A survey released in early September from Proofpoint, Inc., and the Ponemon Institute, on cybersecurity in health care raises important issues but appears to have a number of significant limitations. First, it is not a study or report of medical data. It is a survey of health care IT personnel.

Because it is not a study of patient outcomes, the survey does not appear sufficient to support the headline in Proofpoint's press release that "Cyberattacks Cause More Than Twenty Percent of Impacted Healthcare Organizations to Experience Increased Mortality Rates." While cyberattacks on hospitals and health systems are certainly a significant risk – as they are in any field or business – because they can disrupt care delivery, there appears to be no reliable empirical evidence that demonstrates these attacks are the cause of increased mortality rates.

Another questionable assertion by Proofpoint is that "cybersecurity remains a low priority" in the health care sector. I can assure you the hospital leaders I talk to each day view cyber risk as a significant risk to their organization. They routinely devote significant resources to shore up cyber technical defenses, increase cybersecurity budgets, and train all staff to spot phishing emails that might contain malware, or worse, ransomware. Hospitals also use layers of technical defenses, such as multi-factor authentication, network segmentation, endpoint protection tools and enhanced backup and recovery capabilities and procedures, to deflect and detect network intrusions. Thus, to imply that all hospitals that become victims of a cyberattack are presumptively negligent in some manner is simply inaccurate. It also fails to reflect the reality that no organization is completely immune from cyberattacks, regardless of the amount of resources devoted to cybersecurity. This includes the federal government and cybersecurity firms.

I routinely receive calls to conduct C-suite cyber tabletop exercises and to provide guidance on developing cyber incident response plans and downtime procedures, which help prepare hospitals to get through the digital darkness should a ransomware attack happen. The AHA also has engaged in more robust cyber threat information sharing relationships with the FBI and other agencies in order to assist the hospital field with increasing the defenses needed to better fend off cyberattacks.

Yet even with all that, there are inherent limitations that affect every field or business. Any winning solution to this national security threat also must include combined and coordinated actions by the U.S. government and our allies. The U.S. government should continue on its path of utilizing all elements of national power to increase risk and consequences for these foreign-based cyber adversaries, who threaten American citizens’ data and pose a direct threat to U.S. public health and safety.

That’s why, although the findings of the Proofpoint and Ponemon survey may warrant further review, the survey does not appropriately reflect the importance most hospitals place on cybersecurity. And a headline that fails to reflect the importance hospitals place on cybersecurity does a disservice to our nation’s hospitals and our front-line heroes who sacrificed so much during the pandemic and are continually working to deliver quality care to patients, protect their data and serve their communities.
