Direct line between hospital cyberattacks and patient mortality, report shows

A new cybersecurity report this week had some sobering statistics illustrating just how commonplace network attacks have become across healthcare.

The survey, which polled more than 640 IT and security leaders, found that 89% of the surveyed organizations experienced an average of 43 attacks over the past year – averaging almost an attack each week.

Worse, the Ponemon Institute study, sponsored by Proofpoint, also found that cyber incursions are now routinely impacting patient safety at U.S. hospitals and health systems.

The report, “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care,” showed respondents saying cyberattacks are routinely delaying procedures and tests – with 57% saying that results in poor patient outcomes and 50% citing increased complications from medical procedures.

Perhaps the most alarming stat was this one: of those health systems experiencing the four most common types of cyberattacks, 20% said they have subsequently experienced increased patient mortality rates.

Ponemon defines the four most common exploits as ransomware, cloud compromise, supply chain disruption and phishing.

Unsurprisingly, the attack type most likely to adversely affect care delivery is ransomware, with attacks commonly leading to procedure or test delays (64% of respondents) and longer patient stays (59%).

Nearly three-quarters (72%) of those surveyed said their organizations are vulnerable to a ransomware attack, and 60% said it was a top concern, with a similar percentage reporting efforts to improve prevention and response.

As for cloud compromise, more than half (54%) of respondents said their organizations had experienced at least one incident in the past two years. Of that group, organizations experienced an average of 22 such compromises in the past two years. Some 63% said they’d taken steps to prepare for and respond to these attacks.

But while 71% of participants said they felt vulnerable to supply chain attacks – and 64% felt at risk from business email compromise and spoofing phishing – just 44% and 48%, respectively, have a documented response plan for those risks.

The report highlights ongoing concerns with IoT, as well, with hospitals and health systems deploying an average of more than 26,000 network-connected devices. But while 64% of respondents said they’re concerned about device security, just 51% include them in their cybersecurity strategy, according to the study.

(Those connected medical device statistics echo similar figures in another recent report put together by the Ponemon Institute.)

Some other stats from the report:

  • 63% of respondents conduct regular training and awareness programs for employees

  • 59% monitor their employees' actions and technology use

  • 53% of respondents said a lack of in-house cybersecurity expertise is a challenge

  • 46% said they lack sufficient staffing in general, impacting their cybersecurity readiness

This is despite the fact that, beyond the risk to patient safety, there are significant financial stakes. The most expensive healthcare cyberattack cost an average of $4.4 million in the past 12 months, according to the study, including $1.1 million of productivity loss.

IT and infosec leaders from major U.S. health systems recognize the stakes. At HIMSS22 this past March, chief information security officers discussed the patient safety risks of this fraught threat landscape.

“We have moved beyond data: It’s not just about privacy and confidentiality anymore,” said Erik Decker, CISO at Intermountain Healthcare. “Cybersecurity is patient safety. Downtime means delay of care, and delay of care means patient safety. That is our charge.”

That’s been the case for some time now. But as this report shows – and recent real-world instances of patient fatalities linked to ransomware attacks emphasize – the risks have only increased for hospitals’ safety and security.

“The attacks we analyzed put a significant strain on healthcare organizations’ resources,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “Their result is not only tremendous cost but also a direct impact on patient care, endangering people’s safety and wellbeing.”

“Healthcare has traditionally fallen behind other sectors in addressing vulnerabilities to the growing number of cybersecurity attacks, and this inaction has a direct negative impact on patients’ safety and wellbeing,” said Ryan Witt, healthcare cybersecurity leader at Proofpoint, in a statement.

“As long as cybersecurity remains a low priority, healthcare providers will continue to endanger their patients,” he added. “To avoid devastating consequences, healthcare organizations must understand how cybersecurity affects their patient care and take the steps toward better preparedness that protects people and defends data.”

Twitter: @MikeMiliardHITN

Healthcare IT News is a HIMSS publication.