The Impact of Cyber Insecurity in Healthcare: A Deep Dive into the Findings of the 2023 Proofpoint and Ponemon Study
by Michelle Del Guercio on November 29, 2023
In collaboration with Ponemon, Proofpoint conducted a study involving 653 IT and IT security practitioners in healthcare.¹ The "Study on Cyber Insecurity in Healthcare 2023" provided intriguing findings, comparing them to responses from 2022. A shocking 88% of organizations reported an average of 40 attacks in the past year, with cloud compromises and BEC/spoof phishing attacks being the main concerns. The report examines five threat areas: ransomware, business email compromise attacks, malicious insider-led data loss, supply chain attacks, and cloud compromise attacks.
(Image Source: Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023)
Despite countless news headlines, ransomware is no longer considered a top threat in the 2023 findings. Only 48% of respondents reported being most worried about these attacks, a decrease from 60% in 2022. However, 64% still believe their organizations are vulnerable. Over the past two years, 54% of respondents encountered an average of four ransomware attacks. Although many ransomware groups no longer encrypt files or systems, attacks still impact patient care.
Business Email Compromise
BEC/spoofing attacks are a growing concern. In 2023, 62% of respondents reported vulnerability and concern about BEC/spoof phishing, up from 46% in 2022. Surprisingly, only 45% of organizations have measures or plans to prevent or respond to a BEC attack.
Data Loss and Exfiltration Incidents
The survey provided interesting insider/employee statistics on Data Loss and Exfiltration:
- Malicious insiders are the primary cause, yet only 32% claimed to be prepared to prevent and respond to this threat.
- Accidental data loss ranked as the second most common cause, reported by 27% of respondents.
- 25% of incidents were attributed to employees not following policies, and 16% remained unexplained.
- 47% expressed great concern about employees' lack of understanding regarding the sensitivity and confidentiality of shared data via email.
All organizations experienced at least one incident of data loss or data exfiltration, with an average of 19 such incidents. When asked whether their organizations included prevention and response to careless insiders as part of their cybersecurity strategy, 44% responded affirmatively. Only 32% indicated the inclusion of prevention and response to the threat of malicious insiders. When queried about the effectiveness of data loss prevention solutions, only 35% reported their solutions were very effective in preventing incidents caused by employees, and only 39% reported their solutions were effective in preventing loss caused by malicious insiders.
Matt Fisher summed it up well in his “Security is Essential for Healthcare” post,
“The responses about the impact on patient care and safety are of particular note. Both the responses and reporting following a breach continue to show a compromise to the ability to deliver services, which in turn carries longer term consequences for patients. Outcomes of that nature are not acceptable in healthcare because the ripples will typically spread a lot farther and longer than anticipated.
“Security is not a good to have, it is an absolute requirement.”
- Matt Fisher, General Counsel for Carium via Security is Essential for Healthcare post
Protenus recently reported on the recent HHS findings that, combined with our own analysis in the 2023 Breach Barometer, “external threats like hacking impacted the highest volume of patients…health systems have been inundated with investigations of unauthorized access that stem from their own insiders, comprising 93% of those reported.”
Supply Chain Attacks
Organizations are susceptible to supply chain attacks, with 64% reporting that their organizations experienced such attacks. Surprisingly, only 40% consider this cyber threat a concern. On average, organizations endured four supply chain attacks in the past two years. Similar to BEC, only 45% have measures or plans to prevent or respond to a supply chain attack.
Were these survey responses collected prior to the FORTRA and MOVEit breaches that impacted thousands of entities and millions of patients in 2023? Would the responses be the same if the survey were conducted today?
According to the study results, the most frequent attacks in healthcare target the cloud, making it the top cybersecurity threat identified by respondents. 74% of respondents acknowledged their organizations' vulnerability to a cloud compromise, and 63% reported experiencing at least one cloud compromise.
When selecting a technology vendor, it is important to ask about their specific security practices to ensure appropriate safeguards are in place.
For further insights, including the crucial question of the impact of these types of cybersecurity incidents on patient care, access the full report at https://www.proofpoint.com/us/resources/threat-reports/ponemon-healthcare-cybersecurity-report
Thanks to DataBreaches.net for help with data analyses for this post!
¹ The types of organizations that responded to the survey cover many areas of healthcare, not specific to hospitals or health systems.