Hacking Accounted For Nearly 80% of Healthcare Data Breaches Last Year
In past years, unauthorized disclosures, loss, theft, and improper disposal accounted for more healthcare data breaches than malicious hacking.
Nearly 80 percent of healthcare data breaches reported to the HHS Office for Civil Rights (OCR) in 2022 were attributed to hacking and IT incidents, Fortified Health Security noted in its “2023 Horizon Report,” signifying a 45 percent increase from just five years ago.
What’s more, 70 percent of reported breaches (impacting more than 500 individuals each) affected healthcare providers, with business associates and health plans making up a much smaller portion of the total number of impacted entities. In total, 51.4 million healthcare records were breached in 2022, compared to 49.4 million in 2021.
As previously reported, many of the top ten largest healthcare data breaches reported to HHS in 2022 stemmed from third-party vendors, underscoring the need for better third-party risk management. These trends are likely to continue into 2023 and beyond, Fortified Health Security suggested.
“Healthcare organizations must get granular with cybersecurity precautions if they want to stem the tide of breaches,” the report continued.
“Focusing on the basics — strong passwords, multi-factor authentication (MFA), vulnerability management, frequent patching, and managing human risk through continuous training of the entire workforce — will go a long way toward minimizing threats from the inside and outside.”
The report offered five areas for healthcare security teams to prioritize in 2023. First, Fortified Health Security urged organizations to tackle emerging threats by knowing their IP range, managing password strength, and implementing endpoint detection and response solutions.
Next, the report called attention to third-party risk management and stressed the importance of continuous monitoring and re-assessments.
“Third-party risk management (TPRM) shouldn’t be a point-in-time response to a cyber insurance request or a mandate from the C-suite,” the report noted.
“It should be a comprehensive and forward-looking program, integrated into the overall vendor evaluation process as a proactive engagement of identifying risk versus a reactive approach that happens after vendors are onboarded.”
In addition, Fortified Health Security encouraged healthcare organizations to implement and continuously monitor multi-factor authentication, leverage available subsidies and grants, and bolster their security training and awareness programs.
The experts predicted an increase in cybersecurity funds for providers in 2023, along with an increase in cyber spending and an uptick in breaches to match.
"Hospitals and health systems faced tremendous pressures, both internally and externally in 2022 — and not just from a cybersecurity perspective, but also in terms of profitability, expenses, and staffing," Dan L. Dodson, CEO of Fortified Health Security, said in an accompanying press release.
"We cannot let our guard down, as we anticipate a rise in large-scale breaches this year. The effects of these hacking incidents and breaches on healthcare are detrimental, and to mitigate this, we expect to see an increased investment by stakeholders in new cybersecurity solutions that reduce risk and increase their security posture in 2023."