Healthcare organizations have been slow to bring their cybersecurity defenses in line with the growing frequency and severity of attacks they face. The consequences to patient safety and care delivery are so severe that cyberattacks have become the top health technology hazard for 2022. And the increase in mortality rates and other poor outcomes is truly alarming.
Proofpoint recently commissioned Ponemon Institute to study the impact of cybersecurity threats on healthcare costs and patient care. Eighty-nine percent of the 641 participating healthcare IT and security practitioners reported an average of 43 attacks in the past 12 months. No one should be surprised to learn of such a common consequence of cyberattacks, but the findings on patient safety are shocking.
The report shows the devastating impact of attacks on patient safety. More than 20% of the organizations that have experienced a cloud compromise, ransomware, supply chain, or business email compromise (BEC)/spoofing phishing attack saw an increased patient mortality rate. Other consequences included delayed tests or procedures leading to poor outcomes (57% of surveyed organizations) and an increase in complications from medical procedures (nearly 50%).
Ransomware remains a significant challenge. The Ponemon research found that ransomware attacks are more likely to affect patient care than other types of cyberattacks. Sixty-four percent of organizations attacked by ransomware experienced procedure and test delays, and almost as many saw longer patient stays.
These findings illustrate the importance that healthcare organizations prioritize cybersecurity. While the problem is complex, doing nothing is simply not an option. The sector needs to act urgently. People’s lives depend on it.
The blessings of the cloud also bring the biggest vulnerability
The cloud has been transformational for care delivery. It enables digital technologies to improve the patient experience while boosting providers’ efficiency. But the cloud comes at a price. It brings the most frequent type of attack in healthcare. The surveyed organizations experienced an average of 22 compromises in the last two years. Seventy-five percent of respondents feel their organizations are vulnerable to cloud-based compromise.
With the storage of more sensitive data in the cloud, healthcare organizations recognize that both safety and privacy are at risk. Among respondents, 67% believe the cloud, mobile, big data, and the Internet of Things (IoT) increase cybersecurity dangers. Fifty-nine percent identified cloud account takeovers as a significant risk, enabling fraud or the theft of sensitive patient data.
The proliferation and variety of medical devices compound the cloud problem. The average healthcare organization juggles over 26,000 network-connected devices, and 64% are worried about device security. Despite this concern, only about half include device-attack prevention and response in their security strategy.
Lack of preparedness is a widespread problem
Insecure devices are not the only area lacking preparedness. While healthcare providers are relatively ready to prevent and respond to cloud compromises (63%) and ransomware (62%), less than half have a documented strategy for BEC and spoof phishing, and supply chain attacks.
Providers are unprepared to address their human factor. Cybersecurity awareness programs are a proven strategy for mitigating threats such as BEC, phishing, employee negligence, and other people risks, but only 59% of respondents said their organization takes steps to improve awareness. Among those that do, more than a third do not conduct regular training.
This lack of basic preparedness puts patients at additional risk. And while cybersecurity is a tough problem, an employee awareness and training program is not a complicated undertaking. It can make a significant difference in helping providers defend against people-centric threats.
Typical healthcare organizations do not invest adequate resources in cybersecurity. Traditionally, the bulk of the funding has been allocated to areas directly related to patient care. This practice has severely limited IT and security teams’ capabilities to effectively protect their organizations. The new research reflects this challenge, showing that 53% of organizations struggle with good security posture due to lack of in-house expertise and 46% due to insufficient staffing.
Without a concerted effort to invest in cybersecurity, healthcare organizations will continue to fall behind in their preparedness to defend against cyber threats. Poor cybersecurity can have deep, tangible, and devastating effects on patients. The Ponemon report commissioned by Proofpoint adds to the growing evidence that connects cyber risk to patient risk. Understanding this connection—and taking preventive and remedial action—is critical to keeping patients safe.
Download the Ponemon Institute report “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care” to learn more.
Learn more information about Proofpoint’s healthcare cybersecurity solutions.