78% of Surveyed Healthcare Organizations Experienced a Cybersecurity Incident in Last Year

More than 60 percent of respondents reported a moderate or substantial impact on care delivery due to a cybersecurity incident, Claroty found.

More than three-quarters of surveyed healthcare professionals reported experiencing at least one cybersecurity incident at their organizations in the last year, Claroty revealed in its “Global Healthcare Cybersecurity Study 2023.”

Using Pollfish, Claroty surveyed 1,100 individuals across North America, South America, APAC, and Europe who work full-time in cybersecurity, biomedical engineering, information systems, clinical engineering, risk, or networking.

Of the cyberattacks experienced by surveyed healthcare organizations in the last year, 60 percent reportedly had a moderate or substantial impact on care delivery. What’s more, 30 percent of respondents reported that sensitive data such as protected health information (PHI) was impacted.

More than a quarter of organizations that experienced ransomware attacks paid the ransom, and more than a third of respondents reported upwards of $1 million in recovery costs.

Despite these troubling figures, respondents seemed to have a clear idea of what threats to prioritize next. Patching medical device vulnerabilities, improving asset inventory management, and segmenting medical devices were among the top priority areas. What’s more, 51 percent of respondents globally reported an increase in security budgets over the last year.

In addition, respondents reported a great deal of value in various security frameworks and federal guidance.

“As healthcare organizations undergo digital transformation and technological innovation revolutionizes the industry, regulatory requirements become increasingly complex and are frequently evolving. Keeping up with standards and understanding guidelines can be challenging, but the survey shows that organizations hold these regulations in high regard and value the guidance,” the report noted.

“Both the NIST and the HITRUST Cybersecurity Frameworks top the list as the most important standards to respondents on a global basis.”

The results revealed a widespread consensus about the state of healthcare cybersecurity – there is a lot of work to be done to get the healthcare sector into a good place when it comes to effectively managing cyber risk. However, ongoing barriers to progress, including the cybersecurity workforce shortage and the need for increased standards and regulations, are holding the sector back.

For example, more than 70 percent of respondents said that their organizations were looking to hire, but 80 percent said that finding qualified candidates was difficult. In terms of government regulations, 43 percent of North American respondents reported wanting to see the development of a comprehensive cybersecurity strategy, and 40 percent voiced a desire for the government to enhance its response to cyber incidents.

“The healthcare industry has a lot working against it on the cybersecurity front—a rapidly expanding attack surface, outdated legacy technology, budget constraints and a global cyber talent shortage,” said Yaniv Vardi, CEO of Claroty.

“Our research shows that healthcare organizations need the full support of the cyber industry and regulatory bodies in order to defend medical devices from mounting threats and protect patient safety.”
