As the Ponemon Institute found out in a study, cyber attacks lead to an increased mortality rate in more than 20 percent of affected US healthcare facilities. Cyber attacks result in delays in treatment or testing. That costs lives.
Proofpoint, Inc., one of the leading next-generation cybersecurity and compliance companies, and the Ponemon Institute, a leading IT security research institute, present the results of a new study on the consequences of cyber attacks in healthcare. The report, titled "Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care," found that 89 percent of organizations surveyed had experienced an average of 12 attacks over the past 43 months -- nearly one attack per week. More than 20 percent of organizations affected by the four most common attack types (cloud compromise, ransomware, supply chain attack, or business email compromise (BEC)) saw an increase in patient mortality.
Many attacks = increased patient mortality
641 healthcare IT and security professionals were interviewed for the study. According to the study, delays in treatment and testing are the most common consequences of attacks. This results in poorer patient outcomes for 57 percent of US healthcare providers and increased complications from medical procedures for nearly half. The type of attack most likely to negatively impact patient care is ransomware. It causes delays in treatment or testing for 64 percent of organizations and longer patient stays for 59 percent of organizations.
"The attacks we analyzed place a significant drain on healthcare resources. Not only do they generate enormous costs, but they also have a direct impact on patient care and put people's safety and well-being at risk," said Larry Ponemon, Chairman and Founder of the Ponemon Institute. "Most IT and security professionals consider their organizations vulnerable to these attacks, and two-thirds believe that technologies such as cloud computing, mobile computing, big data and the IoT continue to exacerbate risks to patient data and security."
Important results of the study:
- The insecure Internet of Medical Things (IoMT) is a big problem. On average, healthcare organizations have more than 26.000 devices connected to the network. Although 64 percent of respondents are concerned about the security of medical devices, only 51 percent include them in their cybersecurity strategy.
- healthcare companies feel both most vulnerable and best prepared for cloud risks. 75 percent of respondents said their organization is at risk from cloud attacks, and 54 percent confirmed their organization had been hit by a successful cloud attack at least once in the last two years. The companies in this group have faced an average of 22 such cases over the past two years. On the one hand, they are most at risk, but on the other they are the best prepared for a cloud breach: 63 percent of the respondents are focused on taking measures to prepare for and respond to these attacks.
- Ransomware is the second biggest threat. 72 percent of respondents believe their organizations are at risk from ransomware attacks, and 60 percent say this type of attack worries them the most. Accordingly, 62 percent have taken measures to prevent and respond to ransomware attacks.
- Poor preparation puts patients at risk. Although 71 percent of respondents think they are at risk from supply chain attacks and 64 percent feel the same about BEC and phishing, only 44 percent and 48 percent, respectively, have a defined method of responding to these attacks.
- The financial damage caused by cyber attacks is enormous. The most costly cyberattack cost affected organizations an average of $12 million over the past 4,4 months, with lost productivity having the largest financial impact ($1,1 million).
Training and awareness programs as well as monitoring of employees are the most important protective measures. Organizations are increasingly realizing that careless and neglectful employees pose a significant risk. Fifty-nine percent are taking action to address employee awareness, with 59 percent conducting regular training and awareness programs and 63 percent monitoring employee activity. - Lack of financial means and resources remain a challenge. 53 percent of participants said a lack of in-house expertise is a challenge, and 46 percent said they have insufficient staff, both of which factors negatively impact cybersecurity.
Weak points must be eliminated
“Compared to other industries, healthcare has traditionally lagged behind when it comes to eliminating weak points. And that inaction has a direct negative impact on patient safety and health,” said Ryan Witt, Healthcare Cybersecurity Leader at Proofpoint. “As long as cybersecurity is a lower priority, healthcare providers will be putting their patients at risk. To avoid fatal repercussions, healthcare organizations need to understand how cybersecurity is affecting their patient care and take steps to protect people and data.”
More at Proofpoint.com
About Proofpoint Proofpoint, Inc. is a leading cybersecurity company. The focus for Proofpoint is the protection of employees. Because these mean the greatest capital for a company, but also the greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data, and educate enterprise IT users about the risks of cyberattacks.