Despite the increasing attention on cyberattacks involving hospitals and health systems nationwide, many such incidents remain unreported. According to a recent survey by cybersecurity company VikingCloud, some cybersecurity professionals refrain from disclosing breaches for fear of losing their jobs.
The VikingCloud survey polled 168 cybersecurity professionals in the United States and the United Kingdom, revealing that 40% of cybersecurity professionals across all industries have not reported a cyberattack due to job security concerns. In the healthcare sector, 30% of respondents admitted not reporting a breach for the same reason.
Kevin Pierce, Chief Product Officer of VikingCloud, noted that the high number of professionals unwilling to report attacks was surprising. “It was a surprise response for us, too,” Pierce said, according to Chief Healthcare Executive. “We didn't know what the answer would be. But it was one that jumped out, jumped out at everybody that I've talked to.”
Pierce is uncertain why so many workers fear job loss over reporting breaches, especially given the healthcare sector’s ongoing struggle to recruit and retain cybersecurity professionals, who often command higher salaries in other industries. “We've got a lot of open positions, people we know are not filling those positions quickly,” Pierce said.
False positives in cybersecurity defenses might contribute to this reluctance. More than half (59%) of healthcare cybersecurity professionals reported spending over four hours per week dealing with false positives, potentially making them wary of reporting potential breaches.
Regardless of the reasons, Pierce said that the reluctance to report breaches means more cyber incidents are happening than are being disclosed. Additionally, two-thirds (66%) of healthcare cybersecurity professionals doubted their organizations could comply with Securities and Exchange Commission requirements to disclose a cybersecurity incident within four business days.
Pierce emphasized that hospitals and other providers must assure employees they won’t be penalized for reporting cyberattacks and breaches. “Healthcare and others have to have a culture where employees feel they can speak up,” he said.
Healthcare systems must stress the importance of reporting breaches to protect the organization and its patients, Pierce added, especially with potential regulatory requirements for cyberattack notifications looming.
The survey also highlighted vulnerabilities within healthcare organizations to cyberattacks. Nearly half (44%) of healthcare cybersecurity workers said their organizations weren’t sufficiently prepared for ransomware attacks targeting third parties. Industry analysts noted that many hospitals have suffered breaches due to attacks aimed at vendors or other third parties.
Healthcare organizations should regularly assess their vendors’ cybersecurity capabilities and ability to handle new threats, Pierce advised. “Hospitals and other health providers should do a risk assessment not only on their own organization but on their supply chain, making that cyber risk assessment a mandatory piece of doing business. I think we're going to see that become more prevalent.”
According to the VikingCloud survey, more than half (58%) of healthcare cybersecurity professionals felt their teams were behind the capabilities of cybercriminals and ransomware groups. Additionally, a majority (54%) said they couldn’t defend against AI-fueled cyberattacks.
Pierce predicted an increase in cyberattacks on healthcare organizations in the near future, given the growing digital interconnectedness of hospitals and health providers. “In healthcare, the attack surface is just exploding,” he said.
Healthcare executives and boards need to prioritize cybersecurity as a system-wide issue, not just an IT concern, Pierce stressed. “It's a problem for everyone in the organization,” he said. “It’s a problem for your customers. If I'm in retail, it’s a problem for my customers who are coming in and trying to buy something. If I'm in healthcare, it's my patients.”
The Ascension health system recently suffered a ransomware attack that continues to disrupt patient care. Some hospitals have diverted ambulances, and critical systems, including electronic health records, have been taken offline. Ascension Hospitals warned patients to expect longer waits at hospitals and clinics.
Hospitals and clinics nationwide have been affected by a ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group that handles billing, claim processing, and prescriptions for many providers. Most hospitals reported financial losses due to the Change Healthcare attack and said it affected patient care. UnitedHealth has stated that the breach may have exposed the records of many Americans, although the exact number remains unclear.
Federal officials are investigating the Change Healthcare cyberattack.
According to the U.S. Department of Health and Human Services, in 2023, more than 134 million people were affected by large breaches reported to the government, an increase of 141% from 2022. This equates to more than one in three Americans.