Nearly 90% of information technology professionals working in health care said their facilities suffered a cyberattack in the past year, according to a report out Thursday from the research organization Ponemon Institute.
Many of them said the attacks, which averaged 43 at various types of health care organizations including hospitals and insurance providers, increasingly affected patient care.
More than 600 IT and IT security practitioners responded to the survey sponsored by the cybersecurity firm Proofpoint. The report comes amid frequent warnings from federal cybersecurity officials about ransomware and other cyberattacks on health care organizations.
Fifty-three percent of the respondents said their organization had experienced at least one ransomware incident over the past two years, while a third said they’d suffered between two and five. Nine percent of respondents said their organizations suffered six to 10 incidents.
The findings mark an increase from a year ago when Ponemon conducted a similar survey commissioned by cybersecurity firm Censinet. That survey found that just over 40% of respondents suffered a ransomware attack in the previous year.
The data lines up with previous reporting that suggests ransomware is harming patient care. In 2020, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency found that “patients did worse in hospitals navigating a cyberware attack than in hospitals that didn’t,” The Verge reported in August 2021.
Of the entities that reported having been hit by ransomware in the new survey, 67% reported a disruption in patient care, such as delays in procedures and tests, an increase in patients transferred or diverted to other facilities or longer lengths of stay.
Nearly a quarter of the entities that reported having been hit by ransomware reported an increased mortality rate, but it’s unclear what role ransomware played in the increased mortality rate.
“Correlation is very hard,” Larry Ponemon, chairman and founder of the Ponemon Institute, said Wednesday. Future research will seek to better understand “what’s really driving the underlying results,” he said. “The whole issue really needs fairly meaningful research.”
In September 2021, an Alabama woman sued a local hospital claiming that a ransomware attack on the hospital contributed to her baby’s death, the Wall Street Journal reported.
While it’s not clear which ransomware crew was behind that attack, Allan Liska, a senior intelligence analyst with cybersecurity firm Recorded Future, told the newspaper at the time it was likely the Russian-based Ryuk gang. That group was responsible for attacking at least 235 hospitals through June 2021.
Respondents to the Ponemon/Proofpoint survey who reported having suffered other types of cyberattacks — such as email compromise, supply chain attacks and cloud compromises — also reported increased mortality rates at roughly the same levels.
The survey reported some caveats with its data. The survey had a response rate of just 3.9%, and the accuracy of the job roles of the respondents is based on contact information. Additionally, just like any other survey, there’s the possibility the respondents provided inaccurate information.
The results surfaced some additional interesting findings, including that while 64% of the respondents were most concerned about medical device security, only 51% of those respondents’ organizations include them in their cybersecurity strategy.
“Healthcare has traditionally fallen behind other sectors in addressing vulnerabilities to the growing number of cybersecurity attacks, and this inaction has a direct negative impact on patients’ safety and wellbeing,” Ryan Witt, healthcare cybersecurity leader with Proofpoint, said in a statement. “As long as cybersecurity remains a low priority, healthcare providers will continue to endanger their patients.”