91视频

Topics
More on Analytics

Patient care threatened by ever-increasing cyberattacks

The average total cost of a cyberattack was $4.99 million, a 13% increase from the previous year, new survey finds.

Jeff Lagasse, Associate Editor

Photo: Al David Sacks/Getty Images

Patient care is under threat from cyberattacks, particularly supply chain and business email compromise (BEC) attacks, as more and more healthcare organizations are grappling with the cost and headache associated with them, finds a new survey on healthcare cybersecurity from Proofpoint and the Ponemon Institute.

The report, "," found that 88% of the surveyed organizations experienced an average of 40 attacks in the past 12 months. The average total cost of a cyberattack was $4.99 million, a 13% increase from the previous year.

Among the organizations that suffered the four most common types of attacks 鈥 cloud compromise, ransomware, supply chain and BEC 鈥 an average of 66% reported disruption to patient care. Specifically, 57% reported poor patient outcomes due to delays in procedures and tests, 50% saw an increase in medical procedure complications and 23% experienced increased patient mortality rates.

These numbers reflect last year's findings, indicating that healthcare organizations have made little progress in mitigating the risks of cyberattacks on patient safety and wellbeing.

The report, which surveyed 653 healthcare IT and security practitioners, found that supply chain attacks are the type of threat most likely to affect patient care. Nearly two-thirds (64%) of surveyed organizations suffered a supply chain attack in the past two years. Among those, 77% experienced disruptions to patient care as a result 鈥 an increase from 70% in 2022.

BEC, by far, is the type of attack most likely to result in poor outcomes due to delayed procedures (71%), followed by ransomware (59%). BEC is also most likely to result in increased medical procedure complications (56%) and longer lengths of stay (55%).

WHAT'S THE IMPACT?

Ransomware remains an ever-present threat to healthcare organizations, even though concerns about it are on the decline: Some 54% of respondents say their organization suffered a ransomware attack, up from 41% in 2022. However, ransomware fell to the bottom of threat concerns, with only 48% of respondents saying this threat concerns them the most, compared to 60% last year.听

The number of surveyed organizations making a ransom payment also dropped, from 51% in 2022 to 40% this year. But the average total cost for the highest ransom payment spiked 29% to $995,450.

All organizations surveyed had at least one data loss or exfiltration incident involving sensitive and confidential healthcare data within the past two years: A total of 43% of respondents say a data loss or exfiltration incident impacted patient care. Of those, 46% experienced increased mortality rates, and 38% saw increased complications from medical procedures. Organizations experienced 19 such incidents on average, with malicious insiders the most likely cause (identified by 32% of respondents).

Concerns about supply chain attacks declined, despite these attacks significantly disrupting patient care. Only 63% of respondents expressed concern about the vulnerability of their organization to supply chain attacks, compared to 71% last year. At the same time, 64% of respondents say their organizations' supply chains were attacked an average of four times, and 77% of those that suffered a supply chain attack saw disruption in patient care, an increase from last year's 70%.

Healthcare organizations feel most vulnerable to, and most concerned about, cloud compromise. Seventy-four percent of participants view their organization as most vulnerable to a cloud compromise, on par with last year's 75%. However, a higher number are concerned about the threats posed by the cloud: 63% vs. 57% in 2022. Cloud compromise, in fact, rose to the top as the most concerning threat this year from fifth place last year.

BEC/spoofing concerns increased significantly. The number of respondents concerned about BEC/spoofing jumped to 62% from last year's 46%. More than half (54%) of organizations experienced five of these types of incidents on average. Although the number of organizations concerned about BEC/spoofing phishing grew, only 45% take steps to prevent and respond to this type of attack. Similarly, despite the prevalence of disruptions to patient care from supply chain attacks, only 45% of organizations have documented steps to respond to them.

Lastly, respondents identified lack of in-house expertise and insufficient staffing as the two biggest challenges to keeping their organization's cybersecurity posture from being fully effective, and more organizations feel this challenge this year: Some 58% noted lack of expertise as a challenge, vs. 53% in 2022, and 50% identified insufficient staffing, vs. 46% last year.

THE LARGER TREND

More than three quarters (78%) of respondents to an August Claroty survey experienced a minimum of one cybersecurity incident over the last year, which impacted a broad range of asset types, including IT systems, sensitive data, medical devices and building management systems.

Alarmingly, more than 60% of respondents reported a moderate or substantial impact on care delivery, and another 15% reported a severe impact that compromised patient health or safety. The financial ramifications mainly fell in the $100,000鈥$1,000,000 range, with 26% paying ransoms.

Twitter: @JELagasse
Email the writer:听Jeff.Lagasse@himssmedia.com