Ransomware and other destructive cyberattacks on healthcare delivery organizations (HDOs) can cripple IT systems, prevent access to protected health information, and often see appointments cancelled and patients redirected to other healthcare facilities. The disruption caused and lack of access to patient data can impact patient safety, and while there have been no reported cases in the United States of patients dying as a direct result of a ransomware attack, it is only a matter of time before attacks directly cause fatalities.
A recent study explored the impact ransomware and other cyberattacks are having on patient safety and how COVID-19 has affected the ability of HDOs to defend against them. The study was commissioned by Censinet and conducted by the Ponemon Institute on 597 HDOs, including regional health systems, community hospitals, and integrated delivery networks.
Ransomware attacks on healthcare organizations increased significantly in 2020 and the increase has continued in 2021. During that time, HDOs have had to deal with the challenges created by the SARS-CoV-2 pandemic. HDOs had to increase the number of staff working remotely, introduce new systems to support remote workers, and patient care requirements increased while many HDOs experienced staff shortages.
The study confirmed that confidence in the ability to defend against attacks has fallen. Prior to COVID-19, 55% of respondents said they were not confident in the ability of the HDO to defend against attacks. In the COVID-19 era, 61% of respondents said they had no confidence or low confidence in the ability of their HDO to defend against attacks. 43% of respondents said their HDO had suffered a ransomware attack in the past 2 years, with 67% of those experiencing one attack and 33% experiencing more than one attack.
Ransomware attacks were shown to have an impact on patient safety. 71% of respondents reported an increase in the length of hospital stays following a ransomware attack, 70% said delays in medical procedures and testing after an attack resulted in poor patient outcomes, and 36% reported a rise in complications from routine medical procedures after an attack. Almost a quarter (22%) of HDOs said they had an increase in patient mortality after a ransomware attack.
HDOs often use third parties to provide services related to digitizing and distributing healthcare information and supplying medical devices. The study revealed an HDO typically works with 1,950 third parties and in the next 12 months it has been predicted the average number of third parties working with HDOs will increase to 2,541.
An attack on a business associate can provide a hacker with access to the networks of multiple healthcare clients, as the attacks on Blackbaud and Kaseya clearly demonstrated, and cyberattacks on business associates of HDOs have been increasing. Working with third parties introduces new risks, and with so many business associates providing services to HDOs that require access to healthcare systems or contact with protected health information (PHI) it is essential that those risks are identified and mitigated; however, the study revealed risk assessments are not always being conducted on new vendors.
40% of respondents said risk assessments on third parties are not always conducted prior to signing a contract. 38% said that when risk assessments are conducted, leaders often ignore them. 53% of respondents said that, after a contract has been signed, risk assessments were only conducted on demand or on no regular schedule.
The number of networked medical devices in use at HDOs has been increasing, and these devices can provide an easy way for hackers to gain access to healthcare networks. Just 36% of respondents said their organization was aware of where all their medical devices were located, and 35% said they were unaware of when the devices would reach end-of-life.
Addressing third-party risk should be a priority for HDOs. The report recommends creating an inventory of all third parties, protected health information, and medical devices, using workflow automation tools to help build and maintain it, and devoting adequate resources to securing devices and ensuring risk assessments are conducted on third parties.
Risk accountability and ownership should also be assigned to a single role, as this helps ensure an effective enterprise risk management strategy can be implemented and maintained.
It is also vital to conduct a risk assessment prior to signing any contract with a third party, and to ensure that regular reassessments take place. Only 32% of critical and high-risk third parties are assessed annually by the average HDO, and just 27% of third parties are reassessed annually.
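As an added illustration of the inventory and reassessment checks recommended above (example code, not part of the study or this article), the following Python review flags third parties with no pre-contract assessment or no assessment in the last year, reports the share of critical and high-risk parties assessed annually, and flags medical devices whose location or end-of-life date is unknown. The vendor and device records are constructed sample data; the annual cadence follows the article, and the record field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
ANNUAL = timedelta(days=365)  # reassessment cadence the article measures against

@dataclass
class ThirdParty:
    name: str
    risk_tier: str         # "critical", "high", "medium" or "low"
    contract_signed: date
    assessments: list      # dates of completed risk assessments
@dataclass
class MedicalDevice:
    asset_id: str
    location: Optional[str]      # None when the HDO does not know where it is
    end_of_life: Optional[date]  # None when unknown
def review_third_parties(parties, today):
    # One (name, finding) pair per gap the article warns about.
    findings = []
    for p in parties:
        if not any(d <= p.contract_signed for d in p.assessments):
            findings.append((p.name, "no risk assessment before contract signing"))
        if not p.assessments or today - max(p.assessments) > ANNUAL:
            findings.append((p.name, "reassessment overdue (none in the last year)"))
    return findings

def share_assessed_annually(parties, today, tiers=("critical", "high")):
    # Fraction of parties in the given tiers assessed within the last year.
    pool = [p for p in parties if p.risk_tier in tiers]
    current = [p for p in pool if p.assessments and today - max(p.assessments) <= ANNUAL]
    return len(current) / len(pool) if pool else 0.0

def review_devices(devices, today):
    # Flag devices with unknown location or end-of-life, or already past end-of-life.
    findings = []
    for d in devices:
        if d.location is None:
            findings.append((d.asset_id, "location unknown"))
        if d.end_of_life is None:
            findings.append((d.asset_id, "end-of-life date unknown"))
        elif d.end_of_life <= today:
            findings.append((d.asset_id, "past end-of-life"))
    return findings
# Constructed sample inventory, not data from the study.
TODAY = date(2021, 10, 1)
PARTIES = [ThirdParty("BillingCo", "critical", date(2020, 3, 1), [date(2020, 2, 10), date(2021, 3, 5)]),
           ThirdParty("ImagingVendor", "high", date(2019, 6, 1), [date(2019, 8, 1)]),
           ThirdParty("CateringLtd", "low", date(2021, 1, 15), [])]
DEVICES = [MedicalDevice("pump-001", "Ward 3", date(2023, 1, 1)), MedicalDevice("monitor-017", None, None),
           MedicalDevice("infusion-042", "ICU", date(2020, 12, 31))]
```

Running `review_third_parties(PARTIES, TODAY)`, `review_devices(DEVICES, TODAY)` and `share_assessed_annually(PARTIES, TODAY)` on the sample inventory yields the gaps for ImagingVendor, CateringLtd, monitor-017 and infusion-042, and a 50% annual-assessment rate for the critical and high-risk tier.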