As health systems and hospitals are under unprecedented stress from the COVID-19 pandemic, their IT departments also are facing critical skills and staffing shortages as they battle unrelenting cyberattacks.
Cybersecurity breaches hit an all-time high in 2021, exposing a record amount of patients' protected health information (PHI), according to a report from cybersecurity company Critical Insight.
In 2021, 45 million individuals were affected by healthcare attacks, up from 34 million in 2020. That number has tripled in just three years, growing from 14 million in 2018, according to the report, which analyzes breach data reported to the U.S. Department of Health and Human Services (HHS) by healthcare organizations.
The total number of individuals affected increased 32% over 2020, while the total number of breaches rose only 2.4%, from 663 in 2020 to 679 in 2021 (still a historic high). More records are therefore being exposed per breach each year.
“Whether the attack vector is ransomware, credential harvesting or stealing devices, the healthcare industry is a prime target for attackers to monetize PHI and sell on the Dark Web or hold an entity ransom unable to deliver patient care,” said John Delano, healthcare cybersecurity strategist at Critical Insight and vice president at Christus Health, in a statement.
“As we continue into 2022, healthcare organizations need to be on guard not only of their cybersecurity posture but also of third party vendors that have access to data and networks. We are seeing more awareness and proactive approaches to cybersecurity within this sector, but there is still a long way to go.”
The silver lining is that the number of reported breaches and the number of individuals affected declined slightly over the second half of 2021 compared with the first half of the year.
However, it's too soon to tell whether that modest improvement represents the beginning of a longer trend in the right direction, according to the report's authors.
"The results could indicate that security teams have done a good job shoring up their defenses, either internally or through partnerships with managed security providers, in response to the surge in attacks that occurred in 2020, when cyber-criminals ramped up their efforts to take advantage of vulnerabilities that were exposed during the early, chaotic days of the pandemic," the authors wrote.
Attacks against health plans jumped nearly 35% from 2020 to 2021. And attacks against business associates, or third-party vendors, increased nearly 18% from 2020 to 2021.
Cyberattacks against providers, where most breaches are historically reported, actually declined slightly after peaking in 2020. Last year, 493 providers reported a data breach, down by about 4% from 515 in 2020.
Hacking/IT incidents continue to be the most common cause of breaches, rising 10% in 2021. Hacking was also responsible for the vast majority of individual records affected by breaches, which means those records were likely sold on the dark web, according to the report.
The HHS data also show an uptick in hacking incidents at outpatient/specialty clinics, which saw a 41% increase in these types of breaches in 2021 compared with 2020.
Healthcare IT departments continue to be stretched thin dealing with pandemic-related crises, which may lead to routine security measures falling by the wayside, breaches going undetected for weeks and efforts to validate the security measures undertaken by affiliates and third parties falling short, the report authors wrote.
"This is no time for security teams at healthcare organizations to let their guard down. Attackers are aiming at bigger targets. Exploits, particularly ransomware, are becoming more sophisticated. And cybercriminals are expanding their activities to take advantage of security vulnerabilities across the healthcare supply chain, from business partners to health plans to outpatient facilities," the authors wrote.
To shore up their defenses, healthcare organizations need to establish a comprehensive risk management program and should classify their business associates by level of risk based on the type of data third parties are able to access, according to the report.
Other steps organizations can take include establishing procedures and processes to vet third parties before granting them access to data, emphasizing security in any business agreement with third parties and working with cybersecurity companies for managed intrusion detection and response services.