Cybersecurity budgets are increasing – but attack disruptions are too

Most health systems experienced a cyberattack in the last year, the new Ponemon Institute report shows, with 69% of victims citing poor patient outcomes. Business-email compromise and ransomware were reported to be the biggest culprits in care impacts.
By Andrea Fox
09:37 AM

In its third year, healthcare cybersecurity research conducted by Ponemon Institute and Proofpoint aimed to determine whether the healthcare industry saw progress in maintaining care delivery in the face of four types of pervasive cyberattacks – cloud compromise, supply chain, ransomware and business-email compromise.

While respondents found that attacks had a direct negative impact on patient safety, fewer said that they did not have enough budget to improve cybersecurity posture, representing a 7% decrease in that metric from last year's results. However, the number citing a lack of security leadership increased significantly since 2023 – from 14% to 49%.

"The good news, however, is the healthcare industry seems to increasingly recognize the importance cybersecurity plays in patient outcomes; on average, IT budgets have increased, and fewer IT practitioners indicate that budget is a challenge in keeping their organization’s cybersecurity posture from being fully effective," said Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement.

The average annual budget is up 12% year-over-year, and IT budgets have increased to an average of $66 million, according to the report.

WHY IT MATTERS

For the new report, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2024, researchers surveyed 648 IT and IT security professionals at U.S. healthcare organizations and found that 92% experienced at least one cyberattack in the past 12 months, up from 88% in the previous year.

The average number of cyberattacks that organizations said they experienced was 40. When respondents were asked to estimate the cost of the single most expensive cyberattack in the last 12 months, the average total cost was more than $4.7 million – a 5% decrease from last year.

Most healthcare organizations that experienced business-email compromise (69%) and ransomware (61%) reported delays in procedures and tests, the researchers said. Longer lengths of stay, increased complications, patient diversions and increases in mortality rates were also cited as major impacts across all types of cyberattacks analyzed.

In terms of supply chain attacks, 68% of respondents said their organizations experienced at least one, and 82% of those organizations reported patient-care disruptions, up 5% over last year. 

Of note, respondents' concerns over insecure mobile apps have increased to 59%, up from 51% in 2023, falling behind insecure medical devices (64%) and ahead of cloud compromises (57%) and employee errors (58%).

For the 36% of respondents that said their organizations paid a ransom – 7% fewer this year than last year – payouts spiked 10%, to an average of $1.1 million. Last year's study found that ransomware's most prevalent impact on life was an increase in the number of patients transferred or diverted to other facilities, reported by 70% of those surveyed, up from 65% in 2022.

For this year's study, researchers looked at the impact of artificial intelligence for the first time. More than half (54%) of respondents said their organizations have embedded AI in cybersecurity (28%), and 57% said AI is very effective in improving organizations’ cybersecurity posture.

THE LARGER TREND

When the institute found a link between ransomware and increased patient mortality in 2021, many healthcare leaders called it an urgent wake-up call for the industry to transform its cybersecurity and third-party-risk programs.

Data loss and exfiltration are still having an impact on patient mortality and continue to be an issue. Some 92% of the institute's respondents this year said that they had at least two sensitive data-loss incidents over the last two years. More than half of those (51%) said there were patient care disruptions that increased their organizations' mortality rates.

Last year, the institute looked at benchmarking factors in risk-mitigation resourcing, like staffing investments in growing third-party-risk oversight and funding for new cyber preparedness technologies. By November, providers reported significant IT budget increases for 2024.

ON THE RECORD

"By far, in the past two years the most cyberattacks involved cloud-based user accounts," said Ponemon researchers. "Text messaging and email were the two most attacked cloud-based user accounts/collaboration tools."

"An effective cybersecurity approach centered around stopping human-targeted attacks is crucial for healthcare institutions, not just to protect confidential patient data but also to maintain the highest quality of medical care," said Ryan Witt, chair of the Healthcare Customer Advisory Board at Proofpoint, in a statement.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
