Now in its third year, the Ponemon Institute and Proofpoint’s healthcare cybersecurity study sought to determine whether the healthcare industry has made progress in maintaining care delivery in the face of four types of pervasive cyberattacks – cloud, supply chain, ransomware and business email breaches.
Although respondents said attacks had a direct negative impact on patient safety, fewer said they did not have enough budget to improve cybersecurity, a 7% decline from last year. However, since 2023, the share of respondents citing a lack of security leadership has increased significantly – from 14% to 49%.
“The good news, however, is that the healthcare industry appears to be increasingly recognizing the importance that cybersecurity plays in patient outcomes; on average, IT budgets have increased, and fewer IT professionals indicate that their budget is a challenge when it comes to keeping their organization’s cybersecurity posture fully effective,” Larry Ponemon, president and founder of the Ponemon Institute, said in a statement.
The report found that the average annual budget increased by 12% year over year, and IT budgets increased to an average of $66 million.
WHY IT’S IMPORTANT
For the new report, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2024, researchers surveyed 648 IT and IT security professionals in U.S. healthcare organizations and found that 92% had experienced at least one cyberattack during the last 12 months, compared to 88% the previous year.
The average number of cyberattacks organizations experienced was 40. When asked to estimate the cost of the single most expensive cyberattack over the past 12 months, the average total cost was over $4.7 million, down 5% from last year.
Most healthcare organizations that experienced corporate email (69%) and ransomware (61%) breaches reported delays in procedures and testing, researchers said. Longer stays, increased complications, patient distraction and increased mortality rates were also cited as the main impacts of all types of cyberattacks analyzed.
When it comes to supply chain attacks, 68% of respondents said their organizations had experienced at least one, and 82% of those organizations reported disruptions to patient care, a 5% increase from last year.
Notably, respondents’ concerns about insecure mobile apps increased to 59%, up from 51% in 2023, lagging behind insecure medical devices (64%) and ahead of cloud threats (57%) and employee errors (58%).
For the 36% of respondents who said their organizations had paid a ransom – down 7% this year from last year – payouts increased 10% to an average of $1.1 million. Last year’s survey found that the most common impact of ransomware was an increase in the number of patients transferred or referred to other facilities, reported by 70% of respondents, up from 65% in 2022.
In this year’s study, researchers looked at the impact of artificial intelligence for the first time. More than half (54%) of respondents said their organizations had built AI into cybersecurity (28%), and 57% said AI was very effective in improving their organization’s cybersecurity posture.
A BIGGER TREND
When the institute discovered a link between ransomware and increased patient mortality in 2021, many healthcare leaders saw it as an urgent wake-up call for the industry to change its cybersecurity and third-party risk programs.
Data loss and exfiltration continue to impact patient mortality and remain a concern. About 92% of the institute’s respondents this year said they had experienced at least two sensitive data losses in the past two years. More than half (51%) said disruptions in patient care increased mortality rates in their organizations.
Last year, the institute looked at benchmarks for risk-mitigation resources, such as staffing investments for growing third-party risk oversight and funding for new cyber-readiness technologies. Through November, vendors reported significant increases in their 2024 IT budget.
ON THE RECORD
“Over the past two years, by far, most cyberattacks have targeted user accounts in the cloud,” Ponemon researchers said. “Text messaging and email are the two most frequently attacked user accounts/cloud collaboration tools.”
“An effective cybersecurity approach that focuses on stopping human-targeted attacks is critical for healthcare organizations not only to protect confidential patient information, but also to maintain the highest quality of care,” said Ryan Witt, chairman of the Advisory Board Healthcare Clients at Proofpoint, in a statement.