The new report from Proofpoint not only provides further evidence of a correlation between cyberattacks and increased patient mortality but also suggests healthcare organizations are better prepared and more resilient against security incidents.
In 2018, Dr. Sung Choi – a research professor at Vanderbilt University’s Owen Graduate School of Management – presented a paper to a cyberrisk quantification conference hosted by Drexel University’s LeBow College of Business in Philadelphia demonstrating a correlation between cyberattacks and increased patient mortality.
The paper was the result of an analysis of pre-breach and post-breach patient outcomes across 3,025 hospitals between 2012 and 2016 focusing on patients with acute myocardial infarction. The analysis found that, in breached hospitals, the patient mortality rate increased significantly – resulting in an additional 2,160 deaths each year.
Interestingly, the increased patient mortality rate was not attributed to point-in-time or ongoing cyberattacks, but rather the remediation measures put in place by the hospitals as the result of a cyberattack to enhance security. Because of these measures, Choi found it took longer to administer an electrocardiograph to a newly admitted patient, access the EHR, order, review, and execute the EHR, and start treatment for the patient.
Choi Paper Supported by CISA Analysis
Subsequently, while investigating the October 2020 University of Vermont Health Network ransomware attack, the Cybersecurity and Infrastructure Security Agency (CISA) found that hospitals that were not connected to the Network's IT systems experienced less "hospital strain", less degraded hospital services, and fewer excess deaths than those that were connected.
While the long-term consequences of the cyberattack were measured over a far shorter period than Choi's paper – and the cyberattack occurred during the peak of Vermont's first COVID-19 wave – CISA's analysis strengthened the correlation between cyberattacks and increased patient mortality identified in Choi's paper, prompting CISA Senior Advisor Josh Corman to state:
"You're reaching that danger zone where you're going to see excess deaths two, four, and six weeks later more quickly. Water is wet, fire is hot, and we can now tell that cyber disruption introduces degraded or delayed patient care."
Corman commented that the findings of the analysis would likely be true even if the cyberattack had not occurred during the peak of the first COVID-19 wave, while the Chief Quality Officer for New York's Northwell Health Network – Mark Jarrett – added: "Clinicians in general tend to think of this as an information technology issue, and it really isn't. It's a patient safety issue."
Further Evidence in New Proofpoint Report
Over the past few years, various reports have been produced by security software vendors suggesting a correlation between cyberattacks and increased patient mortality, but a new report conducted by the Ponemon Institute on behalf of Proofpoint extends the scope of previous reports to include cyberattacks on supply chains and the impact these have on increased patient mortality.
With regard to cyberattacks on supply chains, 50% of respondents to the Ponemon Institute's survey said their organizations had experienced an attack against their supply chain, and 70% of those said it disrupted patient care. The most common negative outcomes were an increase in the severity of an illness (54%) and a longer length of stay (51%). Alarmingly, 23% of respondents reported an increase in patient mortality due to a supply chain cyberattack. Other key takeaways from the report include:
- 67% of respondents said a BEC attack and/or a ransomware attack disrupted patient care.
- 59% of those who experienced a ransomware attack said it resulted in a longer length of stay.
- 64% of those who experienced a ransomware attack said the attack caused delays in procedures and tests that resulted in poor outcomes.
- 24% of respondents who experienced a ransomware attack said the attack increased the patient mortality rate.
How Healthcare Organizations are Better Prepared
While the Proofpoint report includes some frightening statistics with regard to the correlation between cyberattacks and increased patient mortality, reading between the lines, it appears healthcare organizations are better prepared and more resilient against security incidents than they were during the period analysed by Dr. Choi for his paper.
For example, 60% of respondents to the Ponemon Institute's survey said they have adopted a multi-layered approach to data security and use threat intelligence solutions to mitigate the risk of a security incident. 79% of respondents had implemented adaptive access controls to protect the users most at risk, while 78% used strong authentication controls and 74% used multiple identity federation standards.
Admittedly, some have more work to do to bring their security up to scratch. Only 63% of respondents said they conducted regular security and awareness training (a requirement of the HIPAA Security Rule), while 59% of respondents said their organizations monitor workforce online activity (another requirement of the HIPAA Security Rule if workforce members are accessing ePHI).