In the third year of the healthcare cybersecurity study, conducted by the Ponemon Institute and Proofpoint, the aim was to determine whether the healthcare industry saw progress in maintaining healthcare delivery in the face of four types of ubiquitous cyberattacks: cloud compromise, supply chain, ransomware and business email compromise.
While respondents felt that attacks had a direct negative impact on patient safety, fewer respondents said they did not have enough budget to improve cybersecurity, representing a 7% decrease from last year’s results. However, the number of people citing a lack of safety leadership has increased significantly since 2023 – from 14% to 49%.
“The good news, however, is that the healthcare industry appears to be increasingly recognizing the importance that cybersecurity plays in patient outcomes; on average, IT budgets have increased, and fewer IT professionals report a budget challenge that prevents them from making their organization’s cybersecurity posture fully effective,” said Larry Ponemon, president and founder of the Ponemon Institute, in a statement.
The average annual budget increased 12% year-over-year and IT budgets increased to an average of $66 million, according to the report.
WHY IT’S IMPORTANT
For the new report, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2024, researchers surveyed 648 IT and IT security professionals at US healthcare organizations and found that 92% had experienced at least one cyber attack in the past twelve months, up from 88% the previous year.
The average number of cyber attacks that organizations said they had experienced was 40. When asked to estimate the most expensive cyber attack in the past 12 months, the average total cost was over $4.7 million – a decrease of 5% from last year.
Most healthcare organizations that experienced business email compromises (69%) and ransomware (61%) reported delays in procedures and tests, the researchers said. Longer lengths of stay, increased complications, patient diversion and increases in mortality rates were also cited as major impacts for all types of cyber attacks analyzed.
When it comes to supply chain attacks, 68% of respondents said their organizations had experienced at least one, and 82% of those organizations reported disruptions to patient care, up 5% from last year.
Notably, respondents’ concerns about insecure mobile apps have increased to 59%, up from 51% in 2023, falling behind unsafe medical devices (64%) and ahead of cloud compromises (57%) and employee errors (58%).
For the 36% of respondents who said their organization paid for ransomware – 7% less this year than last – payouts rose 10%, to an average of $1.1 million. Last year’s survey found that the most common impact of ransomware on lives was an increase in the number of patients transferred or diverted to other facilities, reported by 70% of respondents, up from 65% in 2022.
For this year’s study, researchers looked at the impact of artificial intelligence for the first time. More than half (54%) of respondents say their organizations have embedded AI in cybersecurity (28%), and 57% say AI is highly effective in improving organizations’ cybersecurity.
THE BIG TREND
When the institute discovered a link between ransomware and increased patient mortality in 2021, many healthcare leaders called it an urgent wake-up call for the industry to transform its cybersecurity and third-party risk programs.
Data loss and exfiltration continue to impact patient mortality and remain a problem. About 92% of the institute’s respondents this year said they had at least two sensitive data loss incidents in the past two years. More than half of them (51%) said there were disruptions in patient care that increased their organizations’ mortality rates.
Last year, the institute looked at benchmarking factors in deploying risk mitigation resources, such as workforce investments in increasing surveillance of third-party risks and funding for new cyber-preparedness technologies. In November, providers reported significant increases in their 2024 IT budget.
ON THE RECORD
“Over the past two years, by far, the majority of cyberattacks have involved cloud-based user accounts,” Ponemon researchers said. “SMS and email were the two most attacked cloud-based user accounts/collaboration tools.”
“An effective cybersecurity approach focused on stopping human-centric attacks is critical for healthcare organizations, not only to protect confidential patient data, but also to maintain the highest quality of medical care,” said Ryan Witt, President of the Healthcare Customer Advisory Board at Proofpoint, in a statement.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.