on healthcare institutions, just over half (54%) believe they are vulnerable or highly vulnerable to ransomware attacks, down from 64% last year.
While this confidence may be due, in part, to a decline in the number of organizations paying ransoms, security teams should take note that payment values are on the up. In 2024, the average ransom payment was $1,099,200 compared to $995,450 the previous year.
Another difficult consideration for the healthcare industry is that its people, whether intentionally or not, are putting patients at risk. Some 92% of organizations suffered a data loss incident at least twice in the past two years. Around half impacted patient care, and of those, 50% experienced increased mortality rates and 37% saw poorer outcomes due to delays to procedures or tests.
On average, surveyed organizations experienced 20 data loss and exfiltration incidents in the past two years with employees as the root cause. Not following security policies (31%), accidental data loss (26%) and staff sending sensitive information to unintended recipients (21%) were the top three culprits.
…so cyber safety is patient safety
It may once have been dismissed or diminished as hyperbole. But the stats speak for themselves – the behavior of your people can put your patients at risk. The upside, however, is that good security habits go a long way to keeping them safe.
Even simple behaviors like setting strong passwords, adhering to device policies and avoiding malicious links and attachments can protect healthcare organizations, and those they care for, from significant disruption. Or worse.
Unfortunately, while increasing numbers of organizations say they are educating their staff on security risks, many programs are falling short. Over two-thirds (71%) say they take steps to address the risk of employees’ lack of awareness about cybersecurity threats (up from 65% in 2023), yet just 59% conduct regular training and awareness programs.
Many are turning to AI to improve security posture and supplement education and awareness initiatives. Over half (54%) have embedded it in cybersecurity, and 57% say it has been very effective in improving security posture. However, the latest tools and technology count for little without targeted, in-context and ongoing security training.
Ultimately, healthcare staff at every level must understand the consequences of their actions. Even the most minor behaviors, such as an errant click or download, can leave organizations open to BEC, ransomware and insider attacks. The result is disruption to care and potentially devastating consequences for patients.
The more people care about security, the more efficiently they can deliver care for patients. And healthcare organizations must do everything in their power to equip every member of their staff with the tools, skills and education to tackle a task of such magnitude.
Learn more
Want to learn more about this year’s findings? Download the Ponemon Institute report, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2024.