A new cybersecurity report this week had some sobering statistics that illustrate just how common network attacks have become in healthcare.
The survey, which polled more than 640 IT and security leaders, found that 89% of organizations surveyed experienced an average of 43 attacks in the past year, averaging almost one attack per week.
WHY IT MATTERS
Worse yet, the Ponemon Institute study, sponsored by Proofpoint, also found that cyber incursions now routinely impact patient safety in US hospitals and healthcare systems.
The report, “Cyber Insecurity in Healthcare: The Cost and Impact on Safety and Patient Care,” showed that respondents say cyberattacks routinely delay procedures and tests, with 57% saying patient outcomes are poor and 50% citing major complications from medical procedures.
Perhaps the most alarming statistic was this: Of health systems that experienced the four most common types of cyberattacks, 20% said they subsequently experienced an increase in patient mortality rates.
Ponemon defines the four most common exploits as ransomware, cloud compromise, supply chain disruption, and phishing.
Unsurprisingly, the type of attack most likely to negatively impact care delivery is ransomware, with attacks typically leading to delays in procedures or tests (64% of respondents) and longer patient stays (59%).
Nearly three-quarters (72%) of respondents said organizations are vulnerable to a ransomware attack, with 60% saying it was a top concern, with a similar percentage reporting efforts to improve prevention and response.
When it comes to cloud compromise, more than half (54%) of respondents said their organizations had experienced at least one incident in the past two years. Of that group, organizations experienced an average of 22 such incidents in the past two years. Some 63% said they had taken steps to prepare for and respond to these attacks.
But while 71% of participants said they felt vulnerable to supply chain attacks, and 64% felt at risk of business email compromise and phishing, only 44% and 48%, respectively, have a documented response plan for those risks.
The report also highlights ongoing concerns with IoT, with hospitals and health systems deploying an average of more than 26,000 network-connected devices. But while 64% of respondents said they are concerned about device security, only 51% include it in their cybersecurity strategy, according to the study.
(Those connected medical device statistics echo similar numbers in another recent report by the Ponemon Institute.)
Some other statistics from the report:
63% of respondents conduct regular training and awareness programs for employees.
59% monitor their employees’ actions and use of technology.
53% of respondents said a lack of in-house cybersecurity expertise is a challenge.
46% said they are understaffed overall, which affects their cybersecurity readiness.
This is despite the fact that, beyond the risk to patient safety, there are significant financial stakes. The most expensive healthcare cyberattack cost an average of $4.4 million over the past 12 months, according to the study, including $1.1 million in lost productivity.
THE BIGGEST TREND
IT and information security leaders from major US healthcare systems recognize the stakes. At HIMSS22 last March, chief information security officers discussed the patient safety risks of this tense threat landscape.
“We’ve gone beyond data — it’s not just about privacy and confidentiality anymore,” said Erik Decker, CISO at Intermountain Healthcare. “Cybersecurity is patient safety. Downtime means delayed care, and delayed care means patient safety. That’s our charge.”
That has been the case for some time. But as this report shows, and recent real-world cases of patient deaths linked to ransomware attacks emphasize, the risks have only increased for hospital security.
ON THE RECORD
“The attacks we analyzed put significant pressure on the resources of healthcare organizations,” Larry Ponemon, president and founder of the Ponemon Institute, said in a statement. “Its result is not only a tremendous cost, but also a direct impact on patient care, putting people’s safety and well-being at risk.”
“Healthcare has traditionally lagged behind other sectors in addressing vulnerabilities from the growing number of cybersecurity attacks, and this inaction has a direct negative impact on the safety and well-being of patients,” said Ryan Witt, healthcare cybersecurity lead at Proofpoint, in a statement.
“As long as cybersecurity remains a low priority, health care providers will continue to put their patients at risk,” he added. “To avoid devastating consequences, healthcare organizations must understand how cybersecurity affects their patient care and take steps toward better preparedness that protects people and defends data.”
Healthcare IT News is published by HIMSS.