Healthcare leaders say it can cost more than $4 million for an organization to recover from a single cyberattack, according to a new survey.
A poll of more than 600 healthcare information-technology and security professionals found 89% of organizations surveyed had experienced at least one cyberattack in the past year. Within that group, organizations faced an average of 43 attempted cyberattacks during that period, according to the poll published Thursday by research firm Ponemon.
The survey was sponsored by cybersecurity company Proofpoint.
The average total cost of each organization's most expensive cyberattack was $4.4 million, according to the survey. The total cost included the average cost of lost productivity from IT downtime, $1.1 million; disruption to normal operations, $1 million; damage or theft of IT assets, $930,100; and response and technical support, $708,600.
Downtime can cost large hospitals roughly $21,500 per hour, according to a separate survey of information security and biomedical staff released last year by health technology company Philips and cybersecurity company CyberMDX. Respondents from midsize hospitals reported downtime cost $45,700 per hour.
Other research has found the costs to be much higher. A report from IBM released in July estimated the average total cost of a data breach in healthcare is $10.1 million, including costs related to detection, response and lost business.
Beyond cutting off access to medical data, cyberattacks like ransomware can also pose issues for patient safety if clinicians lose access to electronic health records and other critical IT systems, forcing clinicians onto paper charts. Ransomware attacks can spur weeks or even months of IT downtime at hospitals, during which hospitals might have to delay or divert patient care.
That’s led groups like the American Hospital Association to say ransomware attacks against healthcare organizations are “threat-to-life” crimes, rather than economic crimes.
Nearly two-thirds of healthcare IT and security workers indicated ransomware attacks led to delays in procedures or tests for patients, according to Proofpoint’s report. Roughly half of respondents said ransomware resulted in an increase in complications during medical procedures. And 24% of respondents said they noticed an increase in mortality rates that were tied to ransomware attacks.
Top cybersecurity challenges faced by healthcare organizations include a lack of in-house expertise, a lack of collaboration with other areas of their organization, insufficient staffing, insufficient budget, and cybersecurity not being considered an organizational priority, according to respondents.