Ponemon Institute Survey Reveals Increased Cyberattacks on Healthcare Organizations

Ponemon Institute conducted a new survey for Proofpoint, which revealed that almost all U.S. healthcare organizations faced a cyberattack in the past year. Of the 648 IT and IT Security experts surveyed, 92% reported at least one cyberattack in the last 12 months, compared to 88% of survey respondents in 2023.

The report found that healthcare organizations experienced an average of 40 cyberattacks over the year. While many attacks were stopped before they could cause severe problems, 69% of respondents reported that at least one attack disrupted patient services. 56% reported negative patient experiences because of delays in operations and testing, 53% experienced complications in medical procedures, and 28% reported an increase in patient mortality rate.

Cyberattacks are very costly for healthcare organizations. Survey respondents detailed the financial impact of their most expensive attack, with the average total cost reaching $4.74 million, a 5% increase from last year. This figure includes direct expenses, labor costs, and lost business revenue, with losses ranging from $10,000 to over $25 million.

The biggest cost was attributed to system unavailability as a result of the attack, averaging $1.47 million, up 13% from 2023. The second biggest cost was the idle time and lost productivity of users during system outages, averaging $995,484, down 9.5% from last year. The third, correcting the negative impact on patient care, cost organizations $853,272, down 15% from 2023.

Proofpoint published its 2024 report entitled Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care. It discussed the most common attack types in the healthcare sector, such as cloud compromise, business email compromise (BEC), ransomware attacks, and supply chain attacks. Supply chain attacks were particularly common, impacting 68% of surveyed healthcare organizations, with 82% of those attacks affecting patient care. 69% reported that BEC attacks often cause poor outcomes because of delays in medical procedures. 61% reported that ransomware attacks resulted in poor outcomes, 58% reported prolonged hospital stays, and 52% reported needing to transfer patients to other hospitals.

Healthcare organizations are less worried about ransomware now than they were in 2023. Only 54% feel vulnerable to such attacks, compared to 64% last year. In the past two years, 59% of respondents reported experiencing at least one ransomware attack, with an average of four attacks per organization. 36% of organizations paid a ransom, compared to 40% the previous year. Cybercriminals have reacted to the drop in payments by raising ransom demands to $1,099,200, an average increase of 10% year-over-year.

More than 90% of healthcare organizations experienced data loss or data exfiltration in the last two years. Over half of respondents (51%) reported that these incidents affected patient care, while 50% reported increased mortality rates as a result. 37% said delays caused by these breaches led to poor medical outcomes.

Around 20% of data breaches were linked to employee actions, with the leading causes being failure to follow procedures (31%), accidental data loss (26%), and sending electronic Protected Health Information (ePHI) to the wrong recipients (21%). In response, 71% of healthcare organizations have increased employee cybersecurity and HIPAA training efforts, though only 59% offer regular training programs.

This year’s report also examined the use of artificial intelligence (AI) and machine learning in healthcare cybersecurity. 28% of respondents stated they use AI for cybersecurity purposes, while 26% employ AI for both patient care and cybersecurity. Among those who have adopted AI, 67% believe it has improved their organization’s security.

Ryan Witt, chair of the Healthcare Customer Advisory Board at Proofpoint, emphasized the importance of prioritizing cybersecurity in healthcare. Cyber safety means patient safety, and protecting healthcare systems from cyber threats is necessary for the continuity of care and for avoiding disruptions to healthcare services.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]