Third Annual Ponemon Institute Report: Nearly Seven in 10 Healthcare Organizations Experienced Disruption to Patient Care Due to Cyber Attacks
At an average cost of $1.47 million, disruption to normal healthcare operations because of system availability problems continues to be the most expensive consequence of a cyber attack
SUNNYVALE, Calif., Oct. 8, 2024 – Proofpoint, Inc., a leading cybersecurity and compliance company, and Ponemon Institute, a top IT security research organization, today released the results of their third annual survey on the effects of cybersecurity in healthcare. The report, “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2024,” finds that 92% of healthcare organizations surveyed experienced at least one cyber attack in the past 12 months, an increase from 88% in 2023, with 69% reporting disruption to patient care as a result.
Among the organizations that suffered the four most common types of attacks – cloud compromise, ransomware, supply chain, and business email compromise (BEC) – 56% reported poor patient outcomes due to delays in procedures and tests, 53% saw an increase in medical procedure complications, and 28% said patient mortality rates increased, a rise of five percentage points over last year. These findings indicate that healthcare organizations continue to struggle to mitigate the risks these attacks pose to patient safety and well-being.
The report, which surveyed 648 information technology and security practitioners in United States healthcare organizations, found that supply chain attacks are most likely to affect patient care. More than two-thirds (68%) of respondents said their organizations had an attack against their supply chains, of which 82% said it disrupted patient care, an increase from 77% in 2023. BEC leads the group of attacks most likely to result in poor outcomes due to delayed procedures and tests (69%), followed by ransomware (61%), which was also most likely to result in longer lengths of stay (58%) and increase in patients diverted or transferred to other facilities (52%).
“Our third annual report was conducted to determine if the healthcare industry is making progress in reducing human-centric cybersecurity risks and disruptions to patient care,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “For the third consecutive year, we found that the four types of analyzed attacks show a direct negative impact on patient safety and wellbeing. The good news, however, is the healthcare industry seems to increasingly recognize the importance cybersecurity plays in patient outcomes; on average, IT budgets have increased, and fewer IT practitioners indicate that budget is a challenge in keeping their organization’s cybersecurity posture from being fully effective.”
Other key findings of the report include:
- Ransomware payouts spike, even though concerns about it have declined: More than half (54%) of respondents believe their organizations are vulnerable or highly vulnerable to a ransomware attack, a decline from 64% in 2023. Organizations that had ransomware attacks (59% of respondents) experienced an average of four such attacks over the past two years. While fewer organizations paid the ransom (36% in 2024 vs. 40% in 2023), the ransom paid spiked 10% to an average of $1,099,200 compared to $995,450 in the previous year.
- Insecure mobile apps and cloud/account compromises are considered the greatest cyber threats to healthcare organizations: Concerns about insecure mobile apps (eHealth) have increased to become the top cybersecurity threat in healthcare, increasing from 51% in 2023 to 59% of respondents in 2024. Cloud/account compromise was the second biggest concern (55%), and text messaging was the most attacked collaboration tool (61%) followed by email (59%). Organizations are less worried about employee-owned mobile devices or BYOD.
- More progress needed to reduce insider risk: More than nine in ten organizations surveyed had at least two data loss or exfiltration incidents involving sensitive and confidential data within the past two years. 51% said a data loss or exfiltration incident impacted patient care; of those, 50% experienced increased mortality rates and 37% saw delays in procedures and tests that resulted in poor outcomes. Over the past two years, organizations experienced an average of 20 such incidents with employees as the primary root cause. The top three causes were employee negligence in not following policies (31%), accidental data loss (26%), and employees sending PII and PHI to an unintended recipient via email (21%).
- The lack of clear leadership is a growing problem and a threat to healthcare’s cybersecurity posture: While 55% of respondents say their organizations’ lack of in-house expertise is a primary deterrent to achieving a strong cybersecurity posture, the share citing a lack of clear leadership as a challenge increased significantly since 2023, from 14% to 49% of respondents. The share citing insufficient budget decreased from 47% to 40% of respondents in 2024.
- Traditional compliance-based security training programs are falling short: Negligent employees pose a significant risk to healthcare organizations. While more organizations (71% in 2024 vs. 65% of respondents in 2023) are taking steps to address the risk of employees’ lack of awareness about cybersecurity threats, are they effective in reducing the risks? Nearly three in five respondents (59%) indicate they conduct regular training and awareness programs.
- AI and machine learning in healthcare: For the first time, the impact AI is having on security and patient care was studied. More than half (54%) of respondents say their organizations have embedded AI in cybersecurity (28%) or embedded it in both cybersecurity and patient care (26%). 57% of these respondents say AI is very effective in improving organizations’ cybersecurity posture, and more than one-third (36%) use AI and machine learning to understand human behavior.
“An effective cybersecurity approach centered around stopping human-targeted attacks is crucial for healthcare institutions, not just to protect confidential patient data but also to maintain the highest quality of medical care,” said Ryan Witt, chair, Healthcare Customer Advisory Board at Proofpoint. “This report underlines that cyber safety is patient safety; protecting healthcare systems and medical data from cyber attacks is critical to ensuring continuity in patient care and avoiding disruption of critical services. And while security awareness is foundational, driving sustained behavior change through programs tailored to specific roles and responsibilities will help support both organizational and patient safety.”
To download “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2024,” please visit: https://www.proofpoint.com/us/resources/threat-reports/ponemon-healthcare-cybersecurity-report
For more information on Proofpoint’s healthcare solutions, please visit: https://www.proofpoint.com/healthcare
####
About Proofpoint, Inc.
Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 85% of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.