Critical Insight reports drop in breach numbers, increase in records affected, while hacking remains high in healthcare

Data released by Critical Insight shows that the number of data breaches affecting healthcare providers declined in the second half of 2022, consistent with a downward trend over the past two years, though a closer look at the data reveals that current breach totals are still higher than pre-pandemic levels. Additionally, breaches are affecting more individuals, and hackers are shifting tactics to attack weak links in the healthcare supply chain, most notably EHR (electronic health record) systems.

In short, Critical Insight's data found that breach numbers are down, records affected are up, and hacking remains the dominant cause.

“Total breaches dropped 9% between the first six months of 2022 and the second half of the year,” Critical Insight identified in its report titled ‘Healthcare breach report 2022, H2’. “Breaches have been declining since a high-water mark at the height of the pandemic; from 393 breaches in the second half of 2020 to 313 in the latest reporting period.” 

On an annual basis, breaches for 2022 totaled 658, which is seven percent lower than the 711 from 2021 and lower than in 2020, when there were 662 reported breaches, Critical Insight reported. “Still, current breach numbers remain higher than pre-pandemic levels – there were only 506 reported breaches in 2019. While the total number of breaches declined over the latest reporting period, the number of individuals affected jumped sharply, from 21.1 million records to 28.5 million records, a 35% increase.”

Since the total number of breaches fell in the second half of 2022 while the total number of individuals affected rose, the number of individuals affected per breach also soared, Critical Insight notes. “In the second half of 2022, 91,028 individuals were affected per breach, compared to only 61,246 in the first half of 2022.”

As the healthcare industry continues to face a rapidly evolving threat landscape, it’s crucial for organizations to stay ahead of the curve and stay prepared, John Delano, healthcare cybersecurity strategist at Critical Insight and vice president at CHRISTUS Health, said in a media statement. “Our latest H2 2022 Healthcare Breach Report highlights the shifting tactics of attackers, who are now targeting smaller entities with weaker cyber defenses.”

Critical Insight disclosed that the number of individual records exposed by breaches skyrocketed by 35 percent in the second half of 2022 to hit 28 million. “In other words, fewer breaches, but larger breaches, reflecting consolidation within the industry and the evolving tactics of attackers.”

The vast majority of data breaches are due to hacking, the report identifies. “Healthcare organizations have done a relatively good job shoring up their policies around the proper handling and storage of medical records. Hacking accounted for 79% of all incidents and 84% of individual records exposed in 2022.”

Critical Insight said that attackers continue to target hospitals but have found increasing success against business associates and third-party vendors, such as electronic medical record providers, lawyers, accountants, billing companies, and medical device manufacturers.

“In the second half of 2022, more records were exposed due to breaches at business associates (48%) than actual healthcare providers (47%),” the report said. “Attacks against EMR systems, which were non-existent in past years, spiked to 7% in the first half of 2022 and 4% in the second half of 2022.”

Critical Insight reported that since 2019, the percentage of breaches at healthcare providers has slowly declined, from 81 percent in the second half of 2020 to 72 percent in the second half of 2021 to 69 percent in the second half of 2022. “At the same time, the percentage of breaches associated with business associates has trended upward, from 9% in the second half of 2020 to 13% in the second half of 2021 to 19% in the second half of 2022.”

Looking at full-year numbers, breaches at healthcare providers declined from 78 percent in 2020 to 72 percent in 2021 to 71 percent in 2022, the report revealed. “Conversely, the percentage of breaches linked to business associates increased from 11% in 2020 to 13% in 2021 to 17% in 2022.”

The reporting system distinguishes between direct attacks against business associates and attacks in which the hackers eventually hit a healthcare provider but used a business associate as the initial entry point. This evolving tactic presents a challenge for frontline healthcare organizations, which can be compromised through a vendor's weaknesses rather than their own.

“Looking specifically at the subset of breaches linked to hacking, the number of hacking/IT incidents dropped from 278 in the first half of 2022 to 244 in the second half of the year,” Critical Insight said. “Healthcare providers accounted for 70% of all hacking incidents in the second half of 2022, followed by business associates at 19% and health plans at 11%.”

The report said that defending against cyberattacks requires an understanding of how records are being exposed. “Servers were linked to 71% of incidents in the second half of 2022, up from 58% in the first half of 2022. Email was listed in 20% of incidents in the second half of 2022, down from 30% in the first half of 2022. Breaches linked to the hacking of Electronic Medical Record (EMR) systems were negligible prior to this year, when they spiked to 7% in the first half of 2022 and 4% in the second half of the year,” it added. 

For the full year 2022, EMR-related breaches accounted for 6 million individual records exposed or 8% of all individual records exposed in the first half of 2022 and 7% in the second half of the year, the Critical Insight report added. “Network servers were the jackpot for hackers, accounting for 90% of individual records breaches, followed by email at 6%, EMR at 3%,” it added.

Critical Insight assesses that healthcare organizations must now focus on prevention, detection, and incident response. Organizations that want to strengthen their cybersecurity posture can do so by developing internal capabilities or by partnering with a provider that offers skilled cybersecurity personnel and services. Healthcare organizations must safeguard themselves and also make sure that all suppliers, associates, and third-party vendors connected to their networks adhere to good security practices.

Last month, the Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health and Human Services (HHS) reported that several cyber threats targeting the healthcare and public health sector continued well into the fourth quarter of last year. The HC3 bulletin also highlights some of the alerts, briefs, and other guidance on vulnerabilities, threat groups, and technical data of interest to the health sector and public health community during the reporting period.

The HC3 also issued an analyst note covering Distributed Denial of Service (DDoS) attacks, which can cut healthcare organizations and facilities off from vital resources and thereby degrade their ability to provide care.

According to the HC3 note, hackers favor DDoS attacks because they are cost-effective and require relatively few resources and little technical skill, since the attacker does not have to install any code on a victim’s server. “Moreover, DDoS attacks are getting more sophisticated and complex while getting easier and cheaper to perpetrate as cybercriminals take advantage of the sheer number of insecure internet-connected devices.”
