Healthcare cybersecurity: implications for patient care.
By Tim Nodar, CyberWire senior staff writer
Oct 13, 2023

Patients are just collateral damage to cyber criminals.

A Ponemon Institute survey commissioned by Proofpoint looked at the consequences of cyberattacks against healthcare organizations. Such attacks are both a business risk and a threat to patient care and patient privacy.

Healthcare organizations are frequently targeted.

The study found that 88% of healthcare organizations experienced at least one cyberattack in the past twelve months, and that those organizations sustained an average of forty attacks over that period. The average total cost of the most expensive attack was $4.9 million, a figure that includes “all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs, and lost business opportunities.” The single most expensive consequence was “disruption to normal healthcare operations because of system availability,” which accounted for an average of $1.3 million in losses.

Effects on patient care.

Notably, 77% of respondents said supply chain attacks had an impact on patient care: “Patients were primarily impacted by delays in procedures and tests that resulted in poor outcomes such as an increase in the severity of an illness (50 percent) and a longer length of stay (48 percent). Twenty-one percent say there was an increase in mortality rate.”

And a threat to patient privacy.

100% of the surveyed organizations had at least one incident in which sensitive healthcare data were lost or stolen: “On average, organizations experienced 19 such incidents in the past two years and 43 percent of respondents say they impacted patient care. Of these respondents, 46 percent say it increased the mortality rate and 38 percent say it increased complications from medical procedures.”

Motive and opportunity for cybercrime against healthcare organizations.

Industry experts agreed that the healthcare sector holds valuable data, which gives criminals a motive, and that healthcare security teams are often understaffed and underfunded relative to the adversaries they face, which gives criminals the opportunity.

Ted Miracco, CEO of Approov Mobile Security, wrote that “The challenges faced by healthcare organizations in addressing cybersecurity include a lack of cybersecurity expertise and insufficient budget and staffing. These challenges need to be addressed to ensure effective security measures are in place, especially in the critical areas of mobile app and API vulnerabilities and the persistent phishing and business email compromise (BEC) attacks. With the average cost of a cyber attack reaching almost $5 million, it makes sense for these organizations to invest ahead of the attack versus spending money to remediate after the patient data has been exfiltrated and other damage has been done.”

Emily Phelps, Director at Cyware, sees healthcare data as a perennial draw for hackers. “Healthcare is a consistently attractive target for threat actors because of the valuable data they collect and store. Adversaries far outnumber available cybersecurity pros so to mitigate the risks, healthcare organizations must leverage automation tools that enable lean security teams to efficiently address threats; employees should have regular security awareness training so they are prepared to recognize and avoid common threat tactics; and organizations should consider partnering with security providers that can offer expertise that is difficult to source and retain internally.”

Jan Lovmand, CTO of BullWall, also wrote to describe the way motive and opportunity intersect in the healthcare sector. “Hospitals and healthcare organizations are particularly attractive targets for cybercriminals, and their reliance on technology to manage everything from patient records to surgical equipment makes them uniquely vulnerable,” Lovmand wrote. “This is compounded by their limited resources to invest in cybersecurity measures. But with ransomware continuing to be a significant threat to these organizations, investments must be made to contain these attacks, eliminating the need to resort to a complete shutdown of IT systems, and healthcare services.”