Eighty-nine percent of recently surveyed healthcare security officials said that their organizations experienced an average of 43 cyberattacks in the past year. More than 20 percent of the organizations suffering the four most common types of attacks—cloud compromise, ransomware, supply chain, and business email compromise (BEC)/spoofing phishing—said they experienced increased patient mortality rates.
The report, “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care,” was released by cybersecurity company Proofpoint Inc. and Ponemon Institute, an IT security research organization. It surveyed 641 healthcare IT and security practitioners and found that the most common consequences of attacks are delayed procedures and tests, resulting in poor patient outcomes for 57 percent of the healthcare providers and increased complications from medical procedures for nearly half of them. The type of attack most likely to have a negative impact on patient care is ransomware, leading to procedure or test delays in 64 percent of the organizations and longer patient stays for 59 percent of them.
During a Sept. 7 webinar focused on the new report, Hussein Syed, chief information security officer at RWJBarnabas Health in New Jersey, said the report “helps put context around how prepared you are, what is the holistic approach to security your organization is taking and how important it is to build defense in depth and keep abreast of the changes that are happening from the threat landscape.”
Syed added that “if you look at vulnerability management, it really is the game of raising the bar slowly to a point where certain things that are considered foundational controls start to become part of the process. But these attacks keep getting more sophisticated and the challenge is how to be able to keep up with ensuring that the user education stays abreast of the types of sophisticated attempts that are being made.”
“The attacks we analyzed put a significant strain on healthcare organizations’ resources. Their result is not only tremendous cost but also a direct impact on patient care, endangering people’s safety and wellbeing,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “Most of the IT and security professionals regard their organizations as vulnerable to these attacks, and two-thirds believe that technologies such as cloud, mobile, big data, and the Internet of Things—which are all seeing increased adoption—further increase the risks to patient data and safety.”
Other key findings of the report are that:
- The insecure Internet of Medical Things (IoMT) is a top concern. Healthcare organizations have an average of more than 26,000 network-connected devices. While 64 percent of respondents are concerned about medical device security, only 51 percent include them in their cybersecurity strategy.
- Healthcare organizations feel both most vulnerable to and most prepared for cloud compromise. Seventy-five percent of respondents say their organizations are vulnerable to a cloud compromise, and 54 percent of respondents say that in the past two years their organizations experienced at least one cloud compromise. But just as they are the most vulnerable, organizations are also the most prepared for a cloud compromise, with 63 percent focused on taking steps to prepare for and respond to these attacks.
- Ransomware is the second-biggest vulnerability. Seventy-two percent of those surveyed believe their organizations are vulnerable to a ransomware attack, and 60 percent say this is the type of attack that concerns them the most. Consequently, 62 percent have taken steps to prevent and respond to ransomware.
- Low preparedness puts patients at risk. Although 71 percent of participants feel they are vulnerable to supply chain attacks, and 64 percent feel the same about BEC and spoofing phishing, only 44 percent and 48 percent have a documented response to those attacks, respectively.
- Lack of funding and resource continue to be a challenge. Fifty-three percent of participants said a lack of in-house expertise is a challenge and 46 percent said they lack sufficient staffing, with both deficiencies negatively affecting cybersecurity posture.