The healthcare sector has become one of the industries most frequently targeted by cybercriminals. In 2022, 324 attacks were reported in the first half of the year. As bad actors continue to target the healthcare industry, cybersecurity experts and healthcare administrators should be aware that attacks are increasingly impacting smaller companies. These numbers point to unusual trends occurring in the healthcare industry.
It might seem surprising, but trends collected from the first half of 2022 reveal that overall healthcare data breaches are in decline. However, a closer inspection of recent data reveals that, despite variations in the number of attacks per year, the volume of exposed records continues to fluctuate as hackers shift their targets. Healthcare companies make significant targets for cybercriminals because they are a trove of valuable information. The large quantities of demographic data are fertile ground for identity thieves. Larger healthcare facilities are also vulnerable to ransomware attacks because they have the financial backing to pay huge ransoms.
One way hackers have reoriented their attacks is by targeting electronic medical record (EMR) systems. Today, many healthcare systems rely on the same EMR companies. When a single EMR company is compromised, multiple hospitals or healthcare systems can have their data exposed. In the first half of 2022, twenty such hacking incidents were reported. By comparison, there were only 5 in 2021, 4 in 2020, and 1 in 2019.
Despite all these reasons to target healthcare companies, the total number of breaches in the first half of 2022 was down 6% compared to the first half of 2021. However, experts believe the yearly total of breaches will still exceed pre-pandemic levels. This is unsurprising because data breaches have grown since the COVID-19 pandemic and show no signs of stopping.
For example, consider the following table illustrating trends in healthcare data breaches by half year:

Period      2019 Q1/Q2   2019 Q3/Q4   2020 Q1/Q2   2020 Q3/Q4   2021 Q1/Q2   2021 Q3/Q4   2022 Q1/Q2
Breaches    233          273          269          393          367          344          324
Records     11.5M        33.5M        8.2M         26.2M        27.6M        22.2M        19.9M
Since the beginning of the pandemic in early 2020, a sharp increase can be seen in the number of reported healthcare data breaches. Additionally, since Q3/Q4 2020, the total number of breaches has trended downwards. Despite this apparent downward trend, Q3/Q4 of 2019 saw far more data breaches than any subsequent half year. This indicates that, when evaluating cybersecurity threats in the healthcare industry, professionals should not focus only on the overall number of breaches, because this figure may not reflect the actual depth or breadth of the attacks that are occurring.
A recent attack on CommonSpirit Health demonstrates this concept. On October 3rd, the Chicago-based health system was hit with a ransomware attack. CommonSpirit operates 140 hospitals and more than 1,000 care centers across 21 states. Although this is a single attack against one entity, CommonSpirit has treated 20 million patients in the past. This means that attackers could potentially have accessed some or all of those records in a single attack. Smaller care centers and other healthcare industry suppliers are likewise full of data for bad actors to seize.
Year   Annual Total   Records Accessed Annually (in Millions)   First 6-Month Total
2019   506            35                                        285
2020   662            34.4                                      269
2021   711            49.8                                      367
2022   Unknown        Unknown                                   324
Despite the decrease in breaches overall, the healthcare industry remains at risk. Cybercriminals are now targeting smaller clinics and hospital systems because they lack the same security preparedness that larger, well-established hospitals have.
For example, smaller healthcare facilities, like local dentists or urgent care clinics, are the most vulnerable. These privately owned, independent facilities cannot match the security resources of a larger regional hospital.
Additionally, the third-party vendors often used by smaller practices are now being targeted as well. This means that attackers can expose the data of smaller practices simply by targeting electronic medical record systems and vendors. Third-party vendor attacks now represent 8% of total breaches. Attacks are also becoming more effective as machine learning is now being used to aid cybercrime activities.
Third-party vendor attacks potentially open up huge liability for smaller healthcare agencies.
Targeting smaller healthcare facilities by attacking their third-party service providers bears a striking resemblance to the increasingly common supply chain attack. Supply chain attacks are a type of cyberattack in which hackers attempt to damage an organization by targeting less secure portions of its supply chain. For example, many healthcare facilities use a third-party service provider to handle their electronic medical records. Bad actors can compromise these third parties and then gain access to valuable data belonging to the primary target.
Some of these third-party-based attacks have already materialized in years past. In 2022, multiple attacks involving electronic medical record services occurred. When breaches are broken down by segment, specialty clinics are a top source of data breaches (31%).
Medical services and supplies (made up of pharmacies, medical supply companies, and provider alliances) account for 14% of breaches in the first half of 2022. Another area of concern is business associate breaches. Business associates are other entities linked in the healthcare supply chain, including record providers, consultants, billing companies, cloud services, web hosting services, and medical device manufacturers. In the first half of 2022, 15% of data breaches were attributable to these medical supply chain associates.
In 2022, several major attacks have already been identified:
The overwhelming majority of breaches were caused by either an intentional criminal act or an IT incident. In the healthcare industry, when patient records are improperly accessed or disposed of incorrectly, this can constitute a data breach. However, these types of data breaches don't expose patient data to dark web markets, where data is traded like a commodity. When considered in total, malicious activity accounts for 97% of the breaches that actually harm individuals.
Cyber incidents resulting in a data breach can cause significant interruptions to healthcare services. In 2022, the average cost of a data breach was $9.44M. When data breaches occur, healthcare organizations can also be liable for other penalties under HIPAA. One way to help combat these issues is for companies to leverage machine learning to search for vulnerabilities in their software. This is why, in 2020, 89% of companies had a data scientist position. Machine learning allows companies to quickly solve complex problems, like cybersecurity flaws.
Besides the costs associated with resolving a data breach, cyberattacks can also cripple critical services. Ransomware often takes control of entire systems, not just a single computer. For example, an entire clinic can be shut down by ransomware. Most significantly, even if they are not targeted directly, healthcare businesses can still be impacted when bad actors target third-party companies in the healthcare supply chain.
Isla Sibanda is an ethical hacker and cybersecurity specialist based out of Pretoria. For over twelve years, she’s worked as a cybersecurity analyst and penetration testing specialist for several reputable companies – including Standard Bank Group, CipherWave, and Axxess.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.