How Healthcare Cyberattacks Can Impact Patient Safety, Care Delivery

September 08, 2022 - Along with documented financial losses and reputational harm, healthcare cyberattacks may endanger patient safety and adversely impact care delivery.

With the goal of understanding how various healthcare cyberattack types can impact patient safety, Proofpoint commissioned Ponemon Institute to survey IT and IT security professionals in the healthcare sector. The survey included self-reported responses from 641 experts in the field.

Patient Safety Implications

Specifically, researchers focused on four common types of healthcare cyberattacks: ransomware, business email compromise (BEC) attacks, cloud compromises, and supply chain attacks. Nearly 90 percent of all survey respondents said that their organizations had experienced at least one cyberattack in the past 12 months.

Although correlation and causation are difficult to determine with absolute certainty, the results showed that survey respondents with day-to-day experience in the field have felt the tangible impacts a cyberattack can have on patient care at alarming rates.

For example, when asked how a ransomware attack impacted patient safety and care delivery within their organizations, 64 percent of respondents reported delays in procedures and tests.

READ MORE: 5 Security Vulnerabilities Found in Contec Vital Signs Patient Monitors

Additionally, 24 percent of respondents reported an increase in mortality rates, and 59 percent said that it resulted in longer stays. Half of respondents said that there was an increase in patients transferred to other facilities.

Across the board, ransomware attacks appeared to have the biggest impact on patient safety in the eyes of IT and IT security professionals. More than 70 percent of respondents reported believing that their organizations were vulnerable to ransomware.

Ransomware was unsurprisingly a top concern for cyber leaders, but organizations reported even higher levels of vulnerability to cloud compromise (75 percent). In the past two years, 54 percent of respondents said that their organization had experienced at least one cloud compromise. Those who experienced a cloud compromise reported a high frequency of delays in procedures and tests, and 18 percent of respondents reported an uptick in mortality rates.

The report also noted the prevalence of business email compromise (BEC) attacks, which include social engineering, phishing, and spoofing. Just over half of respondents said that they experienced at least one BEC incident in the past two years, and 64 percent of respondents reported believing that their organizations were vulnerable to BEC attacks.

Behind ransomware, BEC attacks appeared to have the most significant impacts on patient safety in many categories. Sixty percent of respondents reported delays in procedures, and 48 percent reported longer lengths of stay. In addition, 51 percent of respondents reported an increase in complications from medical procedures.

READ MORE: Biggest Healthcare Data Breaches Reported This Year, So Far

The final category analyzed by researchers was supply chain attacks, of which 71 percent of organizations believed they were vulnerable. Half of the respondents said that their organizations experienced at least one supply chain attack in the past two years. Supply chain attacks had the same reported effect on mortality rates as ransomware attacks, with 21 percent of respondents reporting increased mortality rates after a supply chain attack.

Additionally, 48 percent of respondents reported an increase in complications from medical procedures, and 51 percent reported longer stays.

The survey results showed a significant connection between healthcare cyberattacks and disruptions in day-to-day operations, which could negatively impact patient safety. These findings further underscore the need to prioritize cybersecurity in healthcare.

Budget, Staffing Challenges Leave Healthcare Vulnerable

Despite expressing significant concern over a variety of attack vectors and vulnerabilities, healthcare cybersecurity experts are still struggling to obtain the resources needed to truly prioritize cybersecurity, the data suggested.

More than half of respondents pointed to a lack of in-house expertise as a top challenge to having an effective cybersecurity posture, and half of the respondents noted a lack of collaboration with other functions.

READ MORE: Evil Corp Cybercriminal Syndicate Poses Threat to Healthcare Cybersecurity

Nearly half of respondents said that their organizations had insufficient staffing, and 41 percent of respondents pointed to budget as a bottleneck. What’s more, 40 percent of respondents said that cybersecurity was not considered a priority within their organizations, and 35 percent said that their organizations did not have an understanding of how to protect against cyberattacks.

While 64 percent of respondents identified insecure medical devices as their top cybersecurity concern, only 51 percent said that their organizations had policies and procedures in place to prevent and respond to an attack on these devices.

In addition, less than half of the respondents said that they had implemented steps to prevent a BEC attack. Instead, organizations are focusing more of their efforts on securing their cloud environments and preparing for ransomware.

Effectively Reducing Cyber Risk

Despite these shortcomings, most healthcare organizations are still taking proactive steps toward enhancing their security postures. A combination of various detection, prevention, and response strategies can help organizations significantly reduce risk.

Nearly 60 percent of respondents said that their organizations took steps to educate employees about cyber threats, with 63 percent saying that they conduct regular training and awareness programs. Employee training programs are crucial to mitigating the risk of insider threats and ensuring that employees recognize the signs of phishing and other social engineering tactics.  

Encryption, tokenization, and other cryptographic tools were popular among respondents when it came to securing sensitive information in the cloud. Additionally, the majority of respondents said that they utilized premium security services provided by their cloud service provider.

“Ensuring security without diminishing user productivity is considered essential to organizations’ cybersecurity strategy,” the report continued.

“It is critical in healthcare organizations to have a productive workforce while effectively securing highly sensitive and confidential patient information. Lost productivity is also the highest cost incurred when responding to a cyberattack ($1.1 million).”

Nearly 80 percent of respondents described adaptive access controls as essential to reducing cybersecurity threats without diminishing productivity. Respondents also felt strongly about strong authentication prior to accessing data and applications in the cloud, as well as supporting multiple identity federation standards, including SAML.

Respondents reported using identity and access management tools, multi-factor authentication, and various threat intelligence solutions in order to further mitigate risk.

Interestingly, the most popular tools among respondents were also likely to be the most fundamental security tools, such as firewalls and anti-malware. Even with limited budgets and staff, organizations can greatly improve their security postures by implementing basic security measures along with prevention and detection tools.