According to a new report from Critical Insight, cyberattacks are increasingly targeted at relatively small healthcare organisations and specialty clinics that lack the capacity to defend themselves, rather than larger health systems that, while being treasure troves of personal and medical data, generally have more advanced security.
With the Eye Care Leaders electronic health records breach, which compromised more than 2 million records, cybercriminals struck gold this year. The data of about 940,000, 1.1 million, and 1.9 million individuals, respectively, was exposed as a result of attacks against the revenue cycle management vendor Practice Resources, the printing services vendor OneTouchPoint, and the accounts receivable firm Professional Financial Company.
Since reaching their high in the second half of 2020, overall breaches have been progressively falling. Yet according to the analysis, which examines breach data reported to the HHS, the tendency of concentrating on a systemic technology used by the majority of suppliers is one the cybersecurity company anticipates will continue for the rest of the year.
According to Critical Insight, despite a decline in total breaches from a high of 393 in the second half of 2020 to 324 in the first half of 2022, the healthcare sector remains a top target for cybercriminals. Approximately 20 million people were impacted in the first half of this year, which is a 28% decrease from the same period last year and the third straight quarter of breach decline, according to the research.
Healthcare suppliers, business partners (businesses that manage data on behalf of suppliers and insurers), and health plans, in that order, account for 73%, 15%, and 12% of all breaches. It’s interesting to note that Critical Insight discovered a decrease in breaches related to healthcare providers from 269 in the first half of 2021 to 238 in the same period in 2022.
Breaches involving EHRs have increased from zero in the first half of 2020 to 8% of all breaches in the first half of this year. Despite declining from a peak of 67% in the first half of 2021, network server hacks still account for the majority of breaches (57%), which is the case for the majority of breaches in general. Specialty clinics and smaller hospital systems are increasingly affected by hacking and IT event breaches. Health plan-related breaches decreased by 53%, although attacks on business partners and providers increased by 10% and 15%, respectively.
According to John Delano, healthcare cybersecurity specialist at Critical Insight and Vice President of Christus Health, this shift from big hospital systems and payers to smaller companies, which actually have a shortfall when it comes to cyber defences, shows a huge change in targets and tactics. They predict that as things move into 2022, attackers will continue to target these smaller companies for ease of assault as well as to avoid attention from the media and escalated interactions with law enforcement.