EXECUTIVE SUMMARY

Access the full PDF from the Contents menu at any time

EXECUTIVE SUMMARY

AN EFFECTIVE CYBERSECURITY APPROACH CENTERED AROUND STOPPING HUMAN-TARGETED ATTACKS IS CRUCIAL FOR HEALTHCARE INSTITUTIONS, NOT JUST TO PROTECT CONFIDENTIAL PATIENT DATA BUT ALSO TO ENSURE THE HIGHEST QUALITY OF MEDICAL CARE.

This third annual report was conducted to determine if the healthcare industry is making progress in reducing human-centric cybersecurity risks and disruptions to patient care.With sponsorship from Proofpoint, Ponemon Institute surveyed 648 IT and IT security practitioners in healthcare organizations who are responsible for participating in such cybersecurity strategies as setting IT cybersecurity priorities, managing budgets and selecting vendors and contractors.According to the research, 92 percent of organizations surveyed experienced at least one cyberattack in the past 12 months, an increase from 88 percent in 2023. For organizations in that group, the average number of cyberattacks was 40. We asked respondents to estimate the single most expensive cyberattack experienced in the past 12 months from a range of less than $10,000 to more than $25 million. Based on the responses, the average total cost for the most expensive cyberattack was $4,740,000, a 5 percent decrease over last year. This included all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunities.At an average cost of $1.47 million, disruption to normal healthcare operations because of system availability problems continues to be the most expensive consequence from the cyberattack, a 13 percent increase from an average $1.3 million in 2023. Users’ idle time and lost productivity because of downtime or system performance delays decreased from $1.1 million in 2023 to $995,484 in 2024. The cost of the time required to ensure the impact on patient care is corrected also decreased from an average of $1 million average in 2023 to $853,272 in 2024.

Ponemon Institute surveyed 648 IT and IT security practitioners in healthcare organizations. According to the research, 92 percent of organizations surveyed experienced at least one cyberattack in the past 12 months, an increase from 88 percent in 2023.

Want to read the full report?

Download full report

of organizations in this research had at least one cyberattack over the past 12 months

is the average total cost for the single most expensive cyberattack experienced over the past 12 months

in disruption to normal healthcare operations was on average the most significant financial consequence from the cyberattack

The report analyzes four types of cyberattacks and their impact on healthcare organizations, patient safety and patient care delivery:

CLOUD/ACCOUNT COMPROMISE

The most frequent attacks in healthcare are against the cloud, making it the top cybersecurity threat for the third consecutive year.

63% of respondents say their organizations are vulnerable or highly vulnerable to a cloud/account compromise. Sixty-nine percent say their organizations have experienced a cloud/account compromise. In the past two years, organizations in this group experienced an average of 20 cloud compromises.

SUPPLY CHAIN ATTACKS

Organizations are very or highly vulnerable to a supply chain attack, according to 60 percent of respondents.

68% say their organizations experienced an average of four attacks against its supply chain in the past two years. Sixty-eight percent say their organizations experienced an average of four attacks against its supply chain in the past two years.

RANSOMWARE

Ransomware remains an ever-present threat to healthcare organizations, even though concerns about it have declined.

54% of respondents believe their organizations are vulnerable or highly vulnerable to a ransomware attack, a decline from 64 percent. In the past two years, organizations that had ransomware attacks (59 percent of respondents) experienced an average of four such attacks. While fewer organizations paid the ransom (36 percent in 2024 vs. 40 percent in 2023), the ransom paid spiked 10 percent to an average of $1,099,200 compared to $995,450 in the previous year.

BUSINESS EMAIL COMPROMISE (BEC) /SPOOFING/IMPERSONATION

Concerns about BEC/spoofing/impersonation attacks have decreased.

52% of respondents say their organizations are vulnerable or highly vulnerable to a BEC/spoofing/ impersonation incident, a decrease from 61 percent in 2023. Fifty-seven percent of respondents say their organizations experienced an average of four attacks in the past two years.

Want to read the full report?

Download full report

Nearly 70% of surveyed healthcare organizations report patient care disruptions from cyberattacks.

As in the previous report, an important part of the research is the connection between cyberattacks and patient safety. Among the organizations that experienced the four types of cyberattacks in the study, an average of 69 percent report disruption to patient care.Specifically, as shown in Table 1 below, an average of 56 percent report poor patient outcomes due to delays in procedures and tests, an average of 53 percent saw an increase in medical procedure complications and an average of 28 percent say patient mortality rates increased, a 21 percent spike over last year.

^{TABLE 1.}

Five ways that cyberattacks impact patient outcomes

CYBERATTACK	Ransomware	BEC	Supply Chain	Cloud/Account Compromise	2024 Average
POOR OUTCOMES: DELAY IN TESTS/ PROCEDURES	61%	69%	48%	44%	56%
INCREASE COMPLICATIONS FROM MEDICAL PROCEDURES	47%	57%	51%	56%	53%
LONGER LENGTH OF STAY	58%	52%	45%	52%	52%
INCREASE IN PATIENTS TRANSFERRED OR DIVERTED TO OTHER FACILITIES	52%	50%	38%	36%	44%
INCREASE IN MORTALITY RATE	29%	24%	26%	32%	28%

As in the previous report, an important part of the research is the connection between cyberattacks and patient safety.

