Supply chain, email attacks against healthcare groups frequently threatening patient care, report finds

Supply chain and business email compromise (BEC) attacks against healthcare organizations are among the leading threats to patients’ care and outcomes, according to a new survey report from cybersecurity firm Proofpoint and IT security research group Ponemon Institute.

When asked to describe the impact of four leading types of cybersecurity attacks, two-thirds of the report’s 653 polled industry professionals said their organization had suffered a supply chain attack in the past two years. That group faced an average of four such attacks and 77% said the attack on their supply chain led to a disruption in patient care—up from 70% in 2022 and a generally higher rate of disruption than other types of cybersecurity attacks.

Business email compromise attacks, such as spoofing or phishing, were less prevalent, with 54% of respondents reporting an average of five such attacks within the last two years. However, respondents said BEC attacks led to poor patient outcomes more often than other attack types did, in the form of delayed procedures (71%), medical procedure complications (56%) and longer lengths of stay (55%).

The other two types of attacks explored in the survey, ransomware and cloud network compromises, were also reported to have driven worsened care to a lesser, but still substantial, extent.

“While the healthcare sector remains highly vulnerable to cybersecurity attacks, I’m encouraged that industry executives understand how a cyber event can adversely impact patient care,” Ryan Witt, chair of Proofpoint’s Healthcare Customer Advisory Board, said in a release. “I’m also more optimistic that significant progress can be made to protect patients from the physical harm that such attacks may cause.”

The groups’ report found that 88% of responding organizations had experienced at least one cyberattack within the past 12 months. Respondents among those 88% reported an average of 40 cyberattacks, and all organizations reported having at least one incident in which sensitive healthcare information was lost or stolen.

The report also outlined a contrasting trend regarding ransomware attacks: though the percentage of those surveyed reporting a recent ransomware attack rose from last year’s 41% to this year’s 54%, the portion of respondents citing these high-profile attacks as a top concern dropped from 60% to 48%. Fewer respondents reported making a ransom payment in this year’s survey (down from 51% to 40%).

Cloud compromises, meanwhile, appear to be front of mind for healthcare organizations’ security leaders. Seventy-four percent of respondents said their organizations were vulnerable to these attacks. The percentage who said they were concerned about cloud compromises rose from 57% to 63%, making cloud compromises the attack type of greatest concern among the survey’s respondents.

“For the second consecutive year, we found that the four types of analyzed attacks show a direct negative impact on patient safety and wellbeing,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in a release. “Our findings also show that more IT and security professionals view their organization as vulnerable to each type of attack, compared to 2022. These attacks are also putting an even greater strain on resources than last year—costing on average 13% more overall and 58% more in the time required to ensure the impact on patient care was corrected.”

More specifically, the survey responses outlined a $4.99 million average total cost of healthcare cyberattacks (inclusive of direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunities). The cost of organizations’ most expensive attack within the last 12 months ranged from less than $10,000 to over $25 million, while losses specifically tied to operational disruptions rose from last year’s $1 million average to $1.3 million.

Proofpoint and Ponemon’s survey was fielded in March to more than 17,000 IT and IT security practitioners in the healthcare industry, of which 653 were returned and used. The groups warned that their relatively low, 3.8% response rate and other methodology choices, such as self-reported results and web-based collection, may have introduced some biases.

The rising cost echoes the findings of a separate cross-industry Ponemon report released earlier this year by IBM Security. That analysis found that the money lost due to data breaches was highest among healthcare organizations, where the average cost had increased from 2022’s $10.10 million to $10.93 million within the report’s sample.