New research proves a clear link between health care cyberattacks and patient mortality rates exists, highlighting the importance of adequate industrywide cybersecurity. While security measures previously only protected people’s privacy and sensitive data, they might now be the difference between life and death.
Cyberattacks Correlate with Increased Patient Mortality
A recent study of more than 600 IT professionals working at over 100 medical facilities revealed a link between health care cyberattacks and increased mortality rates. A large percentage of respondents reported cybersecurity incidents often worsened patient outcomes.
The possible connection between health care cyberattacks and patient mortality has been an ongoing discussion for years. Although previous studies on the subject exist, their scope was much narrower. This new research finally proves they correlate.
This 2023 study reveals the four most common health care cyberattack types — business email compromise (BEC), supply chain attack, ransomware and cloud compromise — increase delays, average visit length, procedure complications and patient mortality rates.
Of the 88% of health care organizations that experienced cyberattacks in 2023, roughly 20%-30% reported more fatalities as a result. IT professionals stated mortality rates increased by 28% for ransomware, 12% for BECs, 21% for supply chain attacks and 29% for cloud compromises. These substantial increases highlight the gaps in their cybersecurity.
How Cyberattacks Increase Patient Mortality
Truthfully, few patients have died as a direct result of a cyberattack. However, this new study proves the two variables correlate. This is because downed systems, inaccessible patient data and service disruptions incidentally harm people. Diminished quality of care almost always leads to poor outcomes.
Cyberattacks directly cause 57% of health care facilities to experience worse patient outcomes. Delays, disruptions, unplanned transfers, and cancellations led to increased complications and poor quality of care. Wasted hours and inaccessible systems have a ripple effect, impacting every service, from laboratory testing to medication dispensing.
Although fatalities caused by health care cyberattacks are uncommon, such cases have made national news before. In 2021, one mother sued a hospital after ransomware-related disruptions allegedly caused her baby to suffer brain damage during delivery and later pass away. These situations have significant financial, legal and security implications.
Every Health Care Facility Needs Adequate Cybersecurity
The cybercriminals behind health care cyberattacks accept heightened patient deaths as collateral damage because it increases the odds of their success. After all, a hospital is far more likely to pay an outrageous ransom to regain system access when people’s lives are at stake.
Experts believe the growing Internet of Things (IoT) will simplify distributed denial-of-service attacks (DDoS) attacks. Some also predict a ransomware incident will occur every two seconds by 2031. As the severity of cyberattacks increases, health care IT professionals will have to contend with the fact their security measures are one of the few things protecting patients.
Undoubtedly, cyberattacks will grow more severe than they have been for years. For instance, DDoS attacks now last 50 hours on average, up from their mere 30-minute duration in 2021. If health care organizations plan on protecting patients, they must address these growing concerns.
Whether organizations increase cybersecurity funding or expand their endpoint protections, proactive effort is critical. After all, research proves these actions are just as crucial to patients’ well-being as safety equipment or emergency services. A facility’s digital security measures will be its best defence if a cyberattack occurs.
Health Care Cybersecurity Is Now About Saving Lives
For too long, cybersecurity efforts have focused on indirect rather than direct patient outcomes. Instead of preventing critical system failure to safeguard people’s well-being, IT teams have prioritized securing data and privacy. While information security is essential, the new research linking cyberattacks to heightened mortality rates demands action.
Although compliance with regulations like the Health Insurance Portability and Accountability Act is critical, neglecting this newfound link will only lead to higher mortality rates as the frequency of cyberattacks increases. Health care cybersecurity is no longer just about patient privacy and data security — it’s now about saving people’s lives.
Even when a cybersecurity incident doesn’t result in death, it still risks patients’ well-being. Consider the situation where a nurse gave a 3-year-old boy five times the amount of medicine she was supposed to because ransomware prevented the computer from calculating the dosage for her.
Patient Health Depends on Proper Health Care Cybersecurity
Health care facilities must address the most common industry risks. While the recent study named supply chain attacks, BEC ransomware and cloud compromises as the most significant dangers, human error is often the source of most cybersecurity incidents. In fact, 30% of chief information security officers ranked insider threats as the top threat of 2023.
Adequate cybersecurity training, privilege limitation and digital monitoring are essential for reducing insider threats. Even though the IT team can’t account for every possible mistake a person can make, they can segment networks and make data backups to minimize the negative impact human error can have.
Safeguarding critical systems, having backups available and preparing an adequate incident response is crucial. While health care facilities already undertake a significant workload to maintain compliance and protect privacy, they must understand how critical cybersecurity is for patients’ safety.
Organizations Must Prioritize Cybersecurity
Previously, health care organizations have viewed cybersecurity as essential because it protects patient privacy and safeguards sensitive data against leaks and breaches. However, it’s now about saving people’s lives — it has become absolutely critical.
Much like a medical professional needs safety equipment to perform surgery, health care facilities need security measures to protect patients properly. Since the link between cyberattacks and mortality rates is proven, prioritizing cybersecurity is in the industry’s best interest.
By Zac Amos, rehack.com