Dive Brief:

• About one in four providers say their organizations saw an increase in mortality rates following a ransomware attack, according to a new survey from the Ponemon Institute.
• The study, sponsored by Boston-based health data security company Censinet, found the COVID-19 pandemic has resulted in less confidence among providers in mitigating risks posed by ransomware. Of the health delivery organizations (HDOs) surveyed, 61% have been victims of ransomware attacks, and of those that have been hit, 33% have been hit more than once. Meanwhile, 61% of providers aren't confident in their ability to combat ransomware, up from 55% pre-COVID-19.
• Medical devices rely on network connectivity and medtech insecurity can have an adverse impact on patient care, Ponemon warned. Only 36% of HDOs surveyed said their organizations are effective in knowing where all medical devices are, 35% indicated they know when a medical device vendor’s operating system is end-of-life or out-of-date, while 29% of respondents said they know the non-planned expense of medical device OS patches. 

Dive Insight:

Hacks and data breaches always pose a threat to business operations or finances, but are particularly dangerous in healthcare, where they could potentially harm the quality of patient care. Cybersecurity experts have been warning that attacks using ransomware, a type of malware that encrypts a victim's files, rendering them inaccessible to their owner unless a ransom is paid to decrypt them, have been growing in the healthcare industry over the past few years without a corresponding increase in security measures.

And the pandemic has injected further volatility into the picture, as staffing challenges and increasing patient acuity are combining with new attack surfaces and infiltration points for bad actors with the rise of remote work, greater adoption of digital health tools and connected medical devices. The combination of these factors has created the "perfect cybersecurity storm," according to Ed Gaudet, Censinet's CEO.

Aging medtech still operating in the field and increasingly sophisticated cybercriminal tactics are leaving healthcare organizations highly vulnerable to attacks. Legacy devices are using operating systems such as Windows XP that Microsoft no longer supports with security patches and updates.

Nick Yuran, CEO of security consultancy Harbor Labs, said in the current threat environment no medical device manufacturer "would be comfortable knowing they have unpatched devices with known vulnerabilities deployed on a medical network." Yuran contends that device makers are going to "great lengths" to ensure they can quickly communicate new vulnerabilities to their end users and are encouraging healthcare delivery organizations to take medtech cybersecurity more seriously.  

However, Chris Gates, director of product security at medical device engineering firm Velentium, called the Ponemon survey an "amazing and depressing summary of the sorry state" of healthcare delivery organizations and medtech cybersecurity.

There exists "a wide spectrum of how HDOs address cybersecurity, from a hospital in Ohio where the guy who mows the lawn is also the same guy who sets up their network to Mayo Hospital a leader in all aspects of cybersecurity," Gates said. "I had hoped the majority was closer to Mayo than the 'lawnmower man' and this report proves my hopes are wrong," Gates said. "HDOs appear to be busy doing nothing."

Yuran agrees that the primary focus of healthcare delivery organizations is "on the clinical function" of their medical devices "not the IT characteristics and even less the security posture of those devices."

Making matters worse is a sharp growth in third party ties, Ponemon found. Providers expect the number of third parties they contract with for software, services and hardware to grow at an annual rate of 30%, from 1,950 up to 2,541 in the next 12 months. Of the third parties, 43% have access to patients' personal health information, putting providers at higher risk of a breach or hack.   

However, tying ransomware attacks to a corresponding decline in care outcomes is tricky. The Ponemon study of health delivery organizations is one of the first finding a direct impact on patient care down the line, and comes roughly a year after a patient died as a result of delayed care after University Hospital Düsseldorf in Germany was forced to turn them away from its emergency room after a ransomware attack — thought to be the first instance of death by ransomware.

Along with an increase in mortality, the survey of roughly 600 providers also found ransomware resulted in more complications from medical procedures, delays in procedures and tests resulting in poor outcomes, an increase in patients being transferred or diverted to other facilities and longer patient lengths of stay.

"Our findings correlated increasing cyberattacks, especially ransomware, with negative effects on patient care, exacerbated by the impact of COVID on healthcare providers," said Larry Ponemon, founder of the Ponemon Institute, a research group.

Greg Slabodkin contributed reporting.