88% of Hospitals and Other Health Care Organizations Faced Cyberattacks Last Year

Hospitals, clinics and other health care organizations are facing a barrage of cyberattacks and struggling to provide normal services amid computer outages and loss of important files, according to newly published research by Proofpoint, an email security firm.

Nearly 90% of health care organizations have experienced at least one cyberattack in the past year, Proofpoint said in a report published on Wednesday. In the past two years, more than half of organizations reported suffering an average of four ransomware attacks, and 68% of those respondents said the attacks “negatively impacted patient safety and care.”

Proofpoint’s report, based on surveys of more than 650 IT and cybersecurity experts at U.S. health care organizations, contains a host of worrisome findings that underscore the health care sector’s continuing vulnerability to basic attack techniques. It comes as the Cybersecurity and Infrastructure Security Agency tries to direct more aid to small, rural and underfunded hospitals that are buckling under relentless cyberattacks.

These campaigns are increasingly draining health care organizations’ resources as they scramble to find workarounds to their traditional technology and continue providing services. The cost of the time spent mitigating the attacks’ effects on patient care increased 50% between 2022 and 2023, going from roughly $660,000 to $1 million.

When a ransomware attack shuts down a hospital’s computer network, the effects are immediate and wide-ranging. At a congressional hearing in September, Stephen Leffler, the president and chief operating officer of the University of Vermont Medical Center, described how an October 2020 ransomware attack plunged his facility into crisis. Older doctors had to teach younger physicians how to work with paper records for 28 days while National Guard personnel helped the IT department wipe and reconfigure every computer in their network in an around-the-clock effort. With their internet-based phone system offline, Leffler said, “We literally went to Best Buy and bought every walkie-talkie they had.”

A medical worker in full PPE reads a message on a computer screen while with a COVID patient at UMass Memorial Medical Center in Worcester, Massachusetts, in January 2022. (Joseph Prezioso/AFP via Getty Images)

“I’ve been an emergency medicine doctor for 30 years,” Leffler told lawmakers. “I’ve been a hospital president for four years. The cyberattack was much harder than the pandemic by far.”

While fewer health care organizations paid ransoms in 2023 (40%) than in 2022 (51%), the average ransom payment paid by health care organizations increased by nearly 30% to almost $1 million, according to the Proofpoint report.

Health care faces a range of complicated threats beyond ransomware. The industry’s reliance on medical device vendors and health care software companies exposes it to what are known as supply-chain attacks, where hackers breach a company to get access to that company’s customers. In the past two years, Proofpoint found, 64% of respondents reported experiencing an average of four supply-chain attacks, and 77% of those organizations said the attacks affected patient care.

At half of the organizations that experienced supply-chain attacks, the disruptions led to more severe illnesses because of delayed procedures.
