A survey of 653 health care IT and security practitioners published today found 88% of the surveyed organizations experienced an average of 40 attacks in the past 12 months.
The survey, conducted by the Ponemon Institute on behalf of Proofpoint, also estimated that the average total cost of a cyberattack on health care organizations is $4.99 million.
Two-thirds of respondents (66%) reported disruption to patient care, including poor patient outcomes due to delays in procedures and tests (57%), an increase in medical procedure complications (50%) and increased patient mortality rates (23%).
Ryan Witt, chair of the Healthcare Customer Advisory Board at Proofpoint, said cyberattacks are now seen as a bigger issue within health care organizations because they directly impact primary care much more than, for example, ancillary billing systems.
The most common types of cyberattacks seen by health care providers involved cloud compromise, ransomware, supply chain and business email compromise (BEC). More than half (54%) of organizations experienced five BEC-type incidents on average, followed by ransomware (59%). BEC attacks are also most likely to correlate with poor outcomes due to delayed procedures (71%), increased complications from procedures (56%) and lengthier stays (55%). Unfortunately, only 45% of respondents take steps to prevent and respond to this type of attack, the survey found.
Overall, nearly two-thirds (64%) experienced a supply chain attack in the past two years. Among those, 77% experienced disruptions to patient care.
In general, cybercriminals have become much more adept at targeting the credentials of key health care personnel through which they can gain access to the most critical systems, noted Witt.
On the plus side, it does appear that health care organizations are slightly less concerned today about ransomware attacks than they are with other tactics and techniques. The survey ranked cloud attacks (74%), supply chain compromises (63%) and BEC attacks (62%) as most concerning, followed by ransomware (48%).
Nevertheless, more than half (54%) of respondents said their organization suffered a ransomware attack in 2022. Only 40% of health care organizations opted to make a ransomware payment, the survey found. However, the average total cost for the highest ransom payment spiked to $995,450. Further, 68% said the ransomware attack resulted in a disruption to patient care, with 59% citing delays in procedures and tests that resulted in poor outcomes.
All organizations surveyed had at least one data loss or exfiltration incident involving sensitive and confidential health care data within the past two years, with 43% noting that loss of data impacted patient care. Impacts to patient care include increased mortality rates (46%) and increased complications from medical procedures. Organizations experienced 19 such incidents on average, with malicious insiders the most likely cause identified by 32% of respondents.
Not surprisingly, survey respondents identified a lack of cybersecurity expertise (58%) and insufficient staffing (50%) as the two biggest challenges they face. Most health care providers are relatively small to midsized organizations that devote most of their resources to patient care, noted Witt.
Given the limited resources available, it’s not clear what measures health care organizations will use to improve cybersecurity. But the more these attacks affect primary care, the more pressing this issue will become in the months and years ahead.