Healthcare Ransomware Attacks Lead to Increased Patient Mortality

One in four healthcare organizations reported increased patient mortality rates resulting from ransomware attacks, a new Ponemon Institute study reveals.

Financial strain, care disruptions, and time-consuming recovery operations often result from healthcare ransomware attacks, but new research revealed that increased patient mortality is also likely in the aftermath of a cyberattack.

The study, commissioned by Censinet and conducted by the Ponemon Institute, compiled survey responses from 597 healthcare organizations including regional health systems, community hospitals, and integrated delivery networks.

One in four respondents reported increased patient mortality rates after ransomware attacks.

COVID-19 has only exacerbated the disastrous effects of ransomware attacks. Over 60 percent of respondents reported having little to no confidence that their organization could mitigate the risks of ransomware, compared to 55 percent before COVID-19.

Prior research revealed that the costs of a healthcare data breach have skyrocketed since the onset of the pandemic, incurring an average cost of $9.23 million per incident. But little was known about the impacts that data security incidents can have on patient safety.

Over 70 percent of survey respondents reported that healthcare ransomware attacks led to a longer length of stay and delays in procedures and tests that resulted in poor outcomes. About 65 percent of respondents reported an increase in the number of patients being diverted to other facilities, and 36 percent reported an increase in complications from medical procedures.

The study also found that healthcare organizations are increasingly relying on third-party business associates to digitize and distribute health information and supply medical devices. Respondents reported contracting with an average of 1,950 third parties, and this average is expected to increase to 2,541 over the next 12 months.

Working with external business associates comes with its own set of risks for healthcare delivery organizations (HDOs).

“Some risks are inherent to the third party such as secure operating systems and other software in medical devices,” according to the study. “Other risks involve how the HDOs deploy and use third parties, including storing protected health information (PHI) on cloud-based systems that weren’t meant to support it. In either case, the risk created by the third party or the HDO use of the third party needs to be managed.”

Only 40 percent of respondents said that their organization always completes a risk assessment of its third-party vendors prior to signing a contract. Over 35 percent of respondents stated that when assessments are done, they are often ignored by leaders.

Recent research showed that business associates are increasingly likely targets for healthcare ransomware attacks. They often do not have the same technical safeguards in place to combat the attacks.

The Ponemon Institute’s report recommended that healthcare organizations conduct regular risk assessments and reassessments of third-party vendors, secure medical devices, and allocate resources and funding to cybersecurity.

Organizations should also consider investing in workflow automation tools and establishing a digital inventory of all third-party vendors and protected health information (PHI) records. The report also emphasized the importance of assigning risk accountability and ownership to one role to ensure a cohesive, enterprise-wide risk management strategy.