In its third year, healthcare cybersecurity research conducted by Ponemon Institute and Proofpoint aimed to determine whether the healthcare industry saw progress in maintaining care delivery in the face of four types of pervasive cyberattacks – cloud compromise, supply chain, ransomware and business-email compromise.
While respondents found that attacks had a direct negative impact on patient safety, fewer said that they didn’t have enough budget to improve cybersecurity posture, representing a 7% decrease in that metric from last year’s results. However, the number citing a lack of security management increased significantly since 2023 – from 14% to 49%.
“The good news, however, is the healthcare industry seems to increasingly recognize the importance cybersecurity plays in patient outcomes; on average, IT budgets have increased, and fewer IT practitioners indicate that budget is a problem in keeping their organization’s cybersecurity posture from being fully effective,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement.
The average annual budget is up 12% year-over-year, and IT budgets have increased to a median of $66 million, according to the report.
WHY IT MATTERS
For the new report, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2024, researchers surveyed 648 IT and IT security professionals at U.S. healthcare organizations and found that 92% experienced at least one cyberattack in the past 12 months, up from 88% in the previous year.
The average number of cyberattacks that organizations said they experienced was 40. When asked to estimate the single most expensive cyberattack in the last 12 months, the average total cost was more than $4.7 million – a 5% decrease from last year.
Most healthcare organizations that experienced business-email compromise (69%) and ransomware (61%) reported delays in procedures and tests, the researchers said. Longer lengths of stay, increased complications, patient diversions and increases in mortality rates were also cited as major impacts across all types of cyberattacks analyzed.
In terms of supply chain attacks, 68% of respondents said their organizations experienced at least one, and 82% of those organizations reported patient-care disruptions, up 5% over last year.
Of note, respondents’ concerns over insecure mobile apps have increased to 59%, up from 51% in 2023, falling behind insecure medical devices (64%) and ahead of cloud compromises (57%) and employee errors (58%).
For the 36% of respondents that said their organizations paid ransomware – 7% fewer this year than last year – payouts spiked 10%, to a median of $1.1 million. Last year’s study found that ransomware’s most prevalent impact on life was an increase in the number of patients transferred or diverted to other facilities, reported by 70% of those surveyed, up from 65% in 2022.
For this year’s study, researchers looked at the impact of artificial intelligence for the first time. More than half (54%) of respondents said their organizations have embedded AI in cybersecurity (28%), and 57% said AI is very effective in improving organizations’ cybersecurity posture.
THE LARGER TREND
When the institute found a link between ransomware and increased patient mortality in 2021, many healthcare leaders called it an urgent wake-up call for the industry to transform its cybersecurity and third-party-risk programs.
Data loss and exfiltration are still having an impact on patient mortality and continue to be an issue. Some 92% of the institute’s respondents this year said that they had at least two sensitive data-loss incidents over the past two years. More than half of those (51%) said there were patient care disruptions that increased their organizations’ mortality rates.
Last year, the institute looked at benchmarking factors in risk-mitigation resourcing, like staffing investments in increasing third-party-risk oversight and funding for new cyber preparedness technologies. By November, providers reported significant IT budget increases for 2024.
ON THE RECORD
“By far, in the past two years the most cyberattacks involved cloud-based user accounts,” said Ponemon researchers. “Text messaging and email were the two most attacked cloud-based user accounts/collaboration tools.”
“An effective cybersecurity approach centered around stopping human-targeted attacks is crucial for healthcare institutions, not just to protect confidential patient data but also to maintain the highest quality of medical care,” said Ryan Witt, chair of the Healthcare Customer Advisory Board at Proofpoint, in a statement.
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.