Proofpoint, a leading cybersecurity and compliance company, and Ponemon Institute, an IT security research organisation, recently released the results of their third annual survey on the effects of cybersecurity in healthcare.
The report, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2024, found 92% of healthcare organisations surveyed experienced at least one cyberattack in the past 12 months – an increase from 88% in 2023 – with 69% reporting disruption to patient care as a result.
Among the organisations that suffered the four most common types of attacks – cloud compromise, ransomware, supply chain and business email compromise (BEC) – 56% reported poor patient outcomes due to delays in procedures and tests, 53% saw an increase in medical procedure complications and 28% say patient mortality rates increased – an increase of five percentage points over last year.
These findings indicate that healthcare organisations continue to struggle with mitigating the risks these attacks pose to patient safety and well-being.
The report, which surveyed 648 information technology and security practitioners in US healthcare organisations, found supply chain attacks are most likely to affect patient care.
More than two-thirds (68%) of respondents said their organisations had an attack against their supply chains, of which 82% said it disrupted patient care, an increase from 77% in 2023.
BEC leads the group of attacks most likely to result in poor outcomes due to delayed procedures and tests (69%), followed by ransomware (61%), which was also most likely to result in longer lengths of stay (58%) and increase in patients diverted or transferred to other facilities (52%).
“Our third annual report was conducted to determine if the healthcare industry is making progress in reducing human-centric cybersecurity risks and disruptions to patient care,” said Larry Ponemon, Chairman and Founder of the Ponemon Institute. “For the third consecutive year, we found the four types of analysed attacks show a direct negative impact on patient safety and well-being.
“The good news, however, is the healthcare industry seems to increasingly recognise the importance cybersecurity plays in patient outcomes; on average, IT budgets have increased, and fewer IT practitioners indicate that budget is a challenge in keeping their organisation’s cybersecurity posture from being fully effective,” added Ponemon.
Ryan Witt, Chair, Healthcare Customer Advisory Board at Proofpoint, said: “An effective cybersecurity approach centred around stopping human-targeted attacks is crucial for healthcare institutions, not just to protect confidential patient data but also to maintain the highest quality of medical care.
“This report underlines that cyber safety is patient safety; protecting healthcare systems and medical data from cyberattacks is critical to ensuring continuity in patient care and avoiding disruption of critical services. And while security awareness is foundational, driving sustained behaviour change through programmes tailored to specific roles and responsibilities will help support both organisational and patient safety,” Witt said.
Keiron Holyome, Vice President, AI Cyber Security, UKI & Emerging Markets, BlackBerry
To prevent attacks, healthcare organisations must ensure that cybersecurity protection covers every endpoint, from mobile devices to IoT-connected medical tools like ventilators or robotic surgery equipment. Many departments will be running outdated, possibly unsupported, technologies, some systems may run offline or with infrequent connectivity – everything requires the same high level of protection to defend against the daily onslaught of attacks. AI-based threat prevention is a must for rigorous security in this kind of complex environment as it allows organisations to detect and respond to potential threats in real-time, mitigating risks before they significantly impact patient care.
A lesser appreciated impact of cyberattacks is that normal communications channels are no longer available to alert, inform and advise all the different stakeholder groups. In such situations, a robust critical event management (CEM) system allows for fast and secure communication of a single source of truth to reassure and update staff, patients, management teams on temporary measures and steps to bring systems securely back online. Organisations equipped with this capability to alert at pace and deploy response teams quickly are better prepared to respond to – and recover from – critical events faster. This ensures healthcare services can resume with minimal disruption, preserving the quality of patient care essential during critical events.
The NHS’ current crackdown on staff using consumer messaging apps, like WhatsApp, is a positive move to safeguard sensitive communications and documents from bad actors and hostile nation-states that seek to bring down critical infrastructure. With this, individual NHS Trusts can take control into their own hands, with trusted tech solutions that offer collaborative user experience and defence-grade security, end-to-end encryption and protection inside and outside of their firewall.
Secure communication channels are essential for healthcare organisations to protect sensitive patient information. Leveraging encrypted messaging solutions alongside a robust CEM system can facilitate rapid and secure information sharing, enabling them to respond effectively to cyberthreats while maintaining quality patient care.
With an effective AI-powered defence and a secure out-of-band communications system, organisations can thwart threat actors from creating the disruption they seek. Fostering a security-first culture among healthcare staff can also reduce human errors that contribute to attacks. This layered approach fortifies technical systems and empowers workforces to be the first line of defence in safeguarding patient care.
Nadine Hoogerwerf, CISO, Zivver
According to a 2023 report by the UK Information Commissioner’s Office (ICO), approximately 90% of data breaches reported to the ICO in the UK were attributed to human error, such as misdirected emails, failure to use BCC in email and sending sensitive data to the wrong recipients. Human-targeted cyberattacks are designed to exploit this vulnerability in human behaviour rather than a technical weakness.
Cybercriminals will attempt to take advantage of employees by manipulating them into sharing sensitive information, making mistakes or bypassing security protocols. There is no way to stop criminals from enacting human-targeted attacks, but there are ways to make those attacks less likely to be effective.
Healthcare organisations can build organisational resilience by adopting a security-first culture. An organisation is only as secure as its weakest link and therefore requires all staff to commit to good cyber hygiene. This requires senior leadership to promote secure practices that address the risk of phishing, malware and social engineering through regular, role-specific training and awareness programmes. Developing a robust cybersecurity approach that mitigates human-targeted attacks also involves addressing vulnerabilities with tools that enable employees to avoid common errors without complicating workflows and harming productivity.
