- About one in four providers say their organizations saw an increase in mortality rates following a ransomware attack, according to a new survey from the Ponemon Institute.
- The study, sponsored by Boston-based health data security company Censinet, found the COVID-19 pandemic has resulted in less confidence among providers in mitigating the risks posed by ransomware. Of the health delivery organizations surveyed, 61% have been victims of ransomware attacks, and of those that have been hit, 33% have been hit more than once. Meanwhile, 61% of providers aren't confident in their ability to combat ransomware, up from 55% pre-COVID-19.
- Falling confidence is partially due to a sharp growth in third party ties, Ponemon found. Providers expect the number of third parties they contract with to grow at an annual rate of 30%, from 1,950 up to 2,541 in the next 12 months. Of the third parties, 43% have access to patients' personal health information, putting providers at higher risk of a breach or hack.
Hacks and data breaches always pose a threat to business operations or finances, but are particularly dangerous in healthcare, where they could potentially harm the quality of patient care. Cybersecurity experts have been warning that attacks using ransomware, a type of malware that encrypts a victim's files, rendering them inaccessible to their owner unless a ransom is paid to decrypt them, have been growing in the healthcare industry over the past few years without a corresponding increase in security measures.
And the pandemic has injected further volatility into the picture, as staffing challenges and increasing patient acuity are combining with new attack surfaces and infiltration points for bad actors with the rise of remote work, greater adoption of digital health tools and connected medical devices. The combination of these factors has created the "perfect cybersecurity storm," according to Ed Gaudet, Censinet's CEO.
However, tying ransomware attacks to a corresponding decline in care outcomes is tricky. This study of health delivery organizations is one of the first finding a direct impact on patient care down the line, and comes roughly a year after a patient died as a result of delayed care after University Hospital Düsseldorf in Germany was forced to turn them away from its emergency room after a ransomware attack — thought to be the first instance of death by ransomware.
Along with an increase in mortality, the survey of roughly 600 providers also found ransomware resulted in more complications from medical procedures, delays in procedures and tests resulting in poor outcomes, an increase in patients being transferred or diverted to other facilities and longer patient lengths of stay.
"Our findings correlated increasing cyberattacks, especially ransomware, with negative effects on patient care, exacerbated by the impact of COVID on healthcare providers," said Larry Ponemon, founder of the Ponemon Institute, a research group.