Getty Images/iStockphoto
Outpatient Facilities Now Top Targets for Healthcare Data Breaches
Cyber criminals are shifting their healthcare data breach targets away from hospitals and onto outpatient facilities and business associates, a new report shows.
Hackers are changing their tactics when it comes to healthcare data breaches in 2021. As hospitals struggled to combat COVID-19 in 2020, cyber criminals added to the chaos by infiltrating networks, threatening to release medical information online, and demanding ransoms from increasingly desperate hospitals.
But in the first half of 2021, outpatient facilities and specialty clinics fell victim to healthcare data breaches nearly as often as hospitals, according to a new report published by Critical Insight. In addition, business associates accounted for 43 percent of all healthcare breaches, which validated a three-year upward trend.
The number of breaches in 2021 was higher than the first six months of last year and any six-month period between 2018 and the first half of 2020, researchers found.
The report examined HHS’s data breach portal to garner valuable insights on the shifting trends in healthcare data breaches. The portal displays all reported healthcare data breaches along with the number of individuals impacted, entity type, and location of the breached information.
HHS breaks down healthcare cybersecurity incidents into five main categories: hacking/IT incident, improper disposal, loss, theft, and unauthorized access/disclosure. Researchers discovered that more than 70 percent of the data breaches reported in the first half of the year were categorized as a hacking/IT incident.
As hospitals adjust their cybersecurity strategies to prepare for the likely event of a cyberattack, hackers have been forced to look elsewhere for targets. As a result, outpatient facilities and business associates should now be on high alert.
In the first half of the year, 141 breaches reported to HHS involved business associates, compared to 44 in the first half of 2018.
“The causes of breaches at third-party vendors can run the gamut, ranging from poor access controls that fail to prevent vendors from seeing restricted data to phishing attacks,” the report explained.
“As these and other third-party breaches continue to make the news, it demonstrates that attackers are paying more attention to this ecosystem of vendors as a vulnerable link in the cybersecurity chain.”
An increase in hacking/IT incidents led to a 77 percent increase in the number of breaches in the first half of 2021 compared to the first half of 2018.
It is unsurprising that hackers have chosen to aggressively attack the healthcare industry, researchers emphasized. Protected health information (PHI) is valuable in many ways. Hackers can sell it on the dark web, file fraudulent insurance claims, or, most likely, hold it for ransom.
“It does not help that many health organizations use devices that run on operating systems that are out-of-date, and many devices were not designed with cybersecurity in mind,” the report continued.
“However, in an environment that prizes performance and constant availability, replacing these devices is neither convenient nor cheap. The interconnectedness of medical devices creates the potential for a catastrophic security failure.”
Phishing, ransomware, and the exploitation of software vulnerabilities are the most common types of cyberattacks. A few main ransomware groups, such as Conti and Ryuk, are responsible for many of the large-scale cyberattacks.
In May, an FBI Flash Alert warned healthcare industries of Conti’s growing presence and encouraged providers to stay vigilant. Conti claimed responsibility for at least 400 hacking incidents, 290 of which occurred in the US.
Phishing attacks are also an easy way for hackers to hijack networks. One click by an unsuspecting individual can compromise and shut down an entire hospital’s network. Educating employees on what phishing email might look like is crucial to preventing this type of attack.
“The adoption of mobile devices and cloud computing will also continue to bring their own set of security challenges as well, as healthcare organizations strive to maintain visibility and consistent enforcement of security policies while embracing mobility and a hybrid IT environment,” the report noted.
But that does not mean that there is nothing healthcare organizations can do to prevent and mitigate the effects of a cyberattack. Education, cybersecurity investments, and regular system patching are critical to ensuring security.
The report advised healthcare entities to assess third-party risk, regularly review business associate agreements, and implement strict access controls. Considering the growing number of cyber threats, healthcare providers must ensure basic cyber hygiene to avoid becoming the next name on HHS’ data breach portal.