68% of healthcare workers experienced a supply chain attack

The effect of cybersecurity incidents on healthcare organizations was analyzed in a recent Proofpoint report. The report finds that 92% of healthcare organizations surveyed experienced at least one cyber attack in the past 12 months, an increase from 88% in 2023, with 69% reporting disruption to patient care as a result.

Among the organizations that suffered the four most common types of attacks – cloud compromise, ransomware, supply chain and business email compromise (BEC) – 56% reported poor patient outcomes due to delays in procedures and tests, 53% saw an increase in medical procedure complications and 28% say patient mortality rates increased — an increase of five percentage points over last year. 

The report, which surveyed 648 information technology and security practitioners in United States healthcare organizations, found that supply chain attacks are most likely to affect patient care. More than two-thirds (68%) of respondents said their organizations had an attack against their supply chains, of which 82% said it disrupted patient care, an increase from 77% in 2023. BEC leads the group of attacks most likely to result in poor outcomes due to delayed procedures and tests (69%), followed by ransomware (61%), which was also most likely to result in longer lengths of stay (58%) and increase in patients diverted or transferred to other facilities (52%).

More than half (54%) of respondents believe their organizations are vulnerable or highly vulnerable to a ransomware attack, a decline from 64% in 2023. Organizations that had ransomware attacks (59% of respondents) experienced an average of four such attacks over the past two years. While fewer organizations paid the ransom (36% in 2024 vs. 40% in 2023), the ransom paid spiked 10% to an average of $1,099,200 compared to $995,450 in the previous year.

Concerns about insecure mobile apps (eHealth) have increased to become the top cybersecurity threat in healthcare, increasing from 51% in 2023 to 59% of respondents in 2024. Cloud/account compromise was the second biggest concern (55%), and text messaging was the most attacked collaboration tool (61%) followed by email (59%). Organizations are less worried about employee-owned mobile devices or BYOD.

More than nine in 10 organizations surveyed had at least two data loss or exfiltration incidents involving sensitive and confidential data within the past two years. 51% said a data loss or exfiltration incident impacted patient care; of those, 50% experienced increased mortality rates and 37% saw delays in procedures and tests that resulted in poor outcomes. Over the past two years, organizations experienced an average of 20 such incidents with employees as the primary root cause. Employee negligence because of not following policies (31%), accidental data loss (26%) and employees sending PII and PHI to an unintended recipient via email (21%) were top three.

While 55% of respondents say their organizations’ lack of in-house expertise is a primary deterrent to achieving a strong cybersecurity posture, the lack of clear leadership as a challenge increased significantly since 2023 from 14% to 49% of respondents. Not having enough budget decreased from 47% to 40% of respondents in 2024.

While more organizations (71% in 2024 vs. 65% of respondents in 2023) are taking steps to address the risk of employees’ lack of awareness about cybersecurity threats, are they effective in reducing the risks? Nearly three in five respondents (59%) indicate they conduct regular training and awareness programs.

More than half (54%) of respondents say their organizations have embedded AI in cybersecurity (28%) or embedded it in both cybersecurity and patient care (26%). Fifty-seven percent of these respondents say AI is very effective in improving organizations’ cybersecurity posture, and more than one-third (36%) use AI and machine learning to understand human behavior.

Read the report