Ransomware attacks continue to rise, and they're hurting patients: Survey

Information technology pros said the attacks are causing more health complications, and many say they’ve had to transfer patients or have seen longer hospital stays.

More healthcare organizations say they are being hit with ransomware attacks, and more say the attacks are having an impact on patient care.

Those are key takeaways from a new survey released by the Ponemon Institute. The survey was commissioned by Censinet, a cybersecurity firm. The institute surveyed 579 information technology professionals at healthcare organizations in the fourth quarter of 2022 and the findings were released Nov. 18.

Nearly half (47%) said their organizations experienced a ransomware attack in the past two years, up from 43% in 2021. Hospital leaders have said they have been seeing more ransomware attacks in recent months.

More IT professionals are saying the attacks led to complications in patient care, with 45% reporting complications from medical procedures due to ransomware attacks, up from 36% in 2021. More than half of those surveyed (53%) say a ransomware attack resulted in a disruption in patient care.

About one in five respondents (21%) said ransomware attacks had an adverse impact on mortality rates, a slight drop from 2021 (22%).

Among other patient impacts, more than two-thirds of IT professionals (70%) said patients had to be transferred or diverted to other facilities, and 68% said the attacks led to patients having longer stays in the hospital.

“Ransomware continues to shut down hospital operations and disrupt care at an alarming rate,” Ed Gaudet, CEO and founder of Censinet, said in a statement accompanying the report.

Healthcare leaders have been increasingly calling for hospitals and health systems to deal with cybersecurity as a threat to patient care, in addition to the financial and reputational costs.

IT professionals say there is a significant rise in ransomware attacks triggered through a third party. Among those reporting they experienced a ransomware attack, 46% said it was triggered by a third party, up from 36% in 2021.

The average ransom payment has increased to $352,541, up from $282,675 two years ago, the report said.

Cybersecurity experts say the costs to healthcare organizations go well beyond ransom payments when factoring in added expenses in manpower and in implementing other protections. The average healthcare breach now costs more than $10 million, according to a July 2022 report from IBM Security.

On the upside, more organizations say they are taking steps to deal with ransomware attacks.

The survey found 60% of respondents said their organizations have business continuity plans in the event of a ransomware attack, up from 54% in 2021. And 33% said they have increased funds for a possible ransomware attack, up from 23% in 2021.

Healthcare organizations reported hundreds of cyberattacks and data breaches in 2022, and those incidents affected millions of Americans.

The survey made a case for organizations to engage in benchmarking cybersecurity measures with other peer organizations as a useful tool in building stronger protections.

More than three out of four respondents (78%) said benchmarking is useful in demonstrating the effectiveness of cybersecurity programs, while more than half (52%) said benchmarking improves cybersecurity programs.
