Many health care organizations lack resources to fend off cyberattacks

Even though health care organizations remain a major target of cyberattacks, many say they lack the resources and know-how to adequately protect themselves from hackers, according to results of a recent study.

Ponemon Institute, a security research firm, surveyed IT specialists at 641 health care organizations. Nearly 90% said their organization had experienced at least one cyberattack during the previous year, with the average being 43. At an average cost of $1.1 million, lost productivity was the major financial consequence of attacks. The average total cost for the most expensive cyberattack on each organization was $4.4 million, a total that includes direct cash outlays, labor expenses, overhead costs and lost business opportunities.

Despite the impact of these attacks, 53% of respondents said their organization lacked the in-house expertise, and 46% said they had insufficient staff to defend themselves effectively from cyberattacks.

“The attacks we analyzed put a significant strain on healthcare organizations’ resources,” Larry Ponemon, founder and chair of the Ponemon Institute, said in an accompanying news release. “Their result is not only tremendous cost but also a direct impact on patient care, endangering people’s safety and wellbeing.”

Most respondents also thought that technologies such as cloud, mobile, big data, and the Internet of Things, all of which are seeing increased adoption, increase the risks to patient data and safety, Ponemon added.

Among the study’s other findings:

• The biggest threat to patient safety and care delivery comes from ransomware attacks. Sixty-four percent of respondents in organizations that experienced such an attack said it resulted in delays in procedures and tests that caused worse outcomes for patients. In addition, 59% said the attack resulted in longer patient stays.
• Insecure medical devices and mobile apps are major cybersecurity vulnerabilities. Sixty-four percent of respondents said they are concerned about the security of medical devices such as pacemakers and infusion pumps, and 59 percent said they are concerned about insecure mobile apps. Even so, only 51% of respondents said preventing and responding to an attack on these devices was part of their cybersecurity strategy.
• Half of respondents said their organizations experienced an attack on their supply chain, with 70% of those saying the attack disrupted patient care.
• Training and awareness programs, along with employee monitoring, are organizations’ main defenses against cyberattacks. Sixty-three percent of respondents said their organizations conduct regular training and awareness programs, while 59% monitor employee actions.

The study, “Cyber Insecurity in Healthcare: The Cost And Impact On Patient Safety And Care” was sponsored by Proofpoint, Inc., a cybersecurity and compliance company.