Cybercriminals increasingly target patient data stored by third-party vendors and business associates
Nearly 50 million Americans were affected by data breaches of their health records in 2022.
That’s the disturbing figure from a new analysis from Critical Insight, a cybersecurity company.
The number of breaches actually dropped in the second half of 2022, the report found. There were 313 breaches from July through December, a 9% decline from the 345 reported in the first half of the year.
But even as the number of breaches dropped, more individuals were affected by those breaches in the latter part of the year.
There were 28.5 million Americans affected by breaches in the second half of 2022, compared to 21.1 million during the first six months of the year, a 35% increase. In the last six months of the year, the average health data breach affected more than 91,000 individuals.
Health systems still have a lot of work to do to protect patient records from cyberattacks, said John DeLano, a co-author of the report and the vice president of ministry and support services at CHRISTUS Health.
“We feel like we've made some progress, because overall, the breach numbers are down,” he said. “But realistically, when you look at it, the number of records affected are up. And so that, to me, is the bigger problem.”
There were 658 breaches in 2022, down from 711 in 2021. The report found that 49.6 million Americans were affected by breaches in 2022, which actually represents a drop from 53.4 million in 2021.
Still, the impact of breaches has grown substantially in recent years. In 2020, 34.4 million Americans saw private information exposed in breaches. There were 662 breaches in 2020, which is virtually the same number as in 2022, but last year’s attacks and breaches affected 15 million more people.
More sophisticated attacks
Attackers are starting to shift some of their efforts to gain access to health records. While criminals are targeting hospitals and health care providers, they are also gaining access by going after the other businesses health systems rely on every day, including third-party vendors, accounting, billing and lawyers.
In the second half of the year, more records were exposed due to breaches occurring at business associates (48%) than at healthcare providers (47%).
Over the course of 2022, 71% of all health data breaches occurred in healthcare providers, while 17% of breaches were linked to business associates, and 12% of breaches came from health plans, according to the report.
Delano said health care organizations are paying more attention to the security of data being handled by third-party vendors and other business associates, and they are spelling out legal requirements to protect that patient information. But it’s a difficult task.
“It's hard for organizations, because we deal with a lot of third parties, we deal with a lot of business associates, and having the bandwidth to be able to periodically check in on them and make sure that they're treating your data the way you would treat it, becomes very difficult. And that's hard to maintain,” Delano said.
Attackers did their greatest damage by obtaining records from network servers, according to the report. “Network servers were the jackpot for hackers,” accounting for 90% of the records that were breached, according to the report.
Attackers are apparently finding more success in gaining access to electronic health records (EHRs), the report states. While breaches involving EHRs were nonexistent in the past, the report said 7% of breaches involved EHRs in the first half of the year, and 4% of breaches in the last six months of 2022. For the year, 6 million patient records were exposed due to EHR-related breaches, according to the report.
“When you've got a database of records that could span 10 or 15 years, you're going to have a lot of patients that are impacted,” Delano said.
Some breaches are becoming more damaging because attackers are getting more sophisticated. In the past, health systems built defenses against “script kiddies, people that just kind of Googled how to hack something, and they're looking for commonly known vulnerabilities, but they don't really know what they're doing,” Delano said.
Now, Delano said, “They're more sophisticated. And so, that is becoming a challenge, because it used to just be that you had to protect from some common known stuff, and now people are actually doing real hacking.”
Among the larger breaches of the year, CommonSpirit Health suffered a ransomware attack that impacted 600,000 patient records, the report noted. The system took its electronic medical records offline and had to reschedule some patient appointments.
Health systems still continue to see breaches occurring through email. In the second half of 2022, 20% of breaches occurred via email, which was down from 30% in the first half of the year.
“A lot of organizations do phishing campaigns, and I think that's helped,” Delano said. “Although phishing campaigns are getting more sophisticated as well. It used to be pretty easy to spot one now. Now it's a lot more difficult.”
‘You can’t do nothing’
Health care leaders need to be engaged in helping their systems improve their cybersecurity, Delano said.
“You can't make excuses,” he said. “You can't do nothing. So, start talking to your board, if you're not talking to your board, about the challenges, about the concerns. Make sure that your executives are aware of the challenges, aware of the threats. D
on't sit on the sidelines.”
Ransomware attacks continue to frustrate hospitals and health systems. In a recent survey of health IT professionals by the Ponemon Institute, nearly half (47%) said their organizations experienced a ransomware attack in the past two years. More IT professionals are saying the attacks led to complications in patient care, with 45% reporting complications from medical procedures due to ransomware attacks, up from 36% in 2021
Regal Medical Group, based in California, said last week that a ransomware cyberattack exposed patient information. More than 3 million people could have been affected, according to a database of breaches kept by the U.S. Department of Health & Human Services.
Delano said he was encouraged by the recent success of the FBI in disrupting the Hive ransomware gang, which has targeted hospitals and health systems. The Justice Department said last month that the FBI managed to penetrate Hive’s systems and thwart up to $130 million in ransom demands.
“Certainly a small health care organization’s not going to have the resources to combat that,” Delano said. “So getting the DOJ or the FBI involved, and helping to kind of work some of these gangs or criminal activity that's happening out there, is a benefit to everyone.”