More than a third of health care organizations aren’t prepared for cyberattacks

Cyberattacks and data breaches in health care are on the rise, and more than one in four ransomware attacks in health care impact patient care, according to a survey from advisory firm Software Advice. 

About half of health care organizations that experienced a ransomware attack said the breach impacted patient data — and 34% said they failed to recover the data after the attack. 

Cyberattacks can result in pricey downtime and delay critical procedures, the report said, but only 63% of companies report having a cybersecurity response plan in place. 

Over 30% of health care organizations experienced a cyberattack in the last three years, according to the survey. Over the past five years, there has been a 256% increase in large breaches reported to the HHS Office for Civil Rights involving hacking.  

Health care holds an outsized amount of sensitive data compared to other industries — the vast majority of which is digital, according to the survey. However, some health care operators have failed to adequately encrypt such data at rest or in transit, making the industry a lucrative target for hackers. 

The increase in breaches, in addition to several recent high-profile attacks, has garnered attention from federal regulators and lawmakers. This year, the HHS released voluntary cybersecurity goals for the sector and is looking to propose enforceable standards. 

Experts said that health systems need to do more to prepare for potential cyberattacks, like conducting risk analyses. Thirty-seven percent of health care organizations did not have a cyberattack contingency plan in place, according to the survey, despite half of organizations having experienced an attack. 

The Software Advice report, which surveyed almost 300 respondents working at health care organizations in March, also found that 55% of medical practices allowed employees more access to data than necessary. 

“Human error results in nearly the same amount of data breaches as targeted, malicious attacks against data security,” the report said.