Dive Brief:
- Cyberattacks are increasingly being focused on smaller healthcare companies and specialty clinics without the resources to protect themselves, instead of larger health systems that — despite being treasure troves of personal and medical data — generally have more sophisticated security, according to a new report from Critical Insight.
- Cybercriminals hit the jackpot this year with the Eye Care Leaders electronic medical records breach, which exposed more than 2 million records. Other major attacks include those against revenue cycle management vendor Practice Resources, printing services vendor OneTouchPoint and accounts receivable firm Professional Financial Company that exposed the data of about 940,000 individuals, 1.1 million individuals and 1.9 million individuals respectively.
- Overall breaches are steadily declining from their peak in the second half of 2020. But the trend of focusing on a systemic technology used across most providers is one the cybersecurity firm expects to continue throughout the remainder of the year, the report, which analyzes breach data reported to the HHS, said.
Dive Insight:
The healthcare industry continues to be a top target for cybercriminals, even as total breaches fall from a peak of 393 in the second half of 2020 to 324 in the first half of 2022, according to Critical Insight.
Roughly 20 million individuals were affected in the first half of this year — the third consecutive quarter of breach decline, and a 28% drop compared to the same period last year, the report found.
Healthcare providers, business associates (companies that handle data on behalf of providers and insurers) and health plans represent 73%, 15% and 12% of total breaches, respectively. Interestingly, Critical Insight found that breaches associated with healthcare providers dropped from 269 in the first half of 2021 to 238 in the first half of 2022.
EHR-related breaches rose from zero in the first half of 2020 to about 8% of all breaches in the first half of this year. Hacks associated with network servers continue to make up the majority of breaches with 57%, though that’s down from a peak of 67% in the first half of 2021.
Smaller hospital systems and specialty clinics are rising to the top of those affected by hacking or IT incident breaches. Breaches associated with health plans dropped by 53%, but attacks against business associates jumped 10% and attacks against providers went up 15%.
That shift, from “large hospital systems and payers to smaller entities that truly have a deficit when it comes to cyber defenses, shows a massive change in victims and approach,” John Delano, healthcare cybersecurity strategist at Critical Insight and Vice President at Christus Health, said in a statement on the report. “As we continue into 2022, we anticipate attackers to continue to focus on these smaller entities for ease of attack, but also for evasion of media attention and escalation with law enforcement.”