92% of healthcare organizations experienced at least one cyberattack in the past 12 months, up from 88% in 2023, and 69% reported disruption to patient care as a result, according to Proofpoint.
Healthcare organizations struggle to mitigate risks from cyberattacks
Among the organizations that suffered the four most common types of attacks – cloud compromise, ransomware, supply chain, and business email compromise (BEC) – 56% reported poor patient outcomes due to delays in procedures and tests, 53% saw an increase in medical procedure complications, and 28% said patient mortality rates increased, a rise of five percentage points over last year. These findings indicate that healthcare organizations continue to struggle to mitigate the risks these attacks pose to patient safety and well-being.
The report, which surveyed 648 information technology and security practitioners in United States healthcare organizations, found that supply chain attacks are most likely to affect patient care. 68% of respondents said their organizations had an attack against their supply chains, of which 82% said it disrupted patient care, an increase from 77% in 2023.
BEC leads the group of attacks most likely to result in poor outcomes due to delayed procedures and tests (69%), followed by ransomware (61%). Ransomware was also the attack most likely to result in longer lengths of stay (58%) and in an increase in patients diverted or transferred to other facilities (52%).
“Our third annual report was conducted to determine if the healthcare industry is making progress in reducing human-centric cybersecurity risks and disruptions to patient care,” said Larry Ponemon, chairman and founder of the Ponemon Institute.
“For the third consecutive year, we found that the four types of analyzed attacks show a direct negative impact on patient safety and wellbeing. The good news, however, is the healthcare industry seems to increasingly recognize the importance cybersecurity plays in patient outcomes; on average, IT budgets have increased, and fewer IT practitioners indicate that budget is a challenge in keeping their organization’s cybersecurity posture from being fully effective,” added Ponemon.
Top cybersecurity threat in healthcare
54% of respondents believe their organizations are vulnerable or highly vulnerable to a ransomware attack, a decline from 64% in 2023. Organizations that had ransomware attacks (59% of respondents) experienced an average of four such attacks over the past two years. While fewer organizations paid the ransom (36% in 2024 vs. 40% in 2023), the ransom paid spiked 10% to an average of $1,099,200 compared to $995,450 in the previous year.
Concern about insecure mobile apps (eHealth) has grown to become the top cybersecurity threat in healthcare, cited by 59% of respondents in 2024, up from 51% in 2023. Cloud/account compromise was the second biggest concern (55%), and text messaging was the most attacked collaboration tool (61%), followed by email (59%). Organizations are less worried about employee-owned mobile devices (BYOD).
More than nine in ten organizations surveyed had at least two data loss or exfiltration incidents involving sensitive and confidential data within the past two years. 51% said a data loss or exfiltration incident impacted patient care; of those, 50% experienced increased mortality rates and 37% saw delays in procedures and tests that resulted in poor outcomes.
Over the past two years, organizations experienced an average of 20 such incidents, with employees as the primary root cause. The top three causes were employee negligence in not following policies (31%), accidental data loss (26%), and employees sending PII and PHI to an unintended recipient via email (21%).
The lack of clear leadership is a growing problem
While 55% of respondents say their organizations' lack of in-house expertise is a primary deterrent to achieving a strong cybersecurity posture, the share citing a lack of clear leadership as a challenge increased significantly, from 14% in 2023 to 49% in 2024. The share citing insufficient budget decreased from 47% to 40% of respondents in 2024.
Negligent employees pose a significant risk to healthcare organizations. More organizations (71% in 2024 vs. 65% of respondents in 2023) are taking steps to address the risk posed by employees' lack of awareness of cybersecurity threats, but whether those steps are effective in reducing the risk remains an open question. Nearly three in five respondents (59%) indicate they conduct regular training and awareness programs.
For the first time, the impact AI is having on security and patient care was studied. 54% of respondents say their organizations have embedded AI in cybersecurity (28%) or embedded it in both cybersecurity and patient care (26%). 57% of these respondents say AI is very effective in improving organizations’ cybersecurity posture, and 36% use AI and machine learning to understand human behavior.
“An effective cybersecurity approach centered around stopping human-targeted attacks is crucial for healthcare institutions, not just to protect confidential patient data but also to maintain the highest quality of medical care,” said Ryan Witt, chair, Healthcare Customer Advisory Board at Proofpoint.
“This report underlines that cyber safety is patient safety; protecting healthcare systems and medical data from cyber attacks is critical to ensuring continuity in patient care and avoiding disruption of critical services. And while security awareness is foundational, driving sustained behavior change through programs tailored to specific roles and responsibilities will help support both organizational and patient safety,” concluded Witt.