COVID Brings Deadlier Edge To Healthcare Ransomware Attacks

Over the past several years, the number of ransomware attacks on healthcare organizations has continued to grow. Worse, these attacks are beginning to impose direct harm on patients.

Despite the critical nature of these threats and the intense need to shut them down, healthcare IT leaders have been struggling to keep up.

Now, with COVID-19 having imposed a heavy burden on healthcare IT organizations, they seem even less certain that they can beat back ransomware. According to a new study by Ponemon Institute that was commissioned by Censinet, the number of health IT leaders who don’t feel confident that they can fight ransomware adequately is growing.

To conduct the study, Ponemon surveyed 597 IT and IT security pros working in health care delivery organizations, which the researchers define as being entities that deliver clinical care and rely upon the security of third parties with whom they contract services and products. These include integrated delivery networks, regional health systems, community hospitals, physician groups and payers.

Over the last two years, 43% of respondents said that their healthcare delivery organizations had experienced a ransomware attack. Of those targeted, 67% experienced one attack and 33% were hit two times or more.

Attacks such as credential theft (60% of respondents) and compromise of devices (55%) have increased since COVID-19. Other forms of ransomware attacks that have increased include account takeover, denial of service, malicious insiders and advanced malware/zero-day attacks.

Not surprisingly, 69% of respondents said that COVID-19 had directly impacted their organization’s ability to manage third-party risk. In response to the demands COVID has imposed, 63% of respondents have added more staff, and demand for risk assessments has increased (60% of respondents). Meanwhile, 50% of respondents said their third-party risk management program had been completely or partially outsourced.

And these attacks did more than gum up the networks or enterprise computing functions. Respondents said that ransomware attacks had a significant effect on patient care, including longer lengths of stay (71% of respondents), delays in procedures and tests (70% of respondents), and increased inpatient transfers or facility diversions (65% of respondents). These groups also saw an increase in complications from medical procedures and mortality rates (36% of respondents).

Adding to the complexity of the picture, these health care delivery organizations are increasingly likely to rely on technology not developed in-house, which brings new layers of risk to the table. These additional risks need to be managed at each stage of the relationship with third parties.

Unfortunately, it seems that the third-party risk problem will only continue to get worse going forward. These health care delivery organizations are forecasting that the number of third parties with which they contract should increase 30% over the next 12 months.

All told, with COVID issues piled on, it seems the threat posed by ransomware has grown nastier. Let’s hope we can catch up sometime soon.

   
