A survey on cybersecurity in health care, released in early September by Proofpoint, Inc. and the Ponemon Institute, raises important issues but appears to have a number of significant limitations. First, it is not a study or report of medical data. It is a survey of health care IT personnel.

Because it is not a study of patient outcomes, the survey does not appear sufficient to support the headline in Proofpoint's press release that "Cyberattacks Cause More Than Twenty Percent of Impacted Healthcare Organizations to Experience Increased Mortality Rates." While cyberattacks on hospitals and health systems are certainly a significant risk – as they are in any field or business – because they can disrupt care delivery, there appears to be no reliable empirical evidence that demonstrates these attacks are the cause of increased mortality rates.

Another questionable assertion by Proofpoint is that "cybersecurity remains a low priority" in the health care sector. I can assure you the hospital leaders I talk to each day view cyber risk as a significant risk to their organizations. They routinely devote significant resources to shore up cyber technical defenses, increase cybersecurity budgets, and train all staff to spot phishing emails that might contain malware, or worse, ransomware. Hospitals also use layers of technical defenses, such as multi-factor authentication, network segmentation, endpoint protection tools, and enhanced backup and recovery capabilities and procedures, to deflect and detect network intrusions. Thus, to imply that all hospitals that become victims of a cyberattack are presumptively negligent in some manner is simply inaccurate. It also fails to reflect the reality that no organization is completely immune from cyberattacks, regardless of the amount of resources devoted to cybersecurity. This includes the federal government and cybersecurity firms.

I routinely receive calls to conduct C-suite cyber tabletop exercises and to provide guidance on developing cyber incident response plans and downtime procedures, which help prepare hospitals to get through the digital darkness should a ransomware attack happen. The AHA also has engaged in more robust cyber threat information sharing relationships with the FBI and other agencies in order to assist the hospital field with increasing the defenses needed to better fend off cyberattacks.

Yet even with all that, there are inherent limitations that affect every field or business. Any winning solution to this national security threat also must include combined and coordinated actions by the U.S. government and our allies. The U.S. government should continue on its path of utilizing all elements of national power to increase risk and consequences for these foreign-based cyber adversaries, who threaten American citizens’ data and pose a direct threat to U.S. public health and safety.

That’s why, although the findings of the Proofpoint and Ponemon survey may warrant further review, the survey does not appropriately reflect the importance most hospitals place on cybersecurity. And a headline that fails to reflect the importance hospitals place on cybersecurity does a disservice to our nation’s hospitals and our front-line heroes who sacrificed so much during the pandemic and are continually working to deliver quality care to patients, protect their data and serve their communities.
