A surgeon returned to her workstation after seven hours of surgery to write notes for the team caring for her patient. But as soon as she logged in, the connection was lost and an error message appeared. The hospital had been hit with ransomware three hours earlier and its EHR systems were down. The IT department was working to bring everything back online while the surgeon looked for pen and paper to record notes and patient care instructions.
We have known for a long time that cybersecurity risks are expensive. The dollar cost of healthcare data breaches is well documented. However, a new study focuses on the damage to patient care and safety caused by cybersecurity issues. “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care,” from Ponemon Institute, was commissioned by security firm Proofpoint, Inc. The study resulted from surveys conducted with 641 IT and IT security professionals in the healthcare sector.
The study reveals that:
- 89% of the surveyed organizations experienced an average of 43 attacks in the past 12 months, nearly one per week.
- More than 20% of the organizations suffering the four most common types of attacks – cloud compromise, ransomware, supply chain attacks, and business email compromise (BEC)/spoofing phishing – experienced increased patient mortality rates.
- The average total cost for the most expensive cyberattack experienced was $4.4 million. This included all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunities.
- At an average cost of $1.1 million, lost productivity was the most significant financial consequence from the cyberattack.
- However, despite the connection between cyberattacks and patient safety, the smallest cost following a cyberattack was the time required to ensure the impact on patient care was corrected, valued at $664,350.
- The insecure Internet of Medical Things (IoMT) is a top concern. Healthcare organizations have an average of more than 26,000 network-connected devices. While 64% of respondents are concerned about medical device security, only 51% include them in their cybersecurity strategy.
Patient Safety is a Concern
While correlation and causation are difficult to determine with certainty, the survey respondents with day-to-day experience in healthcare reported that cyberattacks have tangible impacts on patient care.
For example, when asked how a ransomware attack impacted patient safety and care delivery within their organizations, 64 percent of respondents reported delays in procedures and tests.
Additionally, 24 percent of respondents reported an increase in mortality rates, and 59 percent said that it resulted in longer stays. Half of respondents said that there was an increase in patients transferred to other facilities.
After ransomware, the top risk affecting patient safety in the eyes of the respondents is business email compromise, through phishing and spoofing.
In addition to delays in procedures and tests, other common patient safety issues reported by the respondents are longer lengths of stay and an increase in complications from medical procedures.
Challenges Faced by Healthcare IT Security Teams
A lack of resources is a common concern among the respondents. More than half noted a lack of in-house expertise as a top challenge to cybersecurity preparedness, and half noted a lack of collaboration with other functions in the organization.
Nearly half of respondents said that their organizations did not have enough staff, with many of them reporting that budgets are a problem. Alarmingly, 40 percent of respondents said that cybersecurity was not considered a priority within their organizations, and 35 percent said that their organizations did not have an understanding of how to protect against cyberattacks.
As noted by Ryan Witt, healthcare cybersecurity leader at Proofpoint:
“As long as cybersecurity remains a low priority, healthcare providers will continue to endanger their patients. To avoid devastating consequences, healthcare organizations must understand how cybersecurity affects their patient care and take the steps toward better preparedness that protects people and defends data.”
HIPAA Risk Management Changes Everything
Quality healthcare, including patient care and safety, is at the heart of HIPAA.
Cybersecurity guidance is available and easy to follow in The HIPAA E-Tool®. The HIPAA Security Rule is the best blueprint to defend against cyber crime. Conducting a thorough HIPAA Risk Analysis and completing the Security Rule Checklist (your security risk assessment) are the most concrete and dependable ways to reduce cybersecurity risks and maintain patient care and safety.