Nearly a quarter of healthcare organizations hit by ransomware attacks experienced an increase in patient mortality, according to a study from Ponemon Institute and Proofpoint released today.
The report, “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care,” surveyed 641 healthcare IT and security practitioners and found that the most common consequences of cyberattacks are delayed procedures and tests, resulting in poor patient outcomes for 57% of the healthcare providers, followed by increased complications from medical procedures. The type of attack most likely to have a negative impact on patient care is ransomware, leading to procedure or test delays in 64% of the organizations and longer patient stays for 59% of them.
The Ponemon report comes with a caveat that the numbers depend on the accuracy of self-reporting and thus don’t have the weight of, say, an epidemiological study that looks at hospital mortality baseline data before and after an attack, but the data is similar to what Ponemon found last year and there have been a number of reports of patient deaths and other complications from ransomware attacks.
Also read: After Springhill: Assessing the Impact of Ransomware Lawsuits
Healthcare Cyberattacks Common – And Costly
The new report found that 89% of the surveyed organizations have experienced an average of 43 cyberattacks in the past 12 months. The most common types of attacks were cloud compromise, ransomware, supply chain, and business email compromise (BEC)/spoofing/phishing.
Ponemon chairman and founder Larry Ponemon said in a statement that “Most of the IT and security professionals regard their organizations as vulnerable to these attacks,” and that growing adoption of technologies such as cloud, mobile, big data, and the Internet of Things (IoT) are adding to that risk.
The Internet of Medical Things (IoMT) is a top concern for survey participants. Healthcare organizations have an average of more than 26,000 network-connected devices, yet only 51% of the surveyed organizations include them in their cybersecurity strategy.
Healthcare organizations are better at cloud security, with 63% taking steps to prepare for and respond to cloud compromise attacks, and 62% have taken steps to prevent and respond to ransomware — but that still leaves nearly 40% of healthcare organizations more vulnerable than they should be.
Preparedness is even worse for supply chain attacks and BEC, with only 44% and 48% having a documented response to those attacks, respectively.
Healthcare cybersecurity tools likely have a high return on investment (ROI), even though roughly half of the survey respondents say they lack sufficient staffing and in-house expertise.
The financial costs of healthcare cyberattacks are high, the report noted, costing an average of $4.4 million in the last 12 months, with productivity loss creating the most significant financial impact at $1.1 million.
“Healthcare has traditionally fallen behind other sectors in addressing vulnerabilities … and this inaction has a direct negative impact on patients’ safety and wellbeing,” stated Ryan Witt, Proofpoint’s healthcare cybersecurity leader. “As long as cybersecurity remains a low priority, healthcare providers will continue to endanger their patients. To avoid devastating consequences, healthcare organizations must understand how cybersecurity affects their patient care and take the steps toward better preparedness that protects people and defends data.”
Further reading on ransomware protection and recovery:
- How to Recover From a Ransomware Attack
- Best Ransomware Removal Tools
- Best Ransomware Removal and Recovery Services
- Best Backup Solutions for Ransomware Protection
Healthcare Security Defenses
Two of the more common healthcare cybersecurity defenses the report found are training and awareness programs and employee monitoring.
Threat intelligence also ranks high among respondents, used via network traffic (57 percent, firewall/IPS traffic (53 percent), dark web data (46 percent) and user behavior (44 percent).
The healthcare organizations are better at access control, with nearly 80% reporting use of adaptive access and authentication controls, and 74% report using multiple identity federation standards like SAML.
Ponemon and Proofpoint held a briefing yesterday to preview the report, joined by two healthcare CISOs: Hussein Syed of RWJBarnabas Health and Dan Anderson of LifeScan Global.
Anderson stressed the need for proper security controls and staffing, noting that his organization has “experienced threat hunters on our network every day and they know when something doesn’t look right.” That’s preferable to an incident response service, he said, where an incident responder would need to learn the system in real time.
Shutting down local admin privileges on endpoints, monitoring software downloads, zero trust, phishing tests and training, and understanding the flow of data are other important controls that Anderson highlighted.
Syed said healthcare cybersecurity is a “long game” covering everything from hygiene up to EDR and access management. “It really is a building block, … strategic approach toward building that security posture,” he said.
Read next: Zero Trust Speeds Ransomware Response, Illumio-Bishop Fox Test Finds