The average total cost of a cyber attack experienced by healthcare organizations was nearly $5 million, a 13% increase from the previous year

SUNNYVALE, Calif., October 11, 2023 – Proofpoint, Inc., a leading cybersecurity and compliance company, and Ponemon Institute, a top IT security research organization, today released the results of their second annual survey on the effect of cybersecurity in healthcare. The report, “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023,” found that 88% of the surveyed organizations experienced an average of 40 attacks in the past 12 months. The average total cost of a cyber attack experienced by healthcare organizations was $4.99 million, a 13% increase from the previous year.

Among the organizations that suffered the four most common types of attacks—cloud compromise, ransomware, supply chain, and business email compromise (BEC)—an average of 66% reported disruption to patient care. Specifically, 57% reported poor patient outcomes due to delays in procedures and tests, 50% saw an increase in medical procedure complications, and 23% experienced increased patient mortality rates. These numbers reflect last year’s findings, indicating that healthcare organizations have made little progress in mitigating the risks of cyber attacks on patient safety and wellbeing.

The report, which surveyed 653 healthcare IT and security practitioners, found that supply chain attacks are the type of threat most likely to affect patient care. Nearly two-thirds (64%) of surveyed organizations suffered a supply chain attack in the past two years. Among those, 77% experienced disruptions to patient care as a result (an increase from 70% in 2022). BEC, by far, is the type of attack most likely to result in poor outcomes due to delayed procedures (71%), followed by ransomware (59%). BEC is also most likely to result in increased medical procedure complications (56%) and longer lengths of stay (55%).

“For the second consecutive year, we found that the four types of analyzed attacks show a direct negative impact on patient safety and wellbeing,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Our findings also show that more IT and security professionals view their organization as vulnerable to each type of attack, compared to 2022. These attacks are also putting an even greater strain on resources than last year—costing on average 13% more overall and 58% more in the time required to ensure the impact on patient care was corrected.”

Other key findings of the report include:

• Ransomware remains an ever-present threat to healthcare organizations, even though concerns about it are on the decline: 54% of respondents say their organization suffered a ransomware attack, up from 41% in 2022. However, ransomware fell to the bottom of threat concerns, with only 48% of respondents saying this threat concerns them the most, compared to 60% last year. The number of surveyed organizations making a ransom payment also dropped, from 51% in 2022 to 40% this year. However, the average total cost for the highest ransom payment spiked 29% to $995,450. Further, 68% said the ransomware attack resulted in a disruption to patient care, with most (59%) citing delays in procedures and tests that resulted in poor outcomes.

• All organizations surveyed had at least one data loss or exfiltration incident involving sensitive and confidential healthcare data within the past two years: 43% of respondents say a data loss or exfiltration incident impacted patient care; of those, 46% experienced increased mortality rates and 38% saw increased complications from medical procedures. Organizations experienced 19 such incidents on average, with malicious insiders the most likely cause (identified by 32% of respondents).

• Concerns about supply chain attacks declined, despite these attacks significantly disrupting patient care. Only 63% of respondents expressed concern about the vulnerability of their organization to supply chain attacks, compared to 71% last year. At the same time, 64% of respondents say their organizations’ supply chains were attacked an average of four times and 77% of those that suffered a supply chain attack saw disruption in patient care, an increase from last year’s 70%.

• Healthcare organizations feel most vulnerable to and most concerned about cloud compromise. Seventy-four percent of survey participants view their organization as most vulnerable to a cloud compromise, on par with last year’s 75%. However, a higher number are concerned about the threats posed by the cloud: 63% vs. 57% in 2022. Cloud compromise, in fact, rose to the top as the most concerning threat this year from fifth place last year.

• BEC/spoofing concerns increased significantly. The number of respondents concerned about BEC/spoofing jumped to 62% from last year’s 46%. More than half (54%) of organizations experienced five of these types of incidents on average. The growing concern may reflect the finding that BEC/spoofing attacks are more likely than others to result in poor outcomes due to delayed procedures (71%), increased complications from procedures (56%), and lengthier stays (55%).

• Low preparedness against BEC/spoofing and supply chain attacks puts patients at risk. Although the number of organizations concerned about BEC/spoofing phishing grew, only 45% take steps to prevent and respond to this type of attack. Similarly, despite the prevalence of disruptions to patient care from supply chain attacks, only 45% of organizations have documented steps to respond to them.

• Lack of in-house expertise and insufficient staffing an even bigger challenge than before to cybersecurity posture. Respondents identified lack of in-house expertise and insufficient staffing as the two biggest challenges to keeping their organization’s cybersecurity posture from being fully effective, and more organizations feel this challenge this year: 58% noted lack of expertise as a challenge vs. 53% in 2022, and 50% identified insufficient staffing vs. 46% last year.

“While the healthcare sector remains highly vulnerable to cybersecurity attacks, I’m encouraged that industry executives understand how a cyber event can adversely impact patient care. I’m also more optimistic that significant progress can be made to protect patients from the physical harm that such attacks may cause,” said Ryan Witt, chair, Healthcare Customer Advisory Board at Proofpoint. “Our survey shows that healthcare organizations are already aware of the cyber risks they face. Now they must work together with their industry peers and embrace governmental support to build a stronger cybersecurity posture—and consequently, deliver the best patient care possible.”

To download Cyber Insecurity in Healthcare: The cost and impact on patient safety and care 2023, please visit: https://www.proofpoint.com/us/resources/threat-reports/ponemon-healthcare-cybersecurity-report

For more information on Proofpoint’s healthcare solutions, please visit: https://www.proofpoint.com/healthcare

####

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube 

###

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.