Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023

A strong cybersecurity posture in healthcare organizations is important to not only safeguard sensitive patient information but also to deliver the best possible medical care. This study was conducted to determine if the healthcare industry is making progress in achieving these two objectives.

With sponsorship from Proofpoint, Ponemon Institute surveyed 653 IT and IT security practitioners in healthcare organizations who are responsible for participating in such cybersecurity strategies as setting IT cybersecurity priorities, managing budgets and selecting vendors and contractors.

The report, “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023,” found that 88% of the surveyed organizations experienced an average of 40 attacks in the past 12 months. The average total cost of a cyber attack experienced by healthcare organizations was $4.99 million, a 13% increase from the previous year.

Among the organizations that suffered the four most common types of attacks—cloud compromise, ransomware, supply chain, and business email compromise (BEC)—an average of 66% reported disruption to patient care. Specifically, 57% reported poor patient outcomes due to delays in procedures and tests, 50% saw an increase in medical procedure complications, and 23% experienced increased patient mortality rates. These numbers reflect last year’s findings, indicating that healthcare organizations have made little progress in mitigating the risks of cyber attacks on patient safety and wellbeing.

According to the research, 88 percent of organizations surveyed experienced at least one cyberattack in the past 12 months. For organizations in that group, the average number of cyberattacks was 40. We asked respondents to estimate the single most expensive cyberattack experienced in the past 12 months from a range of less than $10,000 to more than $25 million. Based on the responses, the average total cost for the most expensive cyberattack was $4,991,500, a 13 percent increase over last year. This included all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunities.

At an average cost of $1.3 million, disruption to normal healthcare operations because of system availability problems was the most expensive consequence of the cyberattack, an increase from an average of $1 million in 2022. Users’ idle time and lost productivity because of downtime or system performance delays cost an average of $1.1 million, the same as in 2022. The cost of the time required to ensure the impact on patient care was corrected increased from an average of $664,350 in 2022 to $1 million in 2023.

“While the healthcare sector remains highly vulnerable to cybersecurity attacks, I’m encouraged that industry executives understand how a cyber event can adversely impact patient care. I’m also more optimistic that significant progress can be made to protect patients from the physical harm that such attacks may cause,” said Ryan Witt, chair, Healthcare Customer Advisory Board at Proofpoint. “Our survey shows that healthcare organizations are already aware of the cyber risks they face. Now they must work together with their industry peers and embrace governmental support to build a stronger cybersecurity posture—and consequently, deliver the best patient care possible.”

The report analyzes four types of cyberattacks and their impact on healthcare organizations, patient safety and patient care delivery:

Cloud compromise. The most frequent attacks in healthcare are against the cloud, making it the top cybersecurity threat, according to respondents. Seventy-four percent of respondents say their organizations are vulnerable to a cloud compromise. Sixty-three percent say their organizations have experienced at least one cloud compromise. In the past two years, organizations in this group experienced 21 cloud compromises. Sixty-three percent say they are concerned about the threat of a cloud compromise, an increase from 57 percent.

Business email compromise (BEC)/spoofing phishing. Concerns about BEC attacks have increased significantly. Sixty-two percent of respondents say their organizations are vulnerable to a BEC/spoofing phishing incident, an increase from 46 percent in 2022. In the past two years, the frequency of such attacks increased as well from an average of four attacks to five attacks.

Ransomware. Ransomware has declined as a top cybersecurity threat. Sixty-four percent of respondents believe their organizations are vulnerable to a ransomware attack. However, concern about ransomware has decreased from 60 percent in 2022 to 48 percent in 2023. In the past two years, organizations that had ransomware attacks (54 percent of respondents) experienced an average of four such attacks, an increase from three attacks. While fewer organizations paid the ransom (40 percent in 2023 vs. 51 percent in 2022), the ransom paid increased nearly 30 percent, from an average of $771,905 to $995,450.

Supply chain attacks. Organizations are vulnerable to a supply chain attack, according to 63 percent of respondents. However, only 43 percent say this cyber threat is of concern to their organizations. On average, organizations experienced four supply chain attacks in the past two years.

As in the previous report, an important part of the research is the connection between cyberattacks and patient safety. Following are trends in how cyberattacks have affected patient safety and patient care delivery.

  • It is more likely that a supply chain attack will affect patient care. Sixty-four percent of respondents say their organizations had an attack against their supply chains. Seventy-seven percent of those respondents say it disrupted patient care, an increase from 70 percent in 2022. Patients were primarily impacted by delays in procedures and tests that resulted in poor outcomes such as an increase in the severity of an illness (50 percent) and a longer length of stay (48 percent). Twenty-one percent say there was an increase in mortality rate.
  • A BEC/spoofing attack can disrupt patient care. Fifty-four percent of respondents say their organizations experienced a BEC/spoofing incident. Of these respondents, 69 percent say a BEC/spoofing attack against their organizations disrupted patient care, a slight increase from 67 percent in 2022. And of these 69 percent, 71 percent say the consequences caused delays in procedures and tests that have resulted in poor outcomes while 56 percent say it increased complications from medical procedures.
  • Ransomware attacks can cause delays in patient care. Fifty-four percent of respondents say their organizations experienced a ransomware attack. Sixty-eight percent of respondents say ransomware attacks have a negative impact on patient care. Fifty-nine percent of these respondents say patient care was affected by delays in procedures and tests that resulted in poor outcomes and 48 percent say it resulted in longer lengths of stay, which affects organizations’ ability to care for patients.
  • Cloud compromises are least likely to disrupt patient care. Sixty-three percent of respondents say their organizations experienced a cloud compromise, but less than half (49 percent) say cloud compromises disrupted patient care. Of these respondents, 53 percent say these attacks increased complications from medical procedures and 29 percent say they increased mortality rate. 
  • Data loss or exfiltration disrupts patient care and can increase mortality rates. All organizations in this research had at least one data loss or exfiltration incident involving sensitive and confidential healthcare data in the past two years. On average, organizations experienced 19 such incidents in the past two years and 43 percent of respondents say they impacted patient care. Of these respondents, 46 percent say it increased the mortality rate and 38 percent say it increased complications from medical procedures. 

Other key trends in cyber insecurity

Concerns about threats related to employee behaviors increased significantly. Substantially more organizations are now worried about the security risks created by employee-owned devices (BYOD): 61 percent of respondents in 2023, an increase from 34 percent in 2022. Concerns about BEC/spoof phishing increased from 46 percent to 62 percent in 2023.

Disruption to normal healthcare operations because of system availability problems increased to $1.3 million from $1 million in 2022. Users’ idle time and lost productivity because of downtime or system performance delays averaged $1.1 million. The cost of the time taken to ensure impact on patient care was corrected increased to $1 million in 2023 from $664,350 in 2022.

Accidental data loss is the second highest cause of data loss and exfiltration. Accidental data loss can occur in many ways, such as employees misplacing or losing devices that contain sensitive information, or mistakes made when employees are emailing documents with sensitive information. Almost half of respondents (47 percent) say their organizations are very concerned that employees do not understand the sensitivity and confidentiality of documents they share by email.

More progress is needed to reduce the risk of data loss or exfiltration. All healthcare organizations in this research have experienced at least one data loss or exfiltration incident involving sensitive and confidential healthcare data. The average number of such incidents is 19.

Cloud-based user accounts/collaboration tools that enable productivity are most often attacked. Fifty-three percent of respondents say project management tools and Zoom/Skype/video conferencing tools were attacked at some point.

Organizations continue to deploy a combination of approaches to user access and identity management in the cloud (56 percent of respondents). These include separate identity management interfaces for the cloud and on-premises environments, unified identity management interfaces for both the cloud and on-premises environments, and deployment of single sign-on.

The lack of preparedness to stop BEC/spoof phishing and supply chain attacks puts healthcare organizations and patients at risk. While BEC/spoof phishing is considered a top cybersecurity threat, only 45 percent of respondents say their organizations include steps to prevent and respond to such an attack as part of their cybersecurity strategy. Similarly, only 45 percent say their organizations have documented the steps to prevent and respond to attacks in the supply chain. Malicious insiders are seen as the number one cause of data loss and exfiltration; however, only 32 percent say they are prepared to prevent and respond to the threat.

The primary deterrents to achieving an effective cybersecurity posture are a lack of in-house expertise, staffing and budget. Fifty-eight percent of respondents, an increase from 53 percent in 2022, say their organizations lack in-house expertise and 50 percent say insufficient staffing is a challenge. Those citing insufficient budget increased from 41 percent to 47 percent in 2023.

Security awareness training programs continue to be the primary step taken to reduce the insider risk. Negligent employees pose a significant risk to healthcare organizations. More organizations (65 percent in 2023 vs. 59 percent of respondents in 2022) are taking steps to address the risk of employees’ lack of awareness about cybersecurity threats. Of these respondents, 57 percent say they conduct regular training and awareness programs. Fifty-four percent say their organizations monitor the actions of employees.

The use of identity and access management solutions to reduce phishing and BEC attacks has increased from 56 percent of respondents in 2022 to 65 percent in 2023. The use of domain-based message authentication (DMARC) increased from 38 percent in 2022 to 43 percent in 2023.
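The report counts DMARC adoption but does not show what a deployed policy looks like or why "having DMARC" is not the same as enforcing it. The following is an added example, not code from the Proofpoint/Ponemon report: it parses a DMARC TXT record as laid out in RFC 7489 and rates the policy the way a defender reviewing their own domain would (monitoring only, partial, or enforcing). The DNS answers in CONSTRUCTED_DNS and the example.* domains are constructed placeholders; a real check would resolve the `_dmarc.<domain>` TXT record with a DNS library and pass that lookup function in.

```python
"""Parse and rate a DMARC policy record (RFC 7489).

Added example, not code from the Proofpoint/Ponemon report. The DNS answers in
CONSTRUCTED_DNS are made up for illustration; the example.* domains are
placeholders, not surveyed organizations.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcRecord:
    policy: str                       # p=  : what receivers do with mail that fails DMARC
    subdomain_policy: str             # sp= : the same for subdomains (defaults to p=)
    pct: int = 100                    # pct=: share of failing mail the policy applies to
    aggregate_reports: List[str] = field(default_factory=list)  # rua= URIs
    forensic_reports: List[str] = field(default_factory=list)   # ruf= URIs


def _split_uris(value: str) -> List[str]:
    """rua=/ruf= hold comma-separated URIs (usually mailto:)."""
    return [u.strip() for u in value.split(",") if u.strip()]


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse a DMARC TXT record; raise ValueError if it is malformed."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        tags.append((name, value))
    # RFC 7489 section 6.3: "v=DMARC1" must be the first tag and "p=" is required.
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    found = dict(tags)
    if found.get("p") not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {found.get('p')!r}")
    pct = int(found.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct= out of range: {pct}")
    sp = found.get("sp", found["p"])
    if sp not in VALID_POLICIES:
        raise ValueError(f"invalid sp= tag: {sp!r}")
    return DmarcRecord(
        policy=found["p"],
        subdomain_policy=sp,
        pct=pct,
        aggregate_reports=_split_uris(found.get("rua", "")),
        forensic_reports=_split_uris(found.get("ruf", "")),
    )


# Constructed DNS answers standing in for a real TXT lookup of _dmarc.<domain>.
CONSTRUCTED_DNS = {
    "_dmarc.example.org": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:reports@example.net",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; pct=25; sp=none",
}


def assess_domain(domain: str,
                  lookup: Callable[[str], Optional[str]] = CONSTRUCTED_DNS.get) -> dict:
    """Rate a domain's DMARC posture and list the findings a defender would act on."""
    txt = lookup(f"_dmarc.{domain}")
    if txt is None:
        return {"rating": "missing",
                "findings": ["no _dmarc record: mail claiming this domain is not policed"]}
    try:
        rec = parse_dmarc(txt)
    except ValueError as err:
        return {"rating": "invalid", "findings": [f"unparseable record: {err}"]}
    findings = []
    if rec.policy == "none":
        rating = "monitoring"
        findings.append("p=none: failing mail is still delivered; receivers only report")
    elif rec.pct < 100:
        rating = "partial"
        findings.append(f"pct={rec.pct}: policy applies to only {rec.pct}% of failing mail")
    else:
        rating = "enforcing"
    if rec.subdomain_policy == "none" and rec.policy != "none":
        findings.append("sp=none: subdomains are unenforced even though the parent domain is")
    if not rec.aggregate_reports:
        findings.append("no rua=: no aggregate reports, so authentication failures go unseen")
    return {"rating": rating, "findings": findings}


if __name__ == "__main__":
    for name in ("example.org", "example.net", "example.com", "example.invalid"):
        result = assess_domain(name)
        print(f"{name:16} {result['rating']:10} {'; '.join(result['findings'])}")
```

The rating distinguishes the three states the adoption statistic lumps together: a record with `p=none` only generates reports, `pct` below 100 leaves most spoofed mail untouched, and `sp=none` quietly exempts every subdomain. Only `p=quarantine` or `p=reject` at `pct=100` with a `rua=` address actually stops BEC-style spoofing of the domain and tells the owner when it is attempted.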

To read the full report, download it from Proofpoint’s website.