The following are additional trends in how cyberattacks have affected patient safety and patient care delivery:

Supply chain attacks are most likely to affect patient care.

68% of respondents say their organizations had an attack against their supply chains. Of this group, 82 percent say it disrupted patient care, an increase from 77 percent in 2023. Patients were primarily impacted by an increase in complications from medical procedures (51 percent) and delays in procedures and tests that resulted in poor outcomes (48 percent).

BEC/spoofing/impersonation attack causes delays in procedures and tests.

57% of respondents say their organizations experienced a BEC/spoofing/impersonation incident. Of these respondents, 65 percent say a BEC/spoofing/impersonation attack disrupted patient care. Sixty-nine percent say the consequences caused delays in procedures and tests that have resulted in poor outcomes and 57 percent say it increased complications from medical procedures.

Ransomware attacks cause delays in patient care.

59% of respondents say their organizations experienced a ransomware attack. Of this group, 70 percent say ransomware attacks had a negative impact on patient care. Sixty-one percent say patient care was affected by delays in procedures and tests that resulted in poor outcomes and 58 percent say it resulted in longer lengths of stay, which affects organizations’ ability to care for patients.

Cloud/account compromises are least likely to disrupt patient care.

69% of respondents say their organizations experienced a cloud/account compromise. In this year’s study, 57 percent say the cloud/account compromises resulted in disruption in patient care operations, an increase from 49 percent in 2023. Fifty-six percent of respondents say cloud/account compromises increased complications from medical procedures and 52 percent say it resulted in a longer length of stay.

Data loss or exfiltration has had an impact on patient mortality.

92% of organizations had at least two data loss incidents involving sensitive and confidential healthcare data in the past two years. On average, organizations experienced 20 such incidents in the past two years. Fifty-one percent say the data loss or exfiltration resulted in a disruption in patient care. Of these respondents, 50 percent say it increased the mortality rate and 37 percent say it caused delays in procedures and tests that resulted in poor outcomes.

OTHER KEY TRENDS IN CYBER INSECURITY

CARELESS USERS WERE THE TOP CAUSE OF DATA LOSS AND EXFILTRATION

31%

say data loss or exfiltration was caused by
employees not following policies.

Accidental data loss is the second highest cause of data loss and exfiltration.

52%

are very concerned about employee
negligence or error.

CLOUD-BASED PRODUCTIVITY TOOLS ARE MOST OFTEN ATTACKED

61%

say text messaging was the most
attacked collaboration tool.

59%

say email was the second highest
attacked collaboration tool.

TOP 2 CHALLENGES TO HAVING AN EFFECTIVE CYBERSECURITY POSTURE

55%

say they lack in-house expertise.

49%

say they lack clear leadership,
up from 14% in 2023.

OTHER KEY TRENDS IN CYBER INSECURITY

BUDGETS INCREASED BECAUSE CYBER SAFETY IS PATIENT SAFETY

Concerns about budget decreased from

47% _^to 40%

$66M

Average annual budget for
IT increased, up 12% YoY.

19%

Percentage in IT budget dedicated
to information security.

SECURITY AWARENESS TRAINING PROGRAMS CONTINUE TO BE A PRIMARY
STEP TAKEN TO REDUCE INSIDER RISK

More organizations say they are taking steps to address the risk caused by employees.

71%

in 2024

VS

65%

in 2023

Of this group:

say they conduct regular training
and awareness programs.

say they monitor the
actions of employees.

OTHER KEY TRENDS IN CYBER INSECURITY

TOP 3 CYBERSECURITY TOOLS TO PROTECT AGAINST EMAIL-BASED ATTACKS

53%

anti-virus/anti-malware

52%

patch and vulnerability management

49%

multi-factor authentication

CONCERNS ABOUT INSECURE MOBILE APPS ROSE SIGNIFICANTLY

59%

are worried about the security risks created by insecure mobile apps (eHealth), up from 51% in 2023.

TRENDS FOR AI
IN HEALTHCARE

54%

say they have embedded AI in
cybersecurity and patient care.

57%

say AI is very effective in improving
organizations’ cybersecurity posture.

OTHER KEY TRENDS IN CYBER INSECURITY

USING AI FOR TIME, COST, AND PRODUCTIVITY

55%

say that AI-based security tools will increase productivity for IT security personnel.

48%

say AI simplifies patient care and administrators’ work by performing tasks in less time and cost than humans.

USING AI TO PROTECT AGAINST
EMAIL-BASED ATTACKS

36%

use AI and machine learning to
understand human behavior.

Of this group:

say understanding human behavior
to protect emails is very important.

OTHER KEY TRENDS IN CYBER INSECURITY

CHALLENGES TO ADOPTING AI

63%

agree safeguarding confidential and sensitive data used in organizations’ AI is difficult or very difficult.

32%

say there are errors and inaccuracies
in data inputs ingested by AI.

34%

believe there’s a shortage of mature
and/or stable AI tools.

32%

say interoperability issues among AI
technologies deter widespread acceptance.

Download full report