The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

92% Of U.S. Healthcare Organizations Experienced a Cyberattack in the Past Year

Virtually all healthcare organizations have experienced at least one cyberattack in the past 12 months, according to a recent survey conducted by the Ponemon Institute on behalf of Proofpoint. The survey polled 648 IT and IT security professionals at U.S. healthcare organizations; 92% said their organization had experienced at least one cyberattack in the past year, up from 88% of respondents in 2023.

Among the organizations that experienced a cyberattack this year, the average number of attacks was 40, although many, but not all, were halted before they escalated. 69% of respondents said at least one cyberattack disrupted patient care, 56% said they experienced poor patient outcomes due to delays in procedures and tests, 53% saw an increase in complications from medical procedures, and 28% said the patient mortality rate increased.

Cyberattacks are proving extremely costly for healthcare organizations. Respondents were asked about the single most expensive attack they had experienced. Including all direct cash outlays, direct labor expenses, indirect labor costs, overhead costs, and lost business opportunities, the average cost to the organization was $4,740,000, up 5% from the previous year. Reported losses ranged from $10,000 to more than $25 million.

The biggest single expense was system unavailability caused by the attack, which cost an average of $1.47 million, up 13% from 2023, followed by users' idle time and lost productivity during system downtime, which cost an average of $995,484, down 9.5% from the previous year. The third biggest cost was correcting the impact on patient care, which fell by almost 15% from 2023 to $853,272.

According to Proofpoint's Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2024 report, the most common types of attacks were cloud compromise, ransomware, supply chain attacks, and business email compromise (BEC). Supply chain attacks were experienced by 68% of surveyed organizations, and 82% of those said the attack affected patient care, up from 77% in 2023. Of the four most common attack types, BEC attacks were the most likely to result in poor outcomes due to delayed procedures and tests (69%), followed by ransomware attacks (61%). Ransomware attacks were the most likely of the four to result in longer hospital stays (58%) and in patients being diverted or transferred to other healthcare facilities (52%).

Healthcare organizations consider themselves less exposed to ransomware than they did in 2023: 54% of respondents believe they are vulnerable to ransomware attacks, down from 64% in 2023. 59% of respondents said they had experienced at least one ransomware attack in the past 2 years, with an average of 4 ransomware attacks over that period. Only 36% of attacked organizations paid the ransom, down from 40% in 2023. Despite the fall in the proportion of victims paying, the average ransom payment increased by 10% year-over-year to $1,099,200.

More than 9 out of 10 organizations said they had experienced a data loss or data exfiltration event in the past two years. 51% of respondents said the incident affected patient care, 50% said it caused an increase in the mortality rate, and 37% said it led to delays in procedures or tests that caused poor outcomes. Employees were the root cause of around 20% of those incidents, most often through failure to follow procedures (31%), accidental data loss (26%), and emailing ePHI to the wrong recipients (21%). More organizations are addressing employees' lack of cybersecurity awareness through training (71%), although only 59% said they provide regular training and awareness programs.

For this year's report, Proofpoint also looked at the role of AI and machine learning in healthcare. 28% of respondents said they use AI for cybersecurity, and 26% use AI for both cybersecurity and patient care. More than two-thirds (67%) of IT security professionals who have implemented AI believe it to be very effective at improving their security posture.

“An effective cybersecurity approach centered around stopping human-targeted attacks is crucial for healthcare institutions, not just to protect confidential patient data but also to maintain the highest quality of medical care,” said Ryan Witt, chair, Healthcare Customer Advisory Board at Proofpoint. “This report underlines that cyber safety is patient safety; protecting healthcare systems and medical data from cyber attacks is critical to ensuring continuity in patient care and avoiding disruption of critical services. And while security awareness is foundational, driving sustained behavior change through programs tailored to specific roles and responsibilities will help support both organizational and patient safety.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve's editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or by email at stevealder(at)hipaajournal.com