Most Patients Unaware of the Magnitude Healthcare Ransomware Attacks

November 10, 2021 - Over half of surveyed IT professionals said that their organization has been hit by a healthcare ransomware attack. But 61 percent of surveyed potential patients said that they had not heard of any cyberattacks in the healthcare industry in the last 24 months, new research conducted by Censuswide on behalf of Armis found.

The survey, which included responses from 2,000 potential patients and 400 healthcare IT professionals, revealed an extreme disconnect between patient perceptions of ransomware risks and the significant threat that ransomware actually poses on the healthcare sector.

Ransomware attacks have increased in volume and severity in the healthcare sector over the past few years, and can result in EHR downtime, ambulance diversions, and appointment cancellations. In some rare cases, patient deaths have been directly attributed to ransomware attacks.

Over 80 percent of surveyed IT professionals agreed that they have seen increased cyber risk over the past 12 months. Ransomware gangs are becoming increasingly sophisticated, and startling gaps in medical device security have exposed additional vulnerabilities and expanded the attack surface and scope.

A third of potential patient respondents said that they have been the victim of a healthcare cyberattack, and half of patients said that they would change hospitals if their healthcare organization was hit by a ransomware attack.

Patient perceptions on data security varied greatly. While over 65 percent of potential patients reported believing that their healthcare provider was doing enough to protect their personal information, a third of respondents said that they trust their best friends more than their healthcare providers with sensitive health information.

But considering the current threat landscape, it is more likely than not that a healthcare organization has faced ransomware or other security threats. The disconnect between patient perceptions and insight from IT professionals shows that the majority of patients may not understand the magnitude of healthcare cyber threats.

The Armis research found that IT professionals are most concerned about data breaches resulting in the loss of confidential patient information. Half of respondents said that security risks in a hospital’s infrastructure topped their list of concerns, followed by the risk of putting patient information into an online portal and staying in a hospital room with several connected medical devices.

IT professionals expressed significant concern about the security of HVAC and electrical systems, imaging machines, medication dispensing equipment, check-in kiosks, and vital sign monitoring equipment. Despite these concerns, 95 percent of surveyed IT professionals reported believing that their organization’s connected devices were patched with the latest software.

Three-quarters of IT professionals said that recent cyberattacks have had a strong influence on cybersecurity decision-making at their organizations, and just over half of respondents believed that their organization was allocating more than enough funds to secure its IT systems.

Despite these improvements, over 60 percent of respondents said that organization has not yet submitted a cyber insurance claim, despite the increase in attacks across the industry. As the attack surface and scope continues to expand, healthcare organizations must ensure that they have implemented the proper safeguards to mitigate risk.