29% of healthcare organizations reported two or more successful ransomware incidents, compared to an overall figure of 38%. This suggests that attacks are not always completely neutralized or that security gaps are not always identified and addressed after the initial incident.
The good news is that more than half (59%) were able to restore encrypted data using backups, compared to 52% overall, and just 22% paid the ransom to recover their data, compared to 34% overall.
Spear-phishing attacks have significant impact
Just 8% of the healthcare organizations surveyed felt underprepared to face a spear-phishing attack. To some extent this confidence is justified, as only 32% of healthcare respondents were hit with such an attack in 2022, compared to 50% overall. However, for those that were affected, the impact of the attack was often severe.
60% of those affected said that computers or other machines had been infected with malware or viruses, compared to 55% overall, while 60% said that confidential or sensitive data had been stolen, compared to 49% overall. 70% reported stolen login credentials or account takeover, compared to 48% overall, and 40% reported direct monetary loss.
It takes healthcare around 3.5 days to detect and remediate an email security incident
The research found that healthcare organizations take less time than many other sectors to spot an email security incident (29 hours on average, compared to 43 overall), but they were near the middle of the field when it came to responding to and remediating the incident, taking 51 hours on average, compared to 56 overall.
According to respondents, the biggest obstacles to fast response and mitigation were a lack of automation, cited by 40% compared to an all-industry total of 38%, and a lack of budget, cited by 34% compared to 28% overall.
Email-based cyberattacks have been around for decades, yet they remain widespread, ever-evolving — and persistently successful.
Healthcare organizations need to have robust email security in place, with strong authentication controls (multifactor authentication at the very least, but ideally moving toward Zero Trust measures), as well as restricted access rights, automated incident response, and AI-based threat detection and monitoring. All of this should be accompanied by continuous employee education and awareness training so that people know how to spot and report a suspicious message.
Ideally, these email defenses should form part of an integrated security platform that provides the IT team with full visibility of the entire IT environment and the ability to detect, investigate, and respond to incidents or patterns of abnormal behavior that could indicate unwanted intruders.
The survey was conducted for Barracuda by independent research firm Vanson Bourne and questioned IT professionals from frontline to the most senior roles in companies with 100 to 2,500 employees, across a range of industries in the U.S. and EMEA and APAC countries. The sample included 62 healthcare organizations.