Posted By HIPAA Journal on Sep 27, 2021
While there have been no reported cases of American patients dying as a direct result of a ransomware attack, a new study suggests patient mortality does increase following a ransomware attack on a healthcare provider. According to a recent survey conducted by the Ponemon Institute, more than one fifth (22%) of healthcare organizations said patient mortality increased after a ransomware attack.
Ransomware attacks on healthcare providers often result in IT systems being taken offline, phone and voicemail systems can be disrupted, emergency patients are often redirected to other facilities, and routine appointments are commonly postponed. The recovery process can take several weeks, during which time services continue to be disrupted.
While some ransomware gangs have a policy of not attacking healthcare organizations, many ransomware operations target healthcare. For instance, the Vice Society ransomware operation has conducted around 20% of its attacks on the healthcare sector and attacks on healthcare organizations have been increasing. During the past 2 years, 43% of respondents said their organization had suffered a ransomware attack, and out of those, 67% said they had one while 33% said they had more than one.
The study, which was sponsored by Censinet, involved a survey of 597 healthcare organizations including integrated delivery networks, community hospitals, and regional health systems. The cost of ransomware attacks on the healthcare industry had been determined in a previous Ponemon Institute survey, with the data presented in the IBM Security Cost of a Data Breach Report. In 2021, costs had risen to an average of $9.23 million per incident. The Censinet study sought to determine whether these attacks had a negative impact on patient safety while also seeking to understand how COVID-19 has impacted the ability of healthcare organizations to protect patient care and patient information from ransomware attacks.
COVID-19 introduced many new risk factors, such as an increase in remote working and new IT systems to support those workers. Patient care requirements increased, and COVID-19 caused staff shortages. The survey confirmed that COVID-19 has affected the ability of healthcare organizations to defend against ransomware attacks and other increasingly virulent cyberattacks. Prior to COVID-19, 55% of healthcare organizations said they were not confident they would be able to mitigate the risks of ransomware, whereas now, 61% of healthcare organizations said they are not confident or have no confidence in their ability to mitigate the risks of ransomware.
These attacks were found to be negatively affecting patient safety. 71% of respondents said ransomware attacks resulted in an increased length of stay in hospitals and 70% said delays in testing and medical procedures due to ransomware attacks resulted in poor patient outcomes. Following an attack, 65% of respondents said there was an increase in the number of patients being redirected to alternative facilities, 36% said they had increases in complications from medical procedures, and 22% said they had an increase in mortality rate after an attack.
One of the factors that has contributed to a higher risk of a ransomware attack occurring is the increased reliance on business associates for digitizing and distributing healthcare information and providing medical devices. On average, respondents said they work with 1,950 third parties and that number is expected to increase over the next 12 months by around 30% to an average of 2,541.
Business associates of healthcare organizations are being targeted by ransomware gangs and other cybercriminal organizations. Cybersecurity at business associates is often weaker than their healthcare clients, and one attack on a business associate could provide access to the networks of multiple healthcare clients.
Even though working with third parties increases risk, 40% of respondents said they do not always complete a risk assessment of third parties prior to entering into a contract. Even when risk assessments are conducted, 38% of respondents said those risk assessments were often ignored by leaders. Once contracts have been signed, over half (53%) of respondents said they had no regular schedule of conducting further risk assessments or that they were only conducted on demand.
Censinet recommends creating an inventory of all vendors and protected health information. It is only possible to ensure systems and data are secured if accurate inventories are maintained. Workflow automation tools are useful for establishing a digital inventory of all third parties and PHI records. These tools should also be used for creating an inventory of medical devices. Medical devices can provide an easy entry point into healthcare networks, so it is essential that these devices are secured. Only 36% of respondents said their organization knew where all medical devices were located, and only 35% said they were aware when those devices would reach end-of-life and would no longer be supported.
The report recommends conducting a thorough risk assessment of a vendor prior to entering into a contract, and then conducting periodic risk assessments thereafter and ensuring action is taken to address any issues identified. Further investment in cybersecurity is required specifically to cover re-assessments of high-risk third parties, as currently, only 32% of critical and high-risk third parties are assessed annually, and just 27% are reassessed annually.
The report also strongly recommends assigning risk accountability and ownership to one role, which will help to ensure an effective enterprise risk management strategy can be adopted and maintained.
Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist in legal and regulatory affairs and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.