Cyberattacks on healthcare organizations affect patient care

88% of organizations experienced an average of 40 attacks in the past 12 months, according to a survey conducted by the Proofpoint and Ponemon Institute.

Supply chain attacks: Leading patient care risk

The average total cost of a cyberattack experienced by healthcare organizations was $4.99 million, a 13% increase from the previous year.

Among the organizations that suffered the four most common types of attacks—cloud compromise, ransomware, supply chain, and BEC — an average of 66% reported disruption to patient care. Specifically, 57% reported poor patient outcomes due to delays in procedures and tests, 50% saw an increase in medical procedure complications, and 23% experienced increased patient mortality rates.

These numbers reflect last year’s findings, indicating that healthcare organizations have made little progress in mitigating the risks of cyberattacks on patient safety and wellbeing.

The report found that supply chain attacks are the type of threat most likely to affect patient care. 64% of surveyed organizations suffered a supply chain attack in the past two years. Among those, 77% experienced disruptions to patient care as a result (an increase from 70% in 2022).

BEC, by far, is the type of attack most likely to result in poor outcomes due to delayed procedures (71%), followed by ransomware (59%). BEC is also most likely to result in increased medical procedure complications (56%) and longer lengths of stay (55%).

“For the second consecutive year, we found that the four types of analyzed attacks show a direct negative impact on patient safety and wellbeing,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Our findings also show that more IT and security professionals view their organization as vulnerable to each type of attack, compared to 2022. These attacks are also putting an even greater strain on resources than last year—costing on average 13% more overall and 58% more in the time required to ensure the impact on patient care was corrected.”

Ransomware remains an ever-present threat to healthcare organizations

54% of respondents say their organization suffered a ransomware attack, up from 41% in 2022. However, ransomware fell to the bottom of threat concerns, with only 48% of respondents saying this threat concerns them the most, compared to 60% last year. The number of surveyed organizations making a ransom payment also dropped, from 51% in 2022 to 40% this year.

However, the average total cost for the highest ransom payment spiked 29% to $995,450. Further, 68% said the ransomware attack resulted in a disruption to patient care, with most (59%) citing delays in procedures and tests that resulted in poor outcomes.

43% of respondents say a data loss or exfiltration incident impacted patient care; of those, 46% experienced increased mortality rates and 38% saw increased complications from medical procedures. Organizations experienced 19 such incidents on average, with malicious insiders the most likely cause (identified by 32% of respondents).

Only 63% of respondents expressed concern about the vulnerability of their organization to supply chain attacks, compared to 71% last year. At the same time, 64% of respondents say their organizations’ supply chains were attacked an average of four times and 77% of those that suffered a supply chain attack saw disruption in patient care, an increase from last year’s 70%.

74% of survey participants view their organization as most vulnerable to a cloud compromise, on par with last year’s 75%. However, a higher number are concerned about the threats posed by the cloud: 63% vs. 57% in 2022. Cloud compromise, in fact, rose to the top as the most concerning threat this year from fifth place last year.

BEC/spoofing concerns increased significantly

The number of respondents concerned about BEC/spoofing jumped to 62% from last year’s 46%. 54% of organizations experienced five of these types of incidents on average. The growing concern may reflect the finding that BEC/spoofing attacks are more likely than others to result in poor outcomes due to delayed procedures (71%), increased complications from procedures (56%), and lengthier stays (55%).

Although the number of organizations concerned about BEC/spoofing phishing grew, only 45% take steps to prevent and respond to this type of attack. Similarly, despite the prevalence of disruptions to patient care from supply chain attacks, only 45% of organizations have documented steps to respond to them.

Respondents identified lack of in-house expertise and insufficient staffing as the two biggest challenges to keeping their organization’s cybersecurity posture from being fully effective, and more organizations feel this challenge this year: 58% noted lack of expertise as a challenge vs. 53% in 2022, and 50% identified insufficient staffing vs. 46% last year.

“While the healthcare sector remains highly vulnerable to cyberattacks, I’m encouraged that industry executives understand how a cyber event can adversely impact patient care. I’m also more optimistic that significant progress can be made to protect patients from the physical harm that such attacks may cause,” said Ryan Witt, chair, Healthcare Customer Advisory Board at Proofpoint. “Our survey shows that healthcare organizations are already aware of the cyber risks they face. Now they must work together with their industry peers and embrace governmental support to build a stronger cybersecurity posture—and consequently, deliver the best patient care possible.”