70% of healthcare cyberattacks result in delayed patient care, report finds
Last year, 92% of all healthcare organizations (health systems, hospitals and provider groups) were targeted by a cyberattack, according to a new report from vendor Fortified Health Security. Further, 70% of those that reported an incident said patient care was affected in some way, a sign that an attack does not have to succeed in stealing data to cause harm.
To better understand the landscape, Fortified applied the criteria laid out in the NIST Cybersecurity Framework, a voluntary, cross-sector set of guidelines for managing cybersecurity risk that healthcare entities use to protect their networks and data, to assess how many organizations are actually following its recommendations.
According to the analysis, while healthcare organizations have made strides in improving their response plans and conducting regular risk assessments to measure their defenses, other areas need improvement—but legacy technology may be standing in the way.
“While cybersecurity investments are gaining more executive-level attention in the budget, funding often favors new technology over maintaining legacy systems. As a result, many organizations are left cobbling together outdated platforms on aging hardware. Some now recognize that decommissioning obsolete systems may be safer than trying to keep them running,” Fortified wrote in the report.
Yet maintaining legacy systems, for all its complexity, ranked only third on the company's list of vulnerabilities. Its experts attribute attacks more to the absence of risk management strategies at healthcare organizations, which shows up as failure to monitor the supply chain and to train staff to recognize potential threats.
The NIST Cybersecurity Framework lays out a risk management approach, organized around the core functions Identify, Protect, Detect, Respond and Recover (with Govern added in version 2.0), that organizations can follow to keep their networks secure. Many still do not follow it, however, and instead develop their own security standards.
The lack of a uniform standard for how much risk should be tolerated means that some organizations remain more exposed than others. Fortified said many of its clients report that it is unclear who is responsible for setting and maintaining risk thresholds.
“Most organizations still lack a defined, unified approach to risk management. Risk tolerances wildly vary, and because of that, responsibility for managing that risk is often unclear,” the company stated.
The inventory imperative
As a bright spot, Fortified added that an increasing number of healthcare organizations are “using risk insights to reject vendors with poor scores,” meaning that purchasing decisions are prioritizing security, even if firm policies are not in place.
The company emphasized the need for healthcare organizations to inventory everything—including analyzing which hospital technologies contain sensitive data valuable to criminals, and identifying devices or systems that could be compromised to access broader networks.
“Without a complete and up-to-date inventory, organizations lack a clear understanding of what they protect, making effective risk management nearly impossible. In many cases, producing current-state inventories cannot be done easily, particularly when clinical assets are tracked separately by BioMed teams,” the company wrote.
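Producing the unified inventory the report calls for is largely a correlation problem: the IT/CMDB export and the BioMed tracker describe overlapping devices in different fields. The script below is an added example, not from the Fortified report or any vendor tool. All records are constructed sample data and the field names are assumptions; it merges the two trackers by IP address, flags devices the IT side has never seen, sets aside records that cannot be correlated, and ranks the result by whether an asset holds patient data, runs an OS that no longer receives patches, or sits on a segment from which a compromise could reach the broader network.

```python
"""Reconcile an IT/CMDB export with a separately maintained BioMed device tracker.

Added example, not from the Fortified report. All records below are constructed
sample data, and the field names are assumptions about what such trackers hold.
"""
import ipaddress

# Constructed IT/CMDB export: hosts the security team already manages.
IT_INVENTORY = [
    {"id": "srv-ehr-01", "ip": "10.10.1.10", "holds_phi": True, "segment": "clinical-core", "eol": False},
    {"id": "ws-reg-07", "ip": "10.10.5.23", "holds_phi": True, "segment": "flat-lan", "eol": True},
    {"id": "print-03", "ip": "10.10.5.40", "holds_phi": False, "segment": "flat-lan", "eol": False},
]

# Constructed BioMed tracker: clinical devices tracked outside the CMDB.
BIOMED_INVENTORY = [
    {"tag": "BM-1021", "ip": "10.10.5.23", "modality": "infusion pump", "stores_patient_data": False, "os": "Windows 7"},
    {"tag": "BM-1044", "ip": "10.10.5.61", "modality": "ultrasound", "stores_patient_data": True, "os": "Windows XP"},
    {"tag": "BM-1050", "ip": "10.20.3.5", "modality": "ventilator", "stores_patient_data": False, "os": "embedded"},
    {"tag": "BM-1077", "ip": "n/a", "modality": "ECG cart", "stores_patient_data": True, "os": "Windows 10"},
]

# Scoring assumptions: segments with no east-west filtering, and OS families
# that no longer receive vendor patches.
FLAT_SEGMENTS = {"flat-lan"}
EOL_OS_PREFIXES = ("Windows XP", "Windows 7")


def _key(ip_text):
    """Normalize an IP string so both trackers merge on the same key; None if unusable."""
    try:
        return str(ipaddress.ip_address(str(ip_text).strip()))
    except ValueError:
        return None


def _entry(merged, key):
    """Fetch or create the unified record for one IP."""
    return merged.setdefault(key, {"ip": key, "sources": set(), "holds_phi": False,
                                   "eol": False, "segment": "unknown"})


def reconcile(it_records, biomed_records):
    """Merge both trackers by IP and attach risk flags.

    Returns (merged, unaddressed): merged is a list of unified records sorted by
    priority (highest first); unaddressed holds records with no usable IP, which
    cannot be correlated automatically and need manual follow-up.
    """
    merged, unaddressed = {}, []
    for rec in it_records:
        key = _key(rec["ip"])
        if key is None:
            unaddressed.append(("it", rec))
            continue
        m = _entry(merged, key)
        m["sources"].add("it")
        m["it_id"] = rec["id"]
        m["holds_phi"] |= bool(rec.get("holds_phi"))
        m["eol"] |= bool(rec.get("eol"))
        m["segment"] = rec.get("segment", "unknown")  # only the CMDB knows the VLAN
    for rec in biomed_records:
        key = _key(rec["ip"])
        if key is None:
            unaddressed.append(("biomed", rec))
            continue
        m = _entry(merged, key)
        m["sources"].add("biomed")
        m["biomed_tag"] = rec["tag"]
        m["modality"] = rec.get("modality")
        m["holds_phi"] |= bool(rec.get("stores_patient_data"))
        m["eol"] |= rec.get("os", "").startswith(EOL_OS_PREFIXES)
    for m in merged.values():
        # A device IT has never seen is unmanaged: no patching, no monitoring.
        m["untracked_by_it"] = "it" not in m["sources"]
        # Flat or unknown placement means a compromise here can reach other hosts.
        m["pivot_risk"] = m["segment"] in FLAT_SEGMENTS or m["segment"] == "unknown"
        m["priority"] = (3 * m["holds_phi"] + 2 * m["eol"]
                         + 2 * m["pivot_risk"] + int(m["untracked_by_it"]))
    ordered = sorted(merged.values(), key=lambda m: (-m["priority"], m["ip"]))
    return ordered, unaddressed


def coverage_gaps(merged):
    """IPs present only in the BioMed tracker, in priority order."""
    return [m["ip"] for m in merged if m["untracked_by_it"]]


if __name__ == "__main__":
    merged, unaddressed = reconcile(IT_INVENTORY, BIOMED_INVENTORY)
    for m in merged:
        print(f"{m['ip']:<12} prio={m['priority']} phi={m['holds_phi']} eol={m['eol']} "
              f"pivot={m['pivot_risk']} sources={sorted(m['sources'])}")
    print("untracked by IT:", coverage_gaps(merged))
    print("needs manual correlation:", [rec["tag"] for _, rec in unaddressed])
```

Keying on IP is the simplest join available when the two trackers share no common identifier; in practice the same device can move addresses, so a MAC or serial number is a better key where both sides record one. The point of the ranking is that the ultrasound cart, which is absent from the CMDB, stores patient data and runs an unpatched OS, rises to the top of a list nobody could have produced from either tracker alone.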
Best defense: upskilled staff + upgraded systems
Zooming in on employee training, Fortified lamented that it is often still “limited to annual refreshers or new hire orientation” rather than an ongoing process in which staff watch for threats every day and understand how a simple mistake can lead to a data breach.
Fortified said phishing simulations help, but those and similar efforts should not be seen as a replacement for “cultural change.” It emphasized that the goal of any training and subsequent simulations is to build habits that support a vigilant security posture. In short, the company contends that educating staff is just as important as upgrading infrastructure.
“Cybersecurity must become part of the organizational DNA, and many companies have not yet accomplished that. You can encourage active engagement by rewarding and/or recognizing engaged employees and sharing real-world stories,” the company wrote.
The full report is available here.
