Some cyberattacks aren’t being reported, because staff say they are worried they’ll be fired
Even as more cyberattacks involving hospitals and health systems have gained attention nationwide, cybersecurity professionals say some attacks aren’t coming to light.
In fact, some cybersecurity professionals say that they haven’t reported some breaches for fear of losing their jobs, according to a recent survey by VikingCloud, a cybersecurity company.
Four out of 10 cybersecurity pros in all industries said they have not disclosed a cyberattack because they feared they would be fired, according to the VikingCloud survey. VikingCloud surveyed 168 cybersecurity professionals in the United States and the United Kingdom.
In the healthcare sector, 30% of cybersecurity professionals said they didn’t report a breach because they were worried they’d lose their job.
Kevin Pierce, chief product officer of VikingCloud, said that many have been taken aback by a significant number of cybersecurity professionals refusing to report attacks, or at least expressing reluctance.
“It was a surprise response for us, too,” Pierce tells Chief Healthcare Executive®.
“We didn’t know what the answer would be. But it was one that jumped out, jumped out everybody that I’ve talked to.”
Pierce says he isn’t sure why so many workers are worried about losing their jobs for reporting a breach. The healthcare sector in particular has struggled to recruit and retain cybersecurity professionals, who can earn more in other industries. So good cybersecurity staffers working in healthcare likely have some job security.
“We’ve got a lot of open positions, people we know are not filling those positions quickly,” Pierce says.
Many cybersecurity professionals are dealing with a lot of “false positives” in their defenses, and Pierce speculates that could be a reason some staffers are leery of disclosing a possible breach. Among the healthcare pros, more than half (59%) of respondents said they spent more than four hours per week dealing with false positives.
Regardless of the motivations, with at least some staffers keeping quiet about breaches, Pierce says, “What that means is that there’s more happening than we know about.”
Two-thirds (66%) of cybersecurity pros in healthcare also said they didn’t think their organizations would be able to comply with Securities and Exchange Commission requirements to disclose a cybersecurity incident within four business days.
Hospitals and other providers need to send a clear message to employees that they won’t be penalized for reporting cyberattacks and breaches, Pierce says. If people are afraid to report a cybersecurity incident, then the organization has a problem with its culture.
“Healthcare and others have to have a culture where employees feel that they can speak up,” Pierce says.
Health systems need to make it clear that breaches and attacks have to be reported to protect the organization and its patients, Pierce says. And he notes the prospect of more regulatory requirements about notification of cyberattacks.
The survey also revealed some troubling assessments of the vulnerabilities of healthcare providers to cyberattacks.
Nearly half of healthcare cybersecurity workers (44%) said that their organizations weren’t sufficiently prepared for ransomware attacks against a third party. Many hospitals have suffered breaches due to attacks aimed at vendors or other third parties, industry analysts say.
Healthcare organizations should be in regular contact with their vendors and partners to assess their cybersecurity and gauge their ability to deal with new threats, Pierce says.
Hospitals and other health providers should do “a risk assessment not only on your own organization, but on a supply chain, and having that cyber risk assessment a mandatory piece of doing business. I think we’re going to see that become more prevalent.”
More than half of healthcare cybersecurity professionals (58%) said their own teams were behind the capabilities of cybercriminals and ransomware groups, according to the VikingCloud survey.
In addition, a majority (54%) of healthcare cybersecurity staffers said they weren’t equipped to defend against AI-fueled cyberattacks.
Pierce projects that healthcare organizations are likely to see more cyberattacks in the near future. Hospitals and health providers are more enticing targets since they are more digitally connected than ever to other partners.
“In healthcare, the attack surface is just exploding,” Pierce says.
Healthcare executives and boards need to ensure that cybersecurity is a system-wide priority, and Pierce notes that it can’t simply be relegated to information technology or cybersecurity staff.
“It’s a problem for everyone in the organization,” Pierce says. “It’s a problem for your customers. If I’m in retail, it’s a problem for my customers who are coming in and trying to buy something. If I’m in healthcare, it’s my patients.”
The Ascension health system suffered a ransomware attack earlier this month that continues to hamper patient care. Some hospitals have diverted ambulances to other facilities. Key systems, including electronic health records, have been taken offline. While Ascension hospitals and clinics are open, patients have been told to expect longer waits.
Hospitals and clinics around the country have been affected by the Change Healthcare ransomware attack. A subsidiary of UnitedHealth Group, Change Healthcare handles billing, claim processing and prescriptions for many providers nationwide. Most hospitals have said they’ve suffered financial losses due to the Change Healthcare attack, and they said it has affected patient care. UnitedHealth has said it’s unclear how many patient records have been exposed but said the breach may have affected “a substantial portion of people in America.”
Federal officials have said they are investigating the Change Healthcare cyberattack.
In 2023, large breaches reported to the government affected more than 134 million people, more than 1 in 3 Americans, an increase of 141% from 2022, according to the U.S. Department of Health and Human Services.