The Traverse City, Mich.-based Ponemon Institute, an independent research firm, recently released a report entitled “The Impact of Ransomware on Healthcare During COVID-19 and Beyond.” The report is sponsored by the Boston, Mass.-based Censinet.
The report was commissioned by Censinet, a third-party risk management platform for healthcare providers, due to the large rise in patient care organizations, which the report refers to as health delivery organizations (HDOs), contacting the company after ransomware attacks or other cybersecurity incidents, and the attacks’ relationship to the COVID-19 pandemic. Additionally, Censinet noticed that much of the coverage of healthcare cybersecurity issues was not focused on patient care, and the company was looking for additional parallels to the increase in third parties that are an essential part of the care process.
Significantly, fully 67 percent of patient care organizations have now been victims of ransomware attacks, with 33 percent having already been hit at least twice.
According to the report, “The Ponemon Institute surveyed 597 HDOs for this report, including integrated delivery networks, regional health systems, community hospitals, and more. The Ponemon Institute conducted the research, analyzed the results, and produced the report. Ponemon is one of the top independent research firms for the healthcare industry. It was 100% independent. Censinet had no role in the research and did not have access to or know any of the participants.”
Further, “The purpose of this research is to understand how COVID-19 has impacted how healthcare delivery organizations protect patient care and patient information from increasing virulent cyberattacks, especially ransomware. Prior to COVID-19, 55 percent of respondents say they were not confident they could mitigate the risks of ransomware. In the age of COVID-19, 61 percent of respondents are not confident or have no confidence.”
Key findings from the report include:
- When asked about what impacts ransomware had on patient care, 71 percent of respondents reported a longer length of stay and 22 percent reported an increase in mortality rate
- When asked about the biggest concerns about ransomware resulting from their organization’s third-party risk management program (three responses could be selected), 54 percent said patient safety, 53 percent said care disruption, and 45 percent said ransomware
- When asked what actions respondents were taking to ease their concerns (more than one response was permitted), 50 percent said outsourcing part or all of the functions to a managed service provider, 46 percent said allocating more budget toward risk management, and 44 percent said they were looking for automated solutions to improve efficiency
- When asked about the biggest barriers to achieving their organization’s vendor risk management objectives (three responses were allowed), 47 percent said complexity of technologies that support vendor risk management, 44 percent said difficulty hiring personnel with the right skills, and 43 percent said lack of cooperation and collaboration among various departments
- When asked what types of cyberattacks had increased since COVID-19 (more than one response was permitted), 60 percent of those surveyed said credential theft, 55 percent said compromised/stolen devices, and 43 percent said account takeover
The report has several recommendations for mitigating ransomware and third-party risks. “Ensure critical steps for identifying and mitigating third-party risks are in place,” the report states. “Sixty percent of organizations represented in this research had a data breach in the past two years, resulting in an average of 28,505 records containing sensitive and confidential information compromised. According to the research, organizations can only partially evaluate the various threats targeting their assets and IT vulnerabilities. They also lack the capability to continuously monitor vendor risks.”