Disruptive cyberattacks against healthcare on the rise, with increasing impacts to patient care, survey finds

Reports of recent cyberattacks and disruptions in patient care have ticked up among healthcare organizations since 2023, with the average attack bringing just under $1.5 million in operational disruptions, according to a new survey analysis.

Among 648 IT and security practitioners polled this spring, 92% said their organization had faced at least one cyberattack in the prior 12 months, up from 88% in 2023.

Sixty-nine percent said an attack led to care disruptions, with cited impacts including delays (56%), procedure complications (53%), longer stays (52%), an uptick in transfers or diversions (44%) and higher mortality (28%).

“This report underlines that cyber safety is patient safety; protecting healthcare systems and medical data from cyber attacks is critical to ensuring continuity in patient care and avoiding disruption of critical services,” Ryan Witt, chair of the healthcare customer advisory board at cybersecurity firm Proofpoint, which co-authored the report with IT security research group Ponemon Institute, said in a release.

Respondents pointed to supply chain attacks as the most disruptive to patient care. Specifically, 68% said they had faced such an attack and 82% said it disrupted care—up slightly from 2023’s 77%.

Attacks targeting cloud networks or accounts were most frequently reported by the respondents but were the least likely to result in patient care disruptions. Respondents still listed these as the second largest threat to their organizations behind concerns over insecure mobile apps.

The groups’ findings around ransomware attacks, a high-profile focus for the industry, were somewhat mixed.

On one hand, the portion of respondents who said their organization is vulnerable to ransomware dipped from 64% in 2023 to 54% in the most recent survey. The portion who reported ever experiencing a cyberattack grew 5 percentage points from 2023 to 2024—smaller than the 13 percentage point jump from 2022 to 2023—to 59%.

Those who did experience attacks reported an average of four within the past two years. Fewer organizations reported paying out a ransom compared to last year (36% versus 40%), though the average of an organization’s costliest paid ransom rose 10% to nearly $1.1 million.

As for patient care, 70% of those who experienced a ransomware attack said it had an impact on patient care, and 29% said it increased mortality rates at their organization, up from 68% and 28%, respectively, in 2023.

Finally, respondents’ with concerns about business email compromise, spoofing and impersonation attacks at their organization dipped from 61% to 52%. Fifty-seven percent said their organization experienced an average of four such attacks within the past two years, with many reporting these cyberattacks as more likely than others to delay procedures and tests for patients.

“For the third consecutive year, we found that the four types of analyzed attacks show a direct negative impact on patient safety and wellbeing,” Larry Ponemon, Ph.D., chairman and founder of the Ponemon Institute, said in a release. “The good news, however, is the healthcare industry seems to increasingly recognize the importance cybersecurity plays in patient outcomes; on average, IT budgets have increased, and fewer IT practitioners indicate that budget is a challenge in keeping their organization’s cybersecurity posture from being fully effective.”

Proofpoint and Ponemon’s survey mainly captured responses from providers (43%) and insurers/payers (39%). Nearly 70% of respondents were supervisor level or above.

A September report from KLAS Research and Bain & Company found about three-fourths of polled providers and payers had increased IT investments over the past year. Many cited the Change Healthcare cyberattack near the top of the year as an impetus for increased cybersecurity spending.

The federal government has also signaled an interest in raising the bar for healthcare cybersecurity, whether that be through regulatory policy or legislative funding