Healthcare data breaches are not only on the rise, but they are also spreading like a virus from hospitals to smaller provider facilities.
Healthcare breaches have nearly doubled since 2018 and continued to climb through the first half of 2021, according to a report by Critical Insight, a Seattle-based healthcare-focused cybersecurity firm.
The neighborhood family clinic down the street is no longer safe.
And those breaches, mostly hacking/IT security incidents, can affect millions of healthcare records.
Tallahassee-based Florida Healthy Kids Corp. health plan revealed this year that it had been hacked over a seven-year period, affecting 3.5 million patient records. Exposed information included Social Security numbers, dates of birth, names, addresses and financial information.
“Our fears are confirmed that breaches are rising and still continue to trend upward,” Vivian Zhou, Critical Insight healthcare program manager, told Fierce Healthcare.
The hacking, she said, “is like the slope of a mountain.”
“I was shocked that the amount of outpatient and clinic system hacking incidents were the same if not more in terms of the number of breaches as hospital hacking,” Zhou said.
The report shows that there were 43 breaches of hospitals and 74 breaches of outpatient, specialty clinics in the first half of 2021.
A key gateway for these hackers is business associates of healthcare providers, John Delano, Critical Insight healthcare strategist, told Fierce Healthcare.
“It is an avenue or a vector in which organizations have to be diligent around who they allow to have access to their data and ensure that those partners are taking the same steps and the same level of care that the hospital is because they create just as much of a risk of exposure as any other vector,” he said.
In the first half of 2018, there were 44 hacks through business associates. In the first half of 2021, there were 141.
The report found that the number of hacking/IT incidents is up more than three times since 2018 and is on an increasing trajectory. Business associates account for 52% of all healthcare breaches, the continuation of a three-year upward trend.
Behind these attacks, Delano said, are sophisticated groups such as organized crime and foreign nation-states. Those two groups, he said, are driving the increases.
“If you can take out a healthcare system, you can create major disruption, particularly during a time where we are dealing with COVID-19 or any kind of issue like that,” Delano said.
Just this week, Illinois’ largest independent physician group, DuPage Medical Group, alerted patients that it experienced a security breach that could affect 600,000 patients. After an investigation by cyber forensic specialists, the medical group determined patient information may have been reached by “unauthorized actors.”
The FBI issued a new warning to healthcare organizations about Hive ransomware, citing indicators of compromise and recent incidents. The ransomware is actively targeting healthcare systems.
The future doesn’t look particularly bright. Hacking of healthcare systems will continue to rise, Zhou said.
“It’s been many years that we’ve said get a handle on your third-party vendors because that’s going to cause issues,” she said. “I think it’s going to continue to trend upward, especially as we continue to digitize healthcare.”
Healthcare, Delano said, operates on small margins, and most of its software consists of older legacy systems that were written before security was considered and need to be updated.
The fix, he said, includes increased diligence on third-party access and federal government support.
“At some point, we need the government to intervene, certainly when you have nation-state actors that are hacking into organizations in the U.S.,” Delano said. “I think if our government viewed that as terrorism and we actually took a stand against that, potentially because that could cause a loss of life if things were truly bad.”
Healthcare organizations, he said, “are outgunned at the moment and we need some additional help.”
“Key to healthcare security in 2021 is making sure a hospital has the ability to watch for breaches around the clock. The bad guys never sleep. Some hospitals can hire enough staff to watch 24/7 and some need to hire cybersecurity companies to do it for them,” Delano said.