Critical Insight announced the release of a report which analyzes breach data reported to the U.S. Department of Health and Human Services by healthcare organizations.
As we entered the second year of the pandemic in 2021, healthcare systems found themselves under unprecedented and unrelenting stress. Frontline healthcare workers continued to be understaffed and overworked. Hospitals were so overcrowded that they have been forced to postpone routine medical procedures until the latest surge of COVID-19 cases subsides.
Similarly, IT departments at healthcare organizations faced critical skills and staffing shortages as they battled the latest cyberattack variants. Today, those departments continue to be stretched so thin dealing with pandemic-related crises that routine security measures may fall by the wayside, breaches may go undetected for weeks, and efforts to validate the security measures undertaken by affiliates and third parties may fall short.
The effects of braches on healthcare organizations
- Total individuals affected: 2021 hit a high of 45 million individuals affected by healthcare attacks, up from 34 million in 2020. That 45 million number is triple the number of individuals impacted only three years ago. (The number was 14 million in 2018)
- Who is getting breached?: Attacks against health plans jumped nearly 35% from 2020 to 2021. And attacks against business associates, or third-party vendors, increased nearly 18% from 2020 to 2021. Fortunately, attacks against Healthcare Providers (where most breaches are historically reported) declined slightly after peaking in 2020 (down ~4%).
- Most common breach causes: Hacking/IT incidents continue to be the most common cause of breaches with an increase of 10% in 2021. Hacking was also responsible for the vast majority of individual records that were affected by breaches, which means those records were likely sold on the Dark Web.
- One thing we’re watching: When we look at which segments of the healthcare ecosystem had Hacking/IT Incident type breaches, we’re now seeing outpatient/specialty clinics have more Hacking/IT Incident type breaches than hospitals. Outpatient/specialty clinics saw a 41% increase in Hacking/IT Incident type breaches in 2021 compared to 2020.
“Whether the attack vector is ransomware, credential harvesting or stealing devices, the healthcare industry is a prime target for attackers to monetize PHI and sell on the Dark Web or hold an entity ransom unable to deliver patient care,” said John Delano, Healthcare Cybersecurity Strategist at Critical Insight and VP at Christus Health.
“As we continue into 2022, healthcare organizations need to be on guard not only of their cybersecurity posture but also of third party vendors that have access to data and networks. We are seeing more awareness and proactive approaches to cybersecurity within this sector, but there is still a long way to go.”