- Outpatient facilities, including family medicine and specialty clinics, were targeted by cybercriminals nearly as often as hospitals in the first half of this year, according to a report from cybersecurity firm Critical Insight using HHS data.
- Among healthcare facilities overall, breaches are occurring nearly twice as often since 2018, and breaches attributed to hacking and IT incidents are occurring nearly three times as often, the report found.
- Business associates, such as claims processors, now account for 43% of all healthcare breaches, according to the report.
Healthcare entities are a prime target for cybercriminals, who nab electronic protected health information that can be worth significantly more than a credit card number or social security number.
"The healthcare industry is a target-rich crucible of remote workers, medical devices running outdated software, and third-party vendors with access to sensitive information," the report said. "Managing risk in an era of digital transformation comes with a mandate to review their security policies and controls and adjust to a complex threat landscape."
While the report didn't get into specifics on medtech breaches it noted: "The interconnectedness of medical devices creates the potential for a catastrophic security failure."
Such attacks can also put systems in operational and financial binds. Last September, Universal Health Services fell victim to a massive cyberattack causing a shutdown of IT operations across more than 250 of its hospitals. Ambulances and procedures were diverted to competitor facilities, with the incident costing the system $67 million in the back half of the year.
And a recent report from Fitch Ratings found that growing cyberattacks can pose a threat to patient care as well as providers' bottom lines. The cost for recovering a patient record increased 16% from 2019 to 2020, Fitch said.
The number of breaches at healthcare organizations in the first half of this year was up significantly from the first half of last year, and higher than any six-month period since 2018, according to Critical Insight.
HHS has five categories of breach incidents for healthcare facilities: theft, improper disposal, loss, unauthorized access or disclosure and hacking or IT incidents.
Any breach resulting from criminal hackers or compromising security systems is considered a hacking or IT incident, and more than 70% of the breaches HHS identified in the first half of 2021 were such incidents, the report found.
At the same time, hackers are changing their targets and looking for the easiest ones. Smaller healthcare organizations typically run the same technology as larger hospitals systems, making them just as vulnerable, the report said. They also often have less money to spend on security features.
Business associates such as claims processors are being increasingly targeted, and while they should be covered by agreements that mandate strong security measures, hackers have still been able to exploit them.
"As these and other third-party breaches continue to make the news, it demonstrates that attackers are paying more attention to this ecosystem of vendors as a vulnerable link in the cybersecurity chain," the report said.
In the first half of this year, 141 breaches HHS identified involved business associates, compared to just 66 in the second half of 2019, according to the report.