Ransomware, Supply chain, Risk Assessments/Management

Report: Ransomware is a patient mortality risk, driven by COVID, third-party vendors

NEW YORK, NY – APRIL 04: Health workers walk with a patient outside of Mount Sinai Hospital which has seen an upsurge of coronavirus patients on April 04, 2020 in New York City.  Hospitals in New York City, which has been especially hard hit by the coronavirus, are facing shortages of beds, ventilators and protective equipment for medical staff. Cu...

A new report from the Ponemon Institute reinforces the patient safety risks posed by ransomware attacks: 22% of surveyed providers saw an increase in the rate of mortality in their health care organization after a cyberattack. The driving factors include the COVID-19 response and security gaps within the third-party vendor ecosystem.

“The possible adverse impact on patient care due to third-party risks is the biggest pain point in organizations,” according to the report. “Cyberattacks have resulted in more extended hospital stays and delays in procedures and tests that have resulted in poor outcomes.”

For the Censinet-sponsored report, Ponemon researchers surveyed 597 IT and IT security professionals from health care delivery organizations (HDO) to assess the impact of COVID-19 and the rise in cyberattacks like ransomware on patient care and patient data security.

Industry stakeholders have long warned of the imminent risk to patient safety posed by cyberattacks and the downtime brought on in response.

But outside of a 2019 report, data on specific mortality incidents have remained sparse, driving the need for threat sharing and first-hand accounts to better inform the industry on specific scenarios increasing the risk of patient harm. In multiple attacks this years, patients reported facing long wait times, delayed appointments, canceled surgeries, and other care challenges brought on by ransomware-induced network outages.

With Ponemon’s report, health IT leaders confirm the direct link between cyberattacks and patient care through providers’ experiences. In the last two years, 43% of the surveyed health care organizations experienced a ransomware attack, with 33% falling victim to two or more attacks.

Of those providers, 71% reported an increase in the length of stay and 70% saw delays in procedures and tests that spurred poor care outcomes. Another 65% found an increase in patients transferred or diverted to local care sites as a direct result of an attack, with 36% reporting increased complications from medical procedures.

For more than half of respondents, patient safety was named the largest concern after an attack, followed by care disruption. “Our findings correlated increasing cyberattacks, especially ransomware, with negative effects on patient care, exacerbated by the impact of COVID on health care providers,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement.

Third-party vendors adding to overall risks

The report saw a number of factors increasing the risk and overall lack of preparedness in health care. Prior to the pandemic, 55% of providers felt able to manage ransomware risks. But as COVID-19 worsened, 61% of respondents reported feeling no confidence or not confident they’d be able to adequately respond to an attack.

During the height of the pandemic, credential theft attacks saw the biggest spike in health care for 60% of organizations, followed by compromised or stolen devices (55%) and account takeover attacks (43%).

As many reports have shown, the national emergency introduced a host of new risk factors to delivery organizations, such as the rapid adoption of remote work, new services and devices quickly implemented to support IT, staffing challenges, and elevated care requirements.

But third-party risk was seen as the driving force for response challenges and security risks, both before and amid the pandemic. Of the organizations that faced a ransomware attack within the last two years, 36% said it was a third-party that caused it.

The leading cause of vendor management challenges is the complexity of the technologies that support risk management and the lack of skilled personnel, according to the report.

The average number of third-party vendors contracted with a single organization is about 1,950. In the next year, the average number will jump to 2,541. As health care continues to digitize and shift into greater interoperability, these challenges will persist — particularly with devices that hold a range of components not developed by the provider organization.

“Third-party products and services are a necessary and critical part of the IT blueprint, but each brings another set of risk factors to the table,” according to the report. “The risk created by the third party or the [organization’s] use of the third party needs to be managed. The burden is on the [entity] to perform assessments throughout their relationship with the third party.”

However, 44% of respondents said their third-party risk assessments are only partially accomplished by their organization. Just 40% of providers said their organization completes a third-party risk assessment before contracting with a vendor.

Even worse: 38% said their leadership team ignores the assessment findings. And while reassessments are crucial to maintaining secure, vendor relationships, 53% admitted their organization only conducts reassessments on demand or without a routine schedule.

The results of these security mishandlings are evident: with 60% of the surveyed organizations experiencing a data breach within the last two years.

But COVID-19 spurred some positive reactions within health care with an increase in staff and demands for more risk assessments. For half of these organizations, the third-party risk management program has been completely or partially outsourced to a managed service provider in direct response to the pandemic.

Just 30% said that nothing has changed to their organizations’ risk management.

“The combination of data breaches, ransomware attacks, and COVID-19 has created the perfect cybersecurity storm and the worst two years on record for IT and security leaders in health care,” Ed Gaudet, CEO and founder of Censinet, said in a statement.

“The Ponemon Research results are an urgent wake-up call for the health care industry to transform its cybersecurity and third-party risk programs or jeopardize patient lives,” he continued.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.