The healthcare sector has become one of the most targeted industries for cybercriminals. In the first half of 2022 alone, 324 attacks were reported. As bad actors continue to target healthcare, cybersecurity experts and healthcare administrators should be aware that attacks are increasingly affecting smaller organizations. The numbers behind the headlines point to some unexpected trends.
Healthcare Breaches in Decline?
It might seem surprising, but data from the first half of 2022 show that the overall number of healthcare data breaches is in decline. A closer look, however, shows that even as the number of incidents per year varies, the volume of exposed records keeps fluctuating as attackers shift their targets. Healthcare organizations are attractive targets because they hold a trove of valuable information: large quantities of demographic data are fertile ground for identity thieves, and larger facilities are also exposed to ransomware because they have the financial means to pay large ransoms.
One way hackers have reoriented their attacks is by targeting electronic medical record (EMR) systems. Many healthcare systems rely on the same handful of EMR vendors, so when a single EMR company is compromised, multiple hospitals or health systems can have their data exposed at once. In the first half of 2022, twenty such hacking incidents were reported, compared with only 5 in 2021, 4 in 2020, and 1 in 2019.
Despite all these reasons to target healthcare companies, the total number of breaches in the first half of 2022 was down 6% compared with the first half of 2021. Experts nevertheless expect the yearly total to exceed pre-pandemic levels, which is unsurprising given that breaches have grown since the COVID-19 pandemic began and show no sign of stopping.
For example, consider the following table illustrating trends in healthcare data breaches:
| | 2019 Q1/Q2 | 2019 Q3/Q4 | 2020 Q1/Q2 | 2020 Q3/Q4 | 2021 Q1/Q2 | 2021 Q3/Q4 | 2022 Q1/Q2 |
|---|---|---|---|---|---|---|---|
| Breaches | 233 | 273 | 269 | 393 | 367 | 344 | 324 |
| Records exposed | 11.5M | 33.5M | 8.2M | 26.2M | 27.6M | 22.2M | 19.9M |
Since the beginning of the pandemic in early 2020, a sharp increase can be seen in the number of reported healthcare data breaches, and since Q3/Q4 2020 the half-year totals have trended downwards. Despite this apparent downward trend, Q3/Q4 of 2019 exposed far more records (33.5M) than any subsequent half year. When evaluating cybersecurity threats in the healthcare industry, professionals should therefore not focus only on the number of breaches, because that count may not reflect the actual depth or breadth of the attacks that are occurring.
A recent attack on CommonSpirit Health illustrates this point. On October 3rd, the Chicago-based health system was hit with a ransomware attack. CommonSpirit operates 140 hospitals and more than 1,000 care centers across 21 states and has treated some 20 million patients, so a single attack against one entity could potentially expose some or all of those records. Smaller care centers and other healthcare suppliers are likewise full of data for bad actors to seize.
Annual totals, with the first-half count of each year shown for comparison:

| Year | Annual total breaches | Records accessed annually (millions) | First 6-month total breaches |
|---|---|---|---|
| 2019 | 506 | 35 | 285 |
| 2020 | 662 | 34.4 | 269 |
| 2021 | 711 | 49.8 | 367 |
| 2022 | Unknown | Unknown | 324 |
Specialty Clinics & Smaller Healthcare Facilities Are Still Vulnerable
Despite the overall decrease in breaches, the healthcare industry remains at risk. Cybercriminals are now targeting smaller clinics and hospital systems because they lack the security preparedness of larger, well-established hospitals.
Smaller facilities such as local dental practices or urgent care clinics are the most vulnerable: these privately owned, independent facilities cannot match the resources of a larger regional hospital.
Third-party vendors commonly used by smaller practices are also being targeted, which means attackers can expose a small practice's data simply by compromising its electronic medical record system or another vendor. Third-party vendor attacks now represent 8% of total breaches. Attacks are also becoming more effective as machine learning is used to aid cybercrime.
Third-party vendor attacks potentially open up huge liability for smaller healthcare agencies.
Similarities to Supply Chain Attacks
Targeting smaller healthcare facilities through their third-party service providers closely resembles the common and growing category of supply chain attacks, in which hackers damage an organization by compromising less secure parts of its supply chain. For example, many healthcare facilities rely on a third-party servicer to handle their electronic medical records; bad actors can compromise that third party and then reach valuable data belonging to the primary target.
Who Is Being Chosen?
Some of these third-party attacks have already materialized in past years, and 2022 has seen multiple attacks involving electronic medical record services. When breaches are broken down by segment, specialty clinics are the top source (31%).
Medical services and supplies (pharmacies, medical supply companies, and provider alliances) accounted for 14% of breaches in the first half of 2022. Another area of concern is business associate breaches. Business associates are other entities linked into the healthcare supply chain, including record providers, consultants, billing companies, cloud services, web hosting services, and medical device manufacturers. In the first half of 2022, 15% of data breaches were attributable to these supply chain associates.
Major Attacks in 2022
In 2022, several major attacks have already been identified:
- Shields Health Care Group: This third-party servicer, which provides management and imaging services to more than 50 healthcare facilities, experienced a breach affecting more than 2 million individuals.
- Partnership HealthPlan of California: This breach involved a third-party group that oversees Medicare benefits; approximately 850,000 individuals were affected.
- Yuma Regional Medical Center: This facility experienced a ransomware attack that exposed the Social Security Numbers and other personal information of over 700,000 individuals.
- Resource Anesthesiology Associates and Anesthesia Associates: Over 380,000 patients across Texas, California, Washington, and Maryland were potentially exposed.
- Michigan Medicine: Approximately 34,000 patients had their data exposed after an attacker used a phishing campaign to compromise employee email accounts. Most striking is that this was not the first cyberattack Michigan Medicine has suffered.
How Did Data Breaches Occur?
The overwhelming majority of breaches were caused either by an intentional criminal act or by an IT incident. In healthcare, improperly accessing patient records or disposing of them incorrectly can also constitute a data breach, but incidents of that kind do not typically expose patient data to dark web markets, where data is traded like a commodity. Taken together, malicious activity accounts for 97% of the breaches that actually harm individuals.
Implications of Cyber Incidents
Cyber incidents resulting in a data breach can cause significant interruptions to healthcare services. In 2022, the average cost of a data breach was $9.44M, and healthcare organizations can also face penalties under HIPAA. Machine learning can help defenders as well, for example by triaging large volumes of vulnerability findings and logs faster than manual review; by 2020, 89% of companies reported having a data scientist position. It is a tool for finding problems more quickly, however, not a substitute for fixing them through patching, access control, and vendor oversight.
Besides the cost of resolving a breach, cyberattacks can cripple critical services. Ransomware often takes over entire systems rather than a single computer, so a whole clinic can be shut down. Most significantly, even healthcare businesses that are not targeted directly can be affected when bad actors hit third-party companies in the healthcare supply chain.
About the Author:
Isla Sibanda is an ethical hacker and cybersecurity specialist based out of Pretoria. For over twelve years, she’s worked as a cybersecurity analyst and penetration testing specialist for several reputable companies – including Standard Bank Group, CipherWave, and Axxess.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.