Ransomware attacks persist in healthcare as impacts on patient safety rise
Patient safety has become the driving force behind ongoing healthcare cybersecurity risk framing and as a risk metric for evaluating connected vendors. While reporting gaps limit precise calculations of those impacts, stakeholders are actively working to change that.
Two new reports spotlight ongoing challenges facing healthcare through a patient safety lens, both in retrospect and in the year ahead: Fortified Health Security’s 2023 Horizon Report and Ponemon Institute report on the impact of ransomware on patient safety.
The Ponemon report reaffirms that the number of healthcare data breaches didn’t change significantly last year, but the severity of each breach has steadily worsened. SC Media previously reported that more than a dozen of the biggest incidents in 2022 each impacted well over 1 million records. The vast majority of these were attributed to hacking and IT incidents.
As noted by CEO Dan L. Dodson, the Fortified Health report stressed that healthcare’s risk of targeting by threat actors mirrors other sectors. But the impacts in the industry far outpace the risks facing other industries: “The inability, or limited ability, to care for patients because of a security incident pales in comparison to a small charge on a credit card, easily reversed once identified.”
“Unlike credit card fraud, patient access to healthcare isn’t something you can easily walk back,” Dodson wrote.
As the latest Ponemon Institute survey shows, the impact of ransomware attacks on patient care has remained one of the biggest risks and challenges facing the sector. Overall, the sector faced a number of ransomware attacks last year, many of which were caused by poor cybersecurity controls both internally and with their third-party vendors and products.
Nearly half of the respondents experienced a ransomware attack in the last two years, and 93% faced between one to five ransomware-related incidents. The outages spurred from these attacks have not improved and can last upwards of 35 days.
Of those entities that faced a ransomware incident, half of the attacks were caused by a third party. The data reaffirms ongoing reports on the continued vendor challenges plaguing the sector.
More than half of ransomware victims reported that the attacks led to disruptions in patient care, which were tied to complications with medical procedures. The biggest impact reported was an increase in the likelihood of reverting to care diversion after an attack.
During a 2021 House Energy & Commerce hearing, Christian Dameff, an emergency room physician at the University of California San Diego, testified that ransomware attacks not only disrupt patient care at the targeted site: neighboring hospitals face care disruptions due to the overflow of unexpected patients diverted from those impacted care sites.
The widespread outages at CommonSpirit Health last year led to similar results.
The report also showed nearly a quarter of respondents believe ransomware also adversely affects patient mortality rates. As demonstrated in a study published recently in JAMA, reporting gaps have led to missing data to solidly confirm mortality impacts after a ransomware attack.
But a lawsuit filed in 2021 alleges that a baby died in an Alabama hospital that was operating under downtime procedures after a ransomware attack, as the tech needed to detect the baby’s distress was offline. The case garnered national headlines and confirmed the need for greater insight into care morbidity impacts.
While the sector gained momentum in several positive ways last year in terms of proposed policies and new FDA authorities for medical device security, healthcare leaders should not wait for federal action to address these possible gaps to reduce the risk of care disruptions in the event of an inevitable attack.
Benchmarking and other possible remedies for cyber risk
SC Media recently spoke with several leading healthcare security leaders at the launch of the Health3PT initiative, which aims to address these ongoing resource challenges especially around third parties. The consensus is that it’s imperative to move the industry to a much higher level of competence and ensure connected partners are meeting security requirements.
“As technologies change, as our business needs change,” John Houston, UPMC CISO previously told SC Media. Working with vendors and other business partners with verified mature security programs in place can give organizations the confidence needed in working relationships.
Ponemon’s report reflected on the role of benchmarking in addressing these challenges. Cybersecurity peer benchmarking is defined as the comparison of an entity’s security performance and maturity against similar delivery organizations across key security program costs, productivity, and operational metrics and coverage of industry recognized security practices, such as NIST Cybersecurity Framework.
The model provides valuable insights into how healthcare resources should be allocated to reduce the risk of ransomware and its potential impacts on patient care.
Benchmarking was also ranked as important to making the business case for hiring cyber staff and investing in technologies to the board and for demonstrating cybersecurity framework coverage and compliance, improving cybersecurity programs, and decision making.
Sixty percent of respondents to the Ponemon report said they felt that benchmarks were valuable to understanding just how much of their budgets should be allocated to their cybersecurity programs by demonstrating cybersecurity program effectiveness.
However, about half of the respondents reported that “issues with data discourage organizations from benchmarking their cybersecurity programs.” In fact, 57% report not benchmarking their cybersecurity programs against their peers for data-related reasons.
Lastly, the report confirmed the importance of having policies and practices in place to proactively assess third-party risk, remediate identified security gaps, and quickly respond to and recover from a third party-driven ransomware attack.
For Fortified Health Security, healthcare organizations “must get granular with cybersecurity precautions if they want to stem the tide of breaches” in the coming year. That means focusing on the basics: strong passwords, multi-factor authentication (MFA), vulnerability management, frequent patching, and managing human risk through continuous workforce training.
The reports reaffirm that the threats facing healthcare have remained consistent, serving to heighten possible care disruptions in the wake of an incident. Transparency is needed, as well as willing investments into identifying pain points and strengthening processes where possible.