With ransomware having such a destructive impact on healthcare organisations, even leading to the cancellation of operations earlier this year in multiple London hospitals, it is similarly important that organisations embrace some form of inbound email threat detection software to block phishing, malware and spoofing attempts before they reach employees or patients.
Limiting access to sensitive data through role-based access controls and the principle of least privilege is another effective strategy for addressing human-targeted attacks. This is also beneficial for achieving regulatory compliance with GDPR and HIPAA and reduces the risk of data being misused by ensuring fewer staff have access to confidential patient information.
Multi-Factor Authentication (MFA) is another minimally disruptive tool that requires staff and patients to undergo two or more verification factors before gaining access to valuable sensitive information. This means that if a password becomes compromised, there is another line of defence for cybercriminals to overcome.
Finally, implementing data loss prevention (DLP) policies is a great way to minimise human error. DLP is a cybersecurity strategy designed to prevent the unintentional sharing of sensitive information. It ensures data is protected in transit and at rest, preventing unauthorised access through encryption, access controls and real-time alerts.
By embracing security strategies as part of everyday workflows and outsourcing security to technical tools, medical staff can prioritise patient care without compromising patient privacy.
David Rajkovic, Managing Director A/NZ, Rubrik
Time and again, cybersecurity reports find healthcare organisations are among the hardest hit. For example, this year’s Annual Cyber Threat Report from the Australian Signals Directorate, found the healthcare sector reported more incidents than any other industry (excluding government sectors with more stringent reporting requirements).
In fact, recent research from Rubrik Zero Labs found healthcare organisations observed by Rubrik experienced 50% more encryption events than the global average, all while the amount of their sensitive data records grew more than 5x the global average.
This explosion of sensitive data can explain why healthcare is so heavily targeted. When it comes to financially motivated attacks, sensitive data can be seen as a goldmine – particularly health records. Attackers assume a hospital or medical service would be willing to negotiate the return of such records given the private information.
The other side of the issue that puts healthcare in the sights of attackers is the lifesaving work they do. Should an encryption event disrupt a hospital’s ability to provide care, attack groups believe the hospital’s management would be more likely to give in to ransom demands.
A cybersecurity approach that minimises the impact of these attacks while ensuring high-quality care comes down to ensuring one thing – continuity of care. This means rapidly recovering and restarting services within minutes or hours, certainly not days or weeks, following an attack.
As recent incidents show, it’s clear perimeter defences alone are no longer enough. Cyber-resilience strategies need to be prioritised as a matter of urgency. This requires adopting an ‘assumed breach mindset’ and planning ahead for the inevitable day when attackers breach defences. Doing so can allow an organisation to rapidly identify exactly what data has been taken, which customers have been impacted and the most recent clean recovery point to accelerate remediation efforts.
Consider the experience of St Luke’s University Health Network, a non-profit healthcare provider in the US that cares for more than 80,000 patients and 340,000 ER visits every year. After running cyberattack simulations, St Luke’s discovered it would take months to recover and cost millions of dollars if they were hit with ransomware – not to mention the severe impact on patient care.
To overcome this risk, the network pursued a strategy of cyber-resilience. Its strategy involved transforming its data backups to be immutable and rapidly recoverable following an attack. It also gained the ability to scan backups to detect anomalies and hunt for threats. By doing so, St Luke’s can recover operations within minutes or hours instead of months. This approach ensures continuity of care by prioritising cyber-resilience.
While everything needs to be done to stop attacks before they happen, it is equally important to ensure a rapid recovery after a successful attack.
Mark Jow, Technical Evangelist EMEA at Gigamon
The UK healthcare sector is under siege. With so much at stake for healthcare organisations, from the stewardship of sensitive data to the ongoing expectation of always providing critical care, the healthcare industry is a prime target for cyberthreat actors. Across organisations, people often represent the weakest link in security. As such, cybercriminals regularly attempt to bypass network security measures by deceiving employees through social engineering tactics such as phishing and fake logins. The rise and widespread accessibility of advanced AI has also led to a rise in deepfake attacks – whether video, audio, textual or real-time/live – and there is no sign of this abating. Recent findings supported the emergence of this concerning trend, with 41% of respondents to a recent survey claiming to have witnessed a surge in AI-fueled attacks in the past year alone.
Security teams are therefore tasked with reducing this human targeted risk, however, employees are often granted excessive trust within healthcare networks, which means that threat actors don’t need to find a backdoor; they simply exploit the front door provided by people. This is where multi-factor authentication (MFA) is crucial. Healthcare organisations must implement robust MFA policies to ensure that access is only granted to those who have cleared a thorough verification process. This way, if threat actors manage to obtain an employee’s credentials, MFA acts as a safety net, preventing unauthorised access at the network’s entry point and stopping the attack in its tracks.
Once an attacker gains access to an organisation’s network, the chances of them being detected decreases considerably as we saw in the case of Change Healthcare where attackers loitered within systems for over a week before deploying ransomware. These attacks, often referred to as ‘Living-off-the-land’ attacks, are becoming more frequent due to organisations lacking the visibility necessary to detect lateral movement on their networks. This prompted the NSCS to issue a warning about the increasing prevalence of this tactic. By laying low in a compromised network, attackers can bide their time, only exfiltrating data once they’ve found all they need to maximise disruption, typically by targeting the most damaging and sensitive data available.
Only by achieving comprehensive and real-time network visibility, with properly segmented networks and MFA controls at every access point, can healthcare organsations detect and deter covert threat actors. Without these vital security measures in place, the persistent assurance of high-quality patient care remains a distant reality as the prospect of a devastating attack hangs in the balance.
