Ponemon Institute, a research center dedicated to privacy, data protection, and information security policy, surveyed 579 IT and IT security professionals at healthcare delivery organizations (HDOs) to understand how ransomware continues to impact patient care, and to determine the value of cybersecurity benchmarking to reduce cyber threats such as ransomware.
The independent research report, titled The Impact of Ransomware on Patient Safety and the Value of Cybersecurity Benchmarking, published in January 2023 from a survey conducted in Q4 2022, was commissioned by Censinet, a provider of healthcare risk management solutions.
Ransomware and Healthcare
This 2023 report provides an update to the industry’s first study on the impact of ransomware on patient safety, titled The Impact of Ransomware on Healthcare During COVID-19 and Beyond, published in September 2021 and also commissioned by Censinet. That study demonstrated a correlation between ransomware and adverse impacts to patient care, including increased mortality rates.
In this updated report, over half of respondents indicated that one or more ransomware attacks experienced by their organization resulted in a disruption to patient care. While the most prevalent impact identified was an increase in patients transferred or diverted to other facilities, over one-in-five respondents indicated that ransomware attacks had an adverse impact on patient mortality rates—nearly the same response rate as in the 2021 study. However, significantly more respondents this year indicated that ransomware attacks increased complications from medical procedures—up to 45% of respondents compared to 36% in 2021.
“Our findings indicate that Hospital IT/Security personnel continue to believe ransomware has a broad and adverse impact on patient care,” says Larry Ponemon, PhD, chairman and founder of the Ponemon Institute. “With ransomware growing exponentially and most organizations under constant threat, this report also explores how peer benchmarking improves an HDO’s cybersecurity program effectiveness, including its decision-making, hiring, and resource allocation.”
The study also explored the importance of cyber programs and initiatives such as peer benchmarking and third-party vendor risk management for determining optimal investment levels and resource allocation required to reduce the risk of a ransomware attack and other cyber threats. The report found that:
- Benchmarking is very valuable in demonstrating cybersecurity program effectiveness, including cybersecurity framework coverage and compliance.
- Benchmarking is important to making the business case for hiring cyber staff and helps guide tool and technology purchasing for the cybersecurity program.
- Benchmarking is important when establishing cybersecurity program goals and enables better, more data-driven decision-making.
- Benchmarking is helpful in responding to, and recovering from, ransomware attacks according to a majority of respondents.
“The findings in this year’s Ponemon report are, unfortunately, not surprising as ransomware continues to shut down hospital operations and disrupt care at an alarming rate,” says Ed Gaudet, CEO and founder of Censinet. “With patient safety in jeopardy and ‘asymmetric warfare’ no longer hyperbole to describe the situation, this report highlights the continued threats while introducing new approaches to creating rigorous, robust, and continuous cyber programs that protect patients.”