HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Study Confirms Increase in Mortality Rate and Poorer Patient Outcomes After Cyberattacks

A recent study has revealed that more than 20% of healthcare organizations experienced an increase in mortality rate after a significant cyberattack, and more than half of surveyed healthcare organizations (57%) said they experienced poorer patient outcomes, with almost half reporting an increase in medical complications. The most common consequences of the attacks that contributed to poorer patient outcomes were delays to procedures and tests.

The study was conducted by the Ponemon Institute on behalf of the cybersecurity firm Proofpoint and surveyed 641 healthcare IT and security practitioners in the United States; the findings are detailed in the report, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care. The findings mirror those of a previous Ponemon Institute study conducted in 2021 on behalf of Censinet. That study surveyed 597 healthcare respondents, one-fifth (22%) of whom said they experienced an increase in their mortality rates following a ransomware attack.

The latest study used a broader definition of cyberattack that covers the four most common types of attack – cloud compromise, ransomware, business email compromise/phishing, and supply chain attacks – and its results indicate that it is not only ransomware attacks that negatively affect patient outcomes. Ransomware attacks result in file encryption, which can take critical IT systems out of action, but healthcare organizations are also frequently forced to shut down IT systems to contain an attack. The recovery time from a ransomware attack is typically longer than for other types of attack, and the survey established that ransomware attacks have the biggest impact of the four most common attack types: 64% of surveyed healthcare organizations said they experienced delays in medical tests and procedures following a ransomware attack, and 59% said the attacks resulted in longer patient stays.

It should be noted that both studies established a correlation between the most damaging types of cyberattack and adverse patient outcomes but did not prove causation. Further studies are needed to establish exactly which aspects of the attacks have the biggest negative impact on patient outcomes and lead to an increase in mortality rate.

“The attacks we analyzed put a significant strain on healthcare organizations’ resources. Their result is not only tremendous cost but also a direct impact on patient care, endangering people’s safety and wellbeing,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Most of the IT and security professionals regard their organizations as vulnerable to these attacks, and two-thirds believe that technologies such as cloud, mobile, big data, and the Internet of Things—which are all seeing increased adoption—further increase the risks to patient data and safety.”

The Proofpoint survey also showed the extent to which healthcare organizations are being attacked: 89% of surveyed organizations experienced an average of 43 attacks in the past 12 months, although how many of those attacks were successful is unclear. Cyberattacks on healthcare organizations also have a significant financial impact. A previous study, conducted by the Ponemon Institute on behalf of IBM Security, found the average cost of a cyberattack has increased to $4.4 million, with the healthcare industry having the highest breach costs of all industry sectors; the average cost of a healthcare data breach rose to $10.1 million.

Healthcare Cybersecurity Challenges and Biggest Security Risks

One of the biggest challenges faced by healthcare organizations is recruiting the talent needed to defend against attacks: the lack of in-house expertise was rated a major challenge by 53% of respondents, and 46% said they lacked sufficient cybersecurity staffing. Both factors had a negative effect on organizations’ security posture.

Respondents were asked about their biggest security concerns, and one of the main worries was medical device security. On average, healthcare organizations have 26,000 medical devices connected to their networks. These devices were considered a cybersecurity risk by 64% of respondents, yet only 51% said they included them in their cybersecurity strategy.

The biggest perceived vulnerability was cloud compromise, with 75% of respondents saying they were vulnerable to cloud compromise and 72% saying they were vulnerable to ransomware attacks. 54% of organizations said they had experienced a cloud compromise in the past 2 years, and those organizations experienced an average of 22 such compromises; 64% of organizations said they had taken steps to prepare for and respond to those attacks. 60% of organizations said they were most concerned about ransomware attacks, and 62% said they had taken steps to prevent and respond to them.

71% of organizations said they were vulnerable to supply chain attacks and 64% felt vulnerable to BEC and spoofing/phishing attacks, yet only 44% and 48%, respectively, said they had documented response plans for these attacks.

Defending Against Healthcare Cyberattacks

Cyberattacks on the healthcare industry are increasing in number and sophistication. The key to protecting against these attacks is a defense-in-depth approach with multiple overlapping layers of protection. It is also important to have a documented and practiced incident response plan in place for each major type of attack, as a lack of preparedness for responding to cyberattacks can put patient safety at risk. Having an incident response plan in place, in which everyone involved in the response knows their roles and responsibilities, can shorten recovery time considerably, which limits the negative impact on patients and reduces the financial cost. Having consultants and cybersecurity firms in place that fully understand an organization’s infrastructure is a huge advantage and ensures the fastest possible response in the event of a successful attack.

While cyberattacks can be sophisticated, they often start with a social engineering or phishing attack, so the importance of employee education cannot be overstated. All employees should be made aware of what good cyber hygiene entails, and they should be trained to recognize social engineering and phishing attacks. Providing regular security awareness training and testing employees with phishing simulations can significantly reduce risk over time.

“Healthcare has traditionally fallen behind other sectors in addressing vulnerabilities to the growing number of cybersecurity attacks, and this inaction has a direct negative impact on patients’ safety and wellbeing,” said Ryan Witt, healthcare cybersecurity leader, Proofpoint. “As long as cybersecurity remains a low priority, healthcare providers will continue to endanger their patients. To avoid devastating consequences, healthcare organizations must understand how cybersecurity affects their patient care and take the steps toward better preparedness that protects people and defends data.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.