The Third Annual Ponemon Institute Study: Almost Seventy Percent of Healthcare Institutions Encountered Disruption to Patient Care Due to Cyber Incidents

With an average price tag of $1.47 million, the interference with regular healthcare activities caused by system availability issues continues to be the most costly outcome of a cyber assault 

SUNNYVALE, Calif., October 8, 2024 – Proofpoint, Inc., a key player in cybersecurity and compliance, in collaboration with Ponemon Institute, a leading IT security research entity, has unveiled the results of their annual survey on the impact of cybersecurity in the medical sector. The report, titled “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2024,” reveals that 92% of surveyed healthcare organizations faced at least one cyber intrusion in the prior year, a rise from 88% in 2023, with 69% documenting disruption to patient care.

Among the organizations that experienced the four most prevalent types of attack (cloud compromise, ransomware, supply chain attacks, and business email compromise (BEC)), 56% reported poorer patient outcomes due to delays in procedures and tests, 53% observed an increase in complications from medical procedures, and 28% noticed a rise in patient deaths, an increase of five percentage points from the previous year. These results suggest that healthcare institutions are still struggling to reduce the risks that such attacks pose to patient health and welfare.

The study, which polled 648 IT and security professionals in American healthcare facilities, found that supply chain attacks are the most likely to affect patient care. Over two-thirds (68%) of respondents disclosed attacks on their supply chains, with 82% stating that patient care was disrupted, an increase from 77% in 2023. BEC is the attack type most likely to result in poor outcomes due to delays in procedures and tests (69%), followed by ransomware (61%), which also tends to lead to prolonged hospital stays (58%) and an increase in patients redirected or transferred to other facilities (52%).

“Our third annual review aimed to evaluate the progress made by the healthcare sector in shrinking human-centered cybersecurity vulnerabilities and the subsequent impact on patient care,” stated Larry Ponemon, the founder and chairman of the Ponemon Institute. “For the third consecutive year, we have found that the four types of analyzed breaches have a direct detrimental effect on patient safety and health. Encouragingly, the healthcare industry appears to be increasingly cognizant of the significance cybersecurity holds in patient outcomes; on average, IT budgets have expanded, and fewer IT professionals are indicating budget as a hurdle in bolstering their establishment’s cybersecurity position to utmost effectiveness.”

Other significant findings from the study include:

  • Surge in ransomware payouts, despite reduced anxiety surrounding it: More than half (54%) of participants believe their organizations are prone or highly vulnerable to ransomware attacks, a drop from 64% in 2023. Facilities impacted by ransomware attacks (59% of participants) underwent an average of four such incidents in the past two years. Though fewer organizations yielded to ransom demands (36% in 2024 vs. 40% in 2023), the average payout spiked by 10% to $1,099,200 compared to $995,450 in the previous year. 
  • Vulnerable mobile applications and cloud/account breaches are perceived as the primary cyber menaces to healthcare entities: Apprehensions linked to insecure mobile apps (eHealth) have grown to become the foremost cybersecurity peril in healthcare, surging from 51% in 2023 to 59% of respondents in 2024. Cloud/account breaches emerged as the second most significant worry (55%), with text messaging being the top targeted collaboration tool (61%), trailed by email (59%). Organizations are less apprehensive about staff-owned mobile devices or Bring Your Own Device (BYOD) practices. 
  • Further strides needed in curbing internal risks: More than ninety percent of polled organizations encountered at least two incidents of data loss or exfiltration involving sensitive and confidential information over the preceding two years. 51% said that such incidents adversely affected patient care; among those, 50% reported heightened mortality rates and 37% noticed delays in procedures and examinations leading to unfavorable outcomes. Over the two-year period, institutions underwent an average of 20 such occurrences, with staff being the primary cause. Employee carelessness stemming from non-compliance with protocols (31%), accidental data loss (26%), and the unwitting transmission of Personally Identifiable Information (PII) and Protected Health Information (PHI) to an unintended recipient via email (21%) were the predominant issues.
  • The lack of clear leadership poses a looming challenge and risk to healthcare organizations’ cybersecurity posture: While 55% of respondents say that a lack of in-house expertise is a core barrier to building a robust cybersecurity posture, the lack of clear guidance as a hurdle has grown significantly since 2023, rising from 14% to 49% of participants. The concern over budget constraints diminished from 47% to 40% of respondents in 2024.
  • Conventional compliance-oriented security training programs are proving ineffective: Negligent staff stands as a substantial threat to healthcare establishments. While an increased number of entities (71% in 2024 vs. 65% of participants in 2023) are taking measures to tackle the menace posed by staff unawareness about cybersecurity threats, the effectiveness in mitigating these perils is under scrutiny. Nearly three in five participants (59%) revealed that they carry out regular training and awareness sessions. 
  • Role of AI and machine learning in healthcare: The influence that AI is exerting in the realm of security and patient welfare was scrutinized for the first time. Over half (54%) of participants stated that their institutions have integrated AI in cybersecurity (28%) or have embedded it in both cybersecurity and patient care (26%). 57% of these respondents affirmed that AI significantly enhances their establishments’ cybersecurity posture, with more than a third (36%) leveraging AI and machine learning to comprehend human behavior.

“An efficient cybersecurity strategy revolving around countering human-targeted intrusions is vital for healthcare organizations, not solely to safeguard private patient data but also to preserve the utmost quality of medicinal care,” remarked Ryan Witt, chair of the Healthcare Customer Advisory Board at Proofpoint. “This report underscores the interdependency of cyber security with patient safety; shielding medical frameworks and data from cyber assaults is imperative to ensuring uninterrupted patient care and averting disruptions in critical services. While instilling a sense of security consciousness is fundamental, fostering continued behavioral amendments through specialized programs tailored to distinct roles and obligations will fortify both institutional and patient welfare.” 

To access the report titled “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2024,” please navigate to: https://www.proofpoint.com/us/resources/threat-reports/ponemon-healthcare-cybersecurity-report

For additional insights into Proofpoint’s healthcare solutions, feel free to explore: https://www.proofpoint.com/healthcare 

#### 

About Proofpoint, Inc.  

Proofpoint, Inc. is a leading provider of cybersecurity and compliance services that safeguard organizations’ most important assets and biggest vulnerabilities: their people. With an integrated collection of cloud-based solutions, Proofpoint helps companies globally stop targeted threats, protect their data, and make their users more resilient against cyber attacks. A multitude of organizations, including 85% of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the internet. More information is available at www.proofpoint.com.

  