New Ponemon Report Shows Healthcare Organisations Are Making Little Progress in Protecting Patients from the Harms of Cyber Attacks 

The healthcare sector is finally acknowledging that cyber attacks affect more than just the financial bottom line. Providers are starting to understand that a weak cybersecurity posture puts patients’ safety and well-being at risk—and may endanger lives. Despite this growing understanding, however, little progress has been made in the past year to improve organisational security. 

The Ponemon Institute’s second annual Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023 report, commissioned by Proofpoint, shows that healthcare businesses have made no strides in protecting patients from the physical harm of cyber attacks. The survey found that 88% of healthcare companies experienced an average of 40 attacks in the past 12 months.  

Among the 653 healthcare and IT security practitioners surveyed: 

  • 66% said cyber attacks targeting their business disrupted patient care 
  • 50% experienced an increase in complications from medical procedures 
  • 23% saw an increase in mortality rates 

These numbers are similar to last year’s report and confirm what’s already well-known in the industry: Change is slow in healthcare, especially when it comes to IT investments.  

The devastating impacts of various attacks on patient safety 

The most common types of attacks examined in the Ponemon report are: 

  • Cloud compromise 
  • Ransomware 
  • Supply chain 
  • Business email compromise (BEC) 

We learnt that supply chain attacks are the most likely to disrupt patient care (77%, up from 70% in 2022). However, when it comes to specific repercussions, BEC leads in three of five categories. This is the type of attack most likely to cause poor outcomes due to: 

  • Delays in tests and procedures (71%) 
  • An increase in complications from medical procedures (56%) 
  • A longer length of stay (55%) 

What may surprise healthcare leaders and clinicians is the impact of data loss or exfiltration. When protected health information (PHI) is compromised, most think in terms of the impact to patient privacy. However, the report shows that the implications are far more dangerous. Forty-three percent of survey participants said a data loss or exfiltration incident affected patient care. Of those that experienced this impact, 46% saw an increase in mortality rates, and 38% noted an increase in medical procedure complications. 

Cloud risk on the rise as adoption grows  

The healthcare sector has lagged behind most other industries in cloud adoption. It took a global pandemic to shake things up: Sixty-two percent of surveyed physicians said the pandemic forced them to make upgrades to technology that would have taken years to accomplish otherwise.  

But with the broad adoption of cloud apps, care providers are more vulnerable to cloud threats. ECRI (an independent authority on healthcare technology and safety) ranked care disruption due to the failure to manage cyber risk of cloud-based clinical systems as one of the top 10 healthcare technology hazards for 2023. 

Given the high rate of adoption, it’s not surprising the Ponemon report found that cloud compromise is now the top concern for healthcare companies. Cloud compromise rose to first place this year from fifth last year—with 63% of respondents expressing this concern, compared with 57% in 2022. Likewise, healthcare businesses feel more vulnerable to cloud compromise than to any other type of attack, with 74% of respondents in agreement. 

Ransomware remains ever-present, despite decreased concerns 

One surprising finding from the survey is the significant decrease in concerns about ransomware attacks. Although 54% of respondents reported that their business had experienced a ransomware attack (up from 41% in 2022), they’re the least worried about this type of threat. Only 48% of those surveyed said ransomware was a concern—a big decline from last year’s 60%.  

Based on recent events, we know that the impacts of ransomware incidents are getting worse. In August, for example, a ransomware attack on a California-based health system disrupted operations across several states. That included shutdowns of emergency departments. Various primary care services were closed for at least a day. And providers scrambled to deliver care without access to electronic health records. 

Our data shows that 68% of healthcare businesses that suffered a ransomware attack saw disruptions to patient care. And 59% noted test and procedure delays that resulted in poor outcomes. So, without question, this threat should remain on security teams’ radar.  

Changing the status quo 

The cybersecurity industry has been raising the alarm about poor security posture in the healthcare sector for years. It is clear from our report that health systems are now paying more attention to this issue. With solid evidence available to show the connection between cyber attacks and patient health and safety, there is renewed optimism that healthcare organisations will focus on these threats—and fulfil their mission of patient care. 

Outside forces may need to spark change. Most likely, it will be government action. It would not be unprecedented, considering that the government was the catalyst behind the modernisation of patient records. Through such a public-private partnership, we may be better able to mitigate the impact of cyber attacks on healthcare companies’ ability to deliver the best and safest care. 

Learn more 

Want to learn more about this year’s findings? Download the Ponemon Institute report, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023.