Ransomware attacks on healthcare delivery organizations (HDOs) put patient safety, data, and overall care availability at risk, with nearly one in four healthcare providers reporting an increase in mortality rate due to ransomware. The COVID-19 pandemic brought its own share of risk factors to HDOs, including remote work, the new systems deployed to support it, staffing challenges, and elevated patient care requirements, according to a new research report.
Beyond the effect on patient care as a whole, ransomware attacks on the healthcare sector are linked to more complications from medical procedures, delays in procedures and tests that resulted in poor outcomes, an upturn in patients transferred or diverted to other facilities, and longer lengths of stay.
Released on Wednesday, the research report was commissioned by Censinet and conducted by the Ponemon Institute. It compiles survey responses from 597 healthcare organizations, including regional health systems, community hospitals, and integrated delivery networks.
The onset of the COVID-19 pandemic introduced new risk factors to HDOs, including remote work, new systems to support it, staffing challenges, and elevated patient care requirements. Over the last two years, 43 percent of respondents say their HDOs experienced a ransomware attack, the report said. Of these, 67 percent say their HDO suffered one attack and 33 percent say they experienced two or more. These attacks put patient safety, data, and overall care availability at risk.
The COVID-19 pandemic has also eroded HDOs' confidence in their ability to mitigate ransomware risk: 61 percent of HDOs report that they lack confidence in combating ransomware, up from 55 percent before the pandemic struck, the research said.
Respondents report that ransomware attacks had a significant impact on patient care, citing longer lengths of stay (71 percent of respondents), delays in procedures and tests (70 percent), an increase in patient transfers or facility diversions (65 percent), an increase in complications from medical procedures (36 percent), and higher mortality rates (22 percent).
“The combination of data breaches, ransomware attacks, and COVID-19 has created the perfect cybersecurity storm and worst two years on record for IT and security leaders in healthcare,” Ed Gaudet, CEO and founder of Censinet, said in a media statement. “The Ponemon Research results are an urgent wake-up call for the healthcare industry to transform its cybersecurity and third-party risk programs or jeopardize patient lives.”
Driven by cost containment, regulatory directives, and the demand for accessible, higher-quality patient care, HDOs have shifted to digitizing and distributing health information. Moreover, medical devices, whether in patient rooms or in labs, rely on network connectivity for operation and maintenance. Most of these technology components are not developed by the HDO itself, leaving it reliant on external parties for software, services, and hardware development.
The research found that organizations contract with an average of 1,950 third parties, a figure expected to grow to an average of 2,541 over the next 12 months. Other risks arise from how HDOs deploy and use third parties, including storing protected health information (PHI) on cloud-based systems that are typically not meant to hold it. In either case, the risk, whether created by the third party itself or by the HDO's use of third-party components, needs to be managed, and the burden falls on the HDO to perform assessments throughout its relationship with each third party.
The report advised HDOs and vendors to establish best practices in several areas: workflow automation, resources, and processes; risk assessments before third-party engagements; resource allocation, reassessments, and funding; securing medical devices; evaluating third-party risk and continuous monitoring; and assigning accountability and ownership.
Another influencing factor is that cybersecurity investment is not a high priority for hospital networks, despite continuing cyber-attacks against the healthcare sector, CyberMDX said in a report last month. Roughly half of the respondents experienced an externally motivated shutdown in the last six months, yet more than 60 percent of hospital IT teams have ‘other’ spending priorities and less than 11 percent say cybersecurity is a high priority spend.
The U.S. Food and Drug Administration (FDA) is looking for ways to compel medical device manufacturers to prioritize cybersecurity. The recently released Executive Order 14028 of the U.S. government highlights the urgent need to take decisive action that would strengthen the security posture of this critical industry.
“FDA is emphasizing the requirement of SBOM for medical device manufacturers because the SBOM provides the much-needed transparency for end users that enables awareness of potential vulnerabilities. These potential vulnerabilities are hidden today and could represent exploitable opportunities for bad actors,” according to a blog post by medical device cybersecurity company Vigilant Ops. “By providing SBOMs to their end users, medical device manufacturers are effectively removing the black boxes surrounding their devices,” it added. A software bill of materials (SBOM) is an inventory of the components in a piece of software, typically covering both the open-source and the commercial components it incorporates.
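To make the transparency argument concrete, here is an added example (not code from the article, the Ponemon report, or Vigilant Ops) of what an SBOM lets a device operator do: read a CycloneDX-style SBOM and flag components whose recorded version predates a known fix. The SBOM document and the advisory list are constructed sample data, the advisory identifiers are placeholders rather than real CVE numbers, and the version ordering is a simple numeric-with-letter-suffix comparison assumed to suit the sample versions, not a full version parser.

```python
"""Match a CycloneDX-style SBOM against an advisory list.

Added example; the SBOM and the advisories below are constructed sample data
and the advisory ids are placeholders, not real CVE numbers.
"""
import json
import re

# Constructed SBOM in the CycloneDX JSON layout (bomFormat/specVersion/components).
# The device, component names and versions are sample values only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "example-pump-firmware", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k"},
        {"type": "library", "name": "libxml2", "version": "2.9.10"},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
        {"type": "application", "name": "busybox"},  # version missing on purpose
    ],
})

# Constructed advisories: component name -> [(placeholder advisory id, fixed-in version)].
# A component is affected when its version sorts below the fixed-in version.
SAMPLE_ADVISORIES = {
    "openssl": [("ADV-EXAMPLE-0001", "1.1.1l")],
    "libxml2": [("ADV-EXAMPLE-0002", "2.9.11")],
    "zlib": [("ADV-EXAMPLE-0003", "1.2.12")],
}

_PART = re.compile(r"(\d+)([A-Za-z]*)")


def version_key(version):
    """Turn '1.1.1k' into ((1, ''), (1, ''), (1, 'k')) so versions compare in order.

    Handles dotted numbers with an optional letter suffix per segment (the
    OpenSSL 1.x style); a non-numeric segment such as 'beta' sorts below any number.
    """
    key = []
    for part in version.split("."):
        m = _PART.fullmatch(part)
        if m is None:
            key.append((-1, part))
        else:
            key.append((int(m.group(1)), m.group(2)))
    return tuple(key)


def load_components(sbom_json):
    """Parse the SBOM text and return its component list (empty if none)."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def find_affected(sbom_json, advisories):
    """Return one finding per (component, advisory) pair where the SBOM version predates the fix."""
    findings = []
    for comp in load_components(sbom_json):
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:
            continue  # unversioned components are reported separately
        for advisory_id, fixed_in in advisories.get(name, []):
            if version_key(version) < version_key(fixed_in):
                findings.append({"name": name, "version": version,
                                 "advisory": advisory_id, "fixed_in": fixed_in})
    return findings


def unversioned_components(sbom_json):
    """Components with no version cannot be assessed; surface them instead of silently skipping."""
    return [c.get("name", "<unnamed>") for c in load_components(sbom_json) if not c.get("version")]


if __name__ == "__main__":
    for f in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f['name']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
    for name in unversioned_components(SAMPLE_SBOM):
        print(f"{name}: no version recorded, cannot be assessed")
```

The unversioned check matters in practice: an SBOM entry without a version gives the operator no way to decide whether an advisory applies, so the example reports it as a gap rather than treating it as clean.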
“The intersection of cybersecurity and medical device servicing presents unique challenges and opportunities. While device users and servicing entities can provide valuable feedback, help monitor and detect vulnerabilities, and timely implement authorized updates and patches throughout a medical device’s life cycle, challenges exist when updating a device’s software or patching a vulnerability,” it added.