Large-scale breaches overshadow decline in number of healthcare data incidents

While H1 2023 saw an encouraging decrease in the overall number of data breaches impacting healthcare organizations, it was overshadowed by large-scale breaches resulting in a significant increase in the number of individuals affected, which reached record levels, according to Critical Insight.

Notably, the report revealed a decrease in total breaches but an increase in the number of individuals affected; the focus of attacks on the supply chain and third-party associates; and, particularly noteworthy, the shift in some attackers’ strategies from encryption to extortion.

“The results of this analysis support the hypothesis that cybercriminals are continually evolving their tactics to minimize risk and maximize the return on effort,” said Mike Hamilton, CISO at Critical Insight.

“Focusing on business associates that perform a service for covered entities should give all these providers pause. Fines, additional regulatory scrutiny, class actions, and enforcement of the false claims act will affect these organizations for years,” Hamilton continued.

Breach numbers decrease

Total breaches dropped 15% in the first six months of 2023 compared to the second half of 2022, which is a positive trend considering the steady increase in attacks over the past few years. The reduced number of breaches in the first half of this year suggests that the overall number may be lower for the entire year. This year is on track to record the fewest breaches since 2019 and experience fewer provider breaches compared to the previous three years.

Exposed records increase

Individual records compromised in data breaches surged by 31% in 1H 2023 compared to 2H 2022. Despite declining over the latest reporting period, the number of individuals affected increased from 31M in 2H 2022 to 40M in 1H 2023. 90% of these breaches were the result of hacking incidents, while unauthorized access accounted for most of the remaining percentage.

With the first half of this year at 40 million, the number in just a six-month reporting period is already 74% of the total number of individuals affected in 2022, representing the highest number on record for six months.

Data breach causes

Hacking/IT incidents were the primary cause, accounting for 73% of breaches in 1H 2023. Compared to the first-most affected breach type in the previous reporting period, unauthorized access/disclosure was the second-most prevalent type in 1H 2023, with a notable increase from 15% in 2022 to 23%.

Theft, losing records, and improper disposal were relatively insignificant contributors to data breaches.

Hacker entry points

The focus on network server vulnerabilities and the adaptation of defense against email-related hacks point to a continual evolution in the cyber landscape. Hackers have shifted their tactics towards targeting network vulnerabilities. Network server breaches are responsible for a staggering 97% of individual records affected, while only 2% can be attributed to email breaches.

Evolved attacker tactics

Hackers have intensified their attacks on third-party business associates as breaches associated with business associates have steadily risen and were significantly higher than individuals affected in healthcare provider and health plan-related breaches. Of the 40 million exposed records, 48% were linked to business associates, while 43% were associated with healthcare providers. In the first half of 2023, 50% of individuals impacted by a breach had a business associate present.

“Our report found that hackers are increasingly targeting the weakest links and vulnerable points in the supply chain, specifically business associates or third-party companies, that offer services to healthcare organizations emphasizing the importance of effective incident response planning and proactive defense strategies,” said John Delano, Healthcare Cybersecurity Strategist at Critical Insight and VP at CHRISTUS Health.

“Now more than ever, healthcare organizations must remain vigilant of their security and exposures within their supply chain as attackers constantly adapt new strategies,” Delano added.

It is crucial for healthcare organizations to remain vigilant as attackers constantly adapt to avoid being hacked. The key takeaway is the importance of preparation, detection, and effective incident response.

To adequately prepare, organizations should:

• start with an incident response plan and a NIST-CSF-based risk assessment to build a multi-year strategy;
• track the cyber hygiene of its critical partners essential to maintaining a more secure environment;
• place robust focus on safeguarding third-party vendors, business associates, and suppliers from vulnerabilities;
• ensure support from the board, emphasizing the most critical impact for the investment.