Patient care threatened by ever-increasing cyberattacks
The average total cost of a cyberattack was $4.99 million, a 13% increase from the previous year, new survey finds.
Patient care is under threat from cyberattacks, particularly supply chain and business email compromise (BEC) attacks, as more and more healthcare organizations are grappling with the cost and headache associated with them, finds a new survey on healthcare cybersecurity from Proofpoint and the Ponemon Institute.
The report, "Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023," found that 88% of the surveyed organizations experienced an average of 40 attacks in the past 12 months. The average total cost of a cyberattack was $4.99 million, a 13% increase from the previous year.
Among the organizations that suffered the four most common types of attacks – cloud compromise, ransomware, supply chain and BEC – an average of 66% reported disruption to patient care. Specifically, 57% reported poor patient outcomes due to delays in procedures and tests, 50% saw an increase in medical procedure complications and 23% experienced increased patient mortality rates.
These numbers reflect last year's findings, indicating that healthcare organizations have made little progress in mitigating the risks of cyberattacks on patient safety and wellbeing.
The report, which surveyed 653 healthcare IT and security practitioners, found that supply chain attacks are the type of threat most likely to affect patient care. Nearly two-thirds (64%) of surveyed organizations suffered a supply chain attack in the past two years. Among those, 77% experienced disruptions to patient care as a result – an increase from 70% in 2022.
BEC, by far, is the type of attack most likely to result in poor outcomes due to delayed procedures (71%), followed by ransomware (59%). BEC is also most likely to result in increased medical procedure complications (56%) and longer lengths of stay (55%).
WHAT'S THE IMPACT?
Ransomware remains an ever-present threat to healthcare organizations, even though concerns about it are on the decline: Some 54% of respondents say their organization suffered a ransomware attack, up from 41% in 2022. However, ransomware fell to the bottom of threat concerns, with only 48% of respondents saying this threat concerns them the most, compared to 60% last year.
The number of surveyed organizations making a ransom payment also dropped, from 51% in 2022 to 40% this year. But the average total cost for the highest ransom payment spiked 29% to $995,450.
All organizations surveyed had at least one data loss or exfiltration incident involving sensitive and confidential healthcare data within the past two years: A total of 43% of respondents say a data loss or exfiltration incident impacted patient care. Of those, 46% experienced increased mortality rates, and 38% saw increased complications from medical procedures. Organizations experienced 19 such incidents on average, with malicious insiders the most likely cause (identified by 32% of respondents).
Concerns about supply chain attacks declined, despite these attacks significantly disrupting patient care. Only 63% of respondents expressed concern about the vulnerability of their organization to supply chain attacks, compared to 71% last year. At the same time, 64% of respondents say their organizations' supply chains were attacked an average of four times, and 77% of those that suffered a supply chain attack saw disruption in patient care, an increase from last year's 70%.
Healthcare organizations feel most vulnerable to, and most concerned about, cloud compromise. Seventy-four percent of participants view their organization as most vulnerable to a cloud compromise, on par with last year's 75%. However, a higher number are concerned about the threats posed by the cloud: 63% vs. 57% in 2022. Cloud compromise, in fact, rose to the top as the most concerning threat this year from fifth place last year.
BEC/spoofing concerns increased significantly. The number of respondents concerned about BEC/spoofing jumped to 62% from last year's 46%. More than half (54%) of organizations experienced five of these types of incidents on average. Although the number of organizations concerned about BEC/spoofing phishing grew, only 45% take steps to prevent and respond to this type of attack. Similarly, despite the prevalence of disruptions to patient care from supply chain attacks, only 45% of organizations have documented steps to respond to them.
Lastly, respondents identified lack of in-house expertise and insufficient staffing as the two biggest challenges to keeping their organization's cybersecurity posture from being fully effective, and more organizations feel this challenge this year: Some 58% noted lack of expertise as a challenge, vs. 53% in 2022, and 50% identified insufficient staffing, vs. 46% last year.
THE LARGER TREND
More than three quarters (78%) of respondents to an August Claroty survey experienced a minimum of one cybersecurity incident over the last year, which impacted a broad range of asset types, including IT systems, sensitive data, medical devices and building management systems.
Alarmingly, more than 60% of respondents reported a moderate or substantial impact on care delivery, and another 15% reported a severe impact that compromised patient health or safety. The financial ramifications mainly fell in the $100,000–$1,000,000 range, with 26% paying ransoms.
Twitter: @JELagasse
Email the writer: Jeff.Lagasse@himssmedia.com