Ransomware attacks impact patient care, including increased mortality rates, report finds

Nearly a quarter of healthcare providers report increased mortality rates following ransomware attacks, a new report finds.

Ransomware impacts patient care in more ways than one, with 70% or more of healthcare organizations reporting a longer length of stay or delays in procedures that lead to poor outcomes, according to a Ponemon Institute report.

A majority of organizations also report an increase in patient transfers, while more than a third report increased complications from medical procedures.

Healthcare delivery organizations are under siege, as 67% have been victims of ransomware attacks. One-third of those said they experienced two or more.

Less than half of respondents completed a risk assessment of their third-party security vendor before contracting with them. And more than a third said their assessment conclusions were ignored, the report found.

For the first time, the research shows that ransomware attacks on healthcare organizations may have life-or-death consequences. Nearly 1 in 4 healthcare providers reported an increase in mortality rate due to ransomware. The onset of COVID-19 introduced new risk factors to healthcare delivery organizations, including remote work, new systems to support it, staffing challenges and elevated patient care requirements, the report found.

“Our findings correlated increasing cyberattacks, especially ransomware, with negative effects on patient care, exacerbated by the impact of COVID on healthcare providers,” said Larry Ponemon, Ph.D., chairman and founder of the Ponemon Institute, in a statement.

“The combination of data breaches, ransomware attacks, and COVID-19 has created the perfect cybersecurity storm and worst two years on record for IT and security leaders in healthcare,” said Ed Gaudet, CEO and founder of Censinet, an IT risk solutions provider that worked with the Ponemon Institute on the research.

The research results are an "urgent wake-up call" for the healthcare industry to transform its cybersecurity and third-party risk programs or jeopardize patient lives.

The Ponemon Institute, a research center focused on data protection, surveyed IT professionals at nearly 600 healthcare organizations, defined as entities that provide clinical care and rely on third-party security contractors. These organizations include health systems, physician groups and payers.

Organizations employ the services of 1,950 third-party tech contractors on average, a number expected to grow to 2,541 on average over the next year, the analysis forecasts. About 43% of these vendors have access to personal health information, putting healthcare delivery organizations at additional risk for both data breaches and ransomware attacks.

To help mitigate these risks, the Ponemon Institute recommends investing in resources to establish a digital inventory of all third parties and protected health information records to know what is being accessed at all times. Leveraging automation and resources to conduct more frequent risk assessments is also encouraged, as is assigning risk accountability and ownership to one role.