Eighty-nine percent of healthcare organizations surveyed experienced a cyberattack in the past 12 months, and those organizations suffered an average of 43 attacks in that period, almost one attack per week, according to a new report by cybersecurity firm Proofpoint and the Ponemon Institute.
The most common consequences of attacks are delayed procedures and tests, resulting in poor patient outcomes for 57% of respondent healthcare providers and increased complications from medical procedures for nearly half, according to the report Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care.
Most common cyberattacks in healthcare
More than 20% of responding organizations that suffered one of the four most common types of attacks — cloud compromise, ransomware, supply chain compromise and business email compromise (BEC) — experienced increased patient mortality rates, according to the study, which surveyed 641 healthcare IT and security practitioners.
“Providers are unprepared to address their human factor,” wrote Ryan Witt, healthcare cybersecurity leader at Proofpoint, in a blog post. While cybersecurity awareness programs are a proven strategy for mitigating threats such as BEC, phishing, employee negligence and other people-centric risks, only 59% of respondents said their organization takes steps to improve awareness, Witt noted. Among those that do, more than a third don’t conduct regular training.
“This lack of basic preparedness puts patients at additional risk,” Witt wrote. “And while cybersecurity is a tough problem, an employee awareness and training program is not a complicated undertaking. It can make a significant difference in helping providers defend against people-centric threats.”
Ransomware attacks are most likely to affect patient care
Ransomware attacks are most likely to have a negative impact on patient care, leading to delays in procedures or tests in 64% of the organizations and longer patient stays for 59%. Seventy-two percent of respondents said they believe their organizations are vulnerable to a ransomware attack, and 60% said this is the type of attack that concerns them the most. Consequently, 62% have taken steps to prevent and respond to ransomware, according to the report.
Notably, while 71% of respondents reported feeling vulnerable to supply chain attacks and 64% feel the same about BEC and phishing, only 44% and 48% have a documented response to those attacks, respectively, the report said.
The study further found that the financial costs of cyberattacks are staggering. The single most expensive cyberattack cost an average of $4.4 million in the past 12 months, with productivity loss creating the most significant financial impact ($1.1 million).
“The attacks we analyzed put a significant strain on healthcare organizations’ resources,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “Their result is not only tremendous cost but also a direct impact on patient care, endangering people’s safety and wellbeing. Most of the IT and security professionals regard their organizations as vulnerable to these attacks, and two-thirds believe that technologies such as cloud, mobile, big data and the Internet of Things — which are all seeing increased adoption — further increase the risks to patient data and safety.”
Cloud benefits also bring the biggest vulnerability
As transformational as the cloud has been for care delivery, it also comes at a price: cloud compromise is the most frequent type of attack in healthcare, Witt said. Seventy-five percent of respondents said their organizations are vulnerable to a cloud compromise, and 54% reported that their organizations experienced at least one cloud compromise in the past two years.
Organizations in that group experienced an average of 22 such compromises over the two years. Yet cloud compromise is also the attack type organizations are best prepared for, with 63% taking steps to prepare for and respond to these attacks, according to the report.
Other key findings from the report include:
The insecure Internet of Medical Things is a top concern
Healthcare organizations have an average of more than 26,000 network-connected devices. While 64% of respondents are concerned about medical device security, only 51% include them in their cybersecurity strategy.
Training and awareness programs, along with employee monitoring, are the top two defenses
Organizations recognize careless and negligent employees pose a significant risk. Fifty-nine percent address employees’ lack of awareness, with 63% of them conducting regular training and awareness programs and 59% monitoring employee actions.
Lack of funding and resources continues to be a challenge
Fifty-three percent of participants said a lack of in-house expertise is a challenge and 46% said they lack sufficient staffing, with both deficiencies negatively affecting cybersecurity posture.
“Healthcare has traditionally fallen behind other sectors in addressing vulnerabilities to the growing number of cybersecurity attacks, and this inaction has a direct negative impact on patients’ safety and wellbeing,” Witt said. “As long as cybersecurity remains a low priority, healthcare providers will continue to endanger their patients.”
To avoid devastating consequences, Witt noted, healthcare organizations must understand the impact of cybersecurity on patient care and take steps toward better preparedness that protects people and defends data.