Proofpoint Press Release on Cybersecurity Survey does a Disservice to Health Care Providers

A survey released in early September from Proofpoint, Inc., and the Ponemon Institute, on cybersecurity in health care raises important issues but appears to have a number of significant limitations. First, it is not a study or report of medical data. It is a survey of health care IT personnel.

Because it is not a study of patient outcomes, the survey does not appear sufficient to support the headline in Proofpoint's press release that "Cyberattacks Cause More Than Twenty Percent of Impacted Healthcare Organizations to Experience Increased Mortality Rates." While cyberattacks on hospitals and health systems are certainly a significant risk – as they are in any field or business – because they can disrupt care delivery, there appears to be no reliable empirical evidence that demonstrates these attacks are the cause of increased mortality rates.

Another questionable assertion by Proofpoint is that "cybersecurity remains a low priority" in the health care sector. I can assure you the hospital leaders I talk to each day view cyber risk as a significant risk to their organization. They routinely devote significant resources to shore up cyber technical defenses, increase cybersecurity budgets, and train all staff to spot phishing emails that might contain malware, or worse, ransomware. Hospitals also use layers of technical defenses to deflect and detect network intrusions such as multi-factor authentication, network segmentation, endpoint protection tools and enhanced backup and recovery capabilities and procedures. Thus, to imply that all hospitals that become victims of a cyberattack are presumptively negligent in some manner, is simply inaccurate. It also fails to reflect the reality that no organization is completely immune from cyberattacks, regardless of the number of resources devoted to cybersecurity. This includes the federal government and cybersecurity firms.

I routinely receive calls to conduct C-suite cyber tabletop exercises and to provide guidance on developing cyber incident response plans and downtime procedures, which help prepare hospitals to get through the digital darkness should a ransomware attack happen. The AHA also has engaged in more robust cyber threat information sharing relationships with the FBI and other agencies in order to assist the hospital field with increasing the defenses needed to better fend off cyberattacks.

Yet even with all that, there are inherent limitations that affect every field or business. Any winning solution to this national security threat also must include combined and coordinated actions by the U.S. government and our allies. The U.S. government should continue on its path of utilizing all elements of national power to increase risk and consequences for these foreign-based cyber adversaries, who threaten American citizens’ data and pose a direct threat to U.S. public health and safety.

That’s why although the findings of the Proofpoint and Ponemon survey may warrant further review, it does not appropriately reflect the importance most hospitals place on cybersecurity. And a headline that fails to reflect the importance hospitals place on cybersecurity does a disservice to our nation’s hospitals and our front-line heroes who sacrificed so much during the pandemic and are continually working to deliver quality care to patients, protect their data and serve their communities.