
Report explores effects of cyberattacks on patient care

Surveyed healthcare security practitioners reported several negative effects of cyberattacks on patient care, including patient safety and care delivery risks.

More than 90% of surveyed health IT security practitioners experienced at least one cyberattack in the past 12 months at their organization, and 69% of respondents self-reported negative effects of cyberattacks on patient care, Proofpoint-sponsored research by Ponemon Institute revealed.

Ponemon Institute surveyed 648 IT and IT security professionals at healthcare organizations to compose its third annual report on the effects of cybersecurity on patient safety and care. Respondents reported delays in tests and procedures, increased complications from medical procedures, an increase in patient diversions to other facilities, longer lengths of stay and increased mortality rates.

Of the four attack types studied in the report -- cloud account compromise, supply chain attacks, ransomware and business email compromise -- respondents reported the most patient safety effects stemming from supply chain attacks. More than 65% of respondents said their organizations reported an average of four attacks against their supply chains in the past two years, and 82% said the attacks resulted in disruption to patient care. That figure is up from 77% in 2023.

Ransomware remains a top threat to healthcare, but just 54% of survey respondents reported believing their organizations were vulnerable or highly vulnerable to ransomware attacks, compared to 64% in 2023. Fewer organizations reported paying ransoms in the 2024 report, but the ransom amount paid went up by 10% to an average of $1.09 million.

In the aftermath of a cyberattack, respondents reported high rates of data loss or exfiltration. More than 90% of organizations suffered at least two data loss incidents in the last two years that involved confidential healthcare data. Those organizations said that the attacks caused delays in procedures and tests, resulting in poor patient outcomes.

As cyberattacks continue to trouble the healthcare sector, 55% of health IT security professionals reported believing that they lack in-house expertise, and 49% of respondents said they lack clear leadership. Although reports of leadership challenges increased, budgets did as well. The average annual budget for IT increased to $66 million, up 12% year-over-year. Ponemon Institute also observed an increase in actions by healthcare organizations to reduce the security risks caused by employees. Nearly 60% of respondents said they conduct regular training programs.

"This report underlines that cyber safety is patient safety; protecting healthcare systems and medical data from cyber attacks is critical to ensuring continuity in patient care and avoiding disruption of critical services," Ryan Witt, chair of the healthcare customer advisory board at Proofpoint, said in a press release.

"And while security awareness is foundational, driving sustained behavior change through programs tailored to specific roles and responsibilities will help support both organizational and patient safety."

Respondents reported using antivirus tools, encryption for data in transit, privileged access management, and other tools to mitigate risk. While security actions are improving, the report showed room for improvement in enhancing IT security leadership, reducing patient safety risks, and preventing cyberattacks.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
