Healthcare cyberattacks are now top health technology hazard, affecting mortality rates, patient safety

New research released by Proofpoint revealed that healthcare organizations have been slow to bring their cybersecurity defenses in line with the growing frequency and severity of attacks. As a result of hospital organizations dragging their feet, patient safety and care delivery consequences are so severe that cyberattacks have become the top health technology hazard for 2022. Such inaction has also increased mortality rates and other poor outcomes, displaying the devastating impact of attacks on patient safety.

In a study sponsored by Proofpoint, Ponemon surveyed 641 people responsible for security strategies in a bid to study the impact of cybersecurity threats on healthcare costs and patient care.  

According to the report titled ‘Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care,’ 89 percent of organizations in this research experienced cyberattacks in the past 12 months. For organizations in that group, the average number of attacks was 43. “We asked respondents to estimate the single most expensive cyberattack in the past 12 months from a range of less than $10,000 to more than $25 million,” it added. 

Based on the responses, the average total cost for the most expensive cyberattack experienced was US$4.4 million, Proofpoint said. “This included all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs, and lost business opportunities. At an average cost of $1.1 million, lost productivity was the most significant financial consequence from the cyberattack. However, despite the connection between cyberattacks and patient safety, the least amount of cost following a cyberattack was the time required to ensure the impact on patient care was corrected ($664,350).”

The report analyzes four types of cyberattacks and their impact on healthcare organizations, patient safety, and patient care delivery. These breaches include cloud compromise, ransomware, supply chain attacks, and business email compromise (BEC). 

The research found that 75 percent of respondents say their organizations are vulnerable to a cloud compromise. In the past two years, 54 percent of respondents say their organizations experienced at least one cloud compromise. Organizations within this group experienced an average of 22 such compromises in the past two years.

Seventy-two percent of respondents believe their organizations are vulnerable to a ransomware attack. When asked what cybersecurity threats their organizations are most concerned about, ransomware is the number one concern for 60 percent of respondents. Organizations that had ransomware attacks in the past two years (41 percent of respondents) experienced an average of three such attacks.

The Proofpoint data revealed that 71 percent of respondents say their organizations are vulnerable to a supply chain attack. Fifty percent of respondents say their organizations experienced at least one attack against the supply chain in the past two years. In addition, organizations represented in this group had an average of four supply chain attacks in the past two years. 

BEC attacks encompass several impersonation tactics such as spoofing, phishing and social engineering, the research found. “Sixty-four percent of respondents say their organizations are vulnerable to a BEC incident. Fifty-one percent of respondents said they experienced at least one BEC incident in the past two years. Organizations in this group had an average of 3.5 BEC attacks in the past two years,” it added.

The research also disclosed that 50 percent of respondents say their organizations had an attack against their supply chain. Seventy percent of respondents say it disrupted patient care. The consequences included delayed procedures and tests that increased the severity of an illness (54 percent), while another consequence was a longer length of stay (51 percent).

“Sixty-seven percent of respondents say a BEC attack and/or a ransomware attack against their organizations disrupted patient care. Twenty-one percent of respondents say a BEC incident and 24 percent of respondents say ransomware increased the mortality rate,” Proofpoint said. 

The research also showed that ransomware attacks are more likely than other attacks to hurt patient safety and care delivery. Sixty-four percent of respondents in organizations that experienced a ransomware attack say it caused delays in procedures and tests that resulted in poor outcomes. In comparison, 59 percent of respondents say it resulted in longer lengths of stay, which strains resources.

Proofpoint also identified that technologies such as cloud, mobile, big data, and IoT increase the risks to patient information and safety, according to 67 percent of respondents.

The research also found that insecure medical devices and mobile apps are considered among the top cybersecurity concerns in healthcare. On average, organizations have more than 26,000 network-connected devices. Sixty-four percent of respondents say they are concerned about the security of these medical devices and 59 percent of respondents say they are concerned about insecure mobile apps. 

Organizations use a combination of approaches to user access and identity management in the cloud, Proofpoint said. Sixty percent of respondents say their organizations use a variety of solutions. These include separate identity management interfaces for the cloud and on-premises environments, a unified identity management interface for both the cloud and on-premises environments and a single sign-on deployment.

Proofpoint data disclosed that the lack of preparedness puts healthcare organizations and patients at risk. “While insecure medical devices are considered the top cybersecurity threat, only about half (51 percent) of respondents say their organizations include prevention and response to an attack on these devices as part of their cybersecurity strategy.” 

It also identified that less than half of respondents say they have documented the steps to prevent and respond to a BEC attack (48 percent) and/or attacks to the supply chain (44 percent of respondents). Instead, most organizations focus on steps to prevent and respond to cloud compromises (63 percent of respondents) and/or ransomware (62 percent of respondents). 

The research also determined that a lack of in-house expertise, staffing, and collaboration with other functions is a challenge to an effective cybersecurity posture. Fifty-three percent of respondents say their organizations lack in-house expertise and 46 percent say insufficient staffing is a challenge. In addition, working in silos and a lack of collaboration with other functions also affect the effectiveness of their organization’s cybersecurity strategy.

Proofpoint also said that it is critical in healthcare organizations to have a productive workforce while effectively securing highly sensitive and confidential patient information. Lost productivity is also the highest cost incurred when responding to a cyberattack ($1.1 million). 

The research identified that training and awareness programs and monitoring employees are the top two steps to reduce insider risk, as negligent employees pose a significant risk to healthcare organizations. Fifty-nine percent of respondents say their organizations take steps to address the risk of employees’ lack of awareness about cybersecurity threats, especially BEC. Of these respondents, 63 percent say they conduct regular training and awareness programs, and 59 percent say their organizations monitor the actions of employees.

As part of the cybersecurity strategy, 60 percent of respondents say their organizations use threat intelligence, Proofpoint said. “The types of threat intelligence commonly used are network traffic (57 percent of respondents), firewall/IPS traffic (53 percent of respondents), dark web data (46 percent of respondents), and user behavior (44 percent of respondents),” it added.

Proofpoint said that typical healthcare organizations do not invest adequate resources in cybersecurity. Traditionally, the bulk of the funding has been allocated to areas directly related to patient care, severely limiting IT and security teams’ capabilities to protect their organizations. The new research reflects this challenge, showing that 53 percent of organizations struggle with good security posture due to a lack of in-house expertise and 46 percent due to insufficient staffing.

“Without a concerted effort to invest in cybersecurity, healthcare organizations will continue to fall behind in their preparedness to defend against cyber threats. Poor cybersecurity can have deep, tangible, and devastating effects on patients,” the report added.
