Cyberattackers are turning their attention to smaller hospital systems and specialty clinics.
While larger providers and payers hold the most data, smaller ones are less prepared, with fewer security staff and smaller budgets for sophisticated defenses, according to cybersecurity firm Critical Insight in its H1 2022 Healthcare Data Breach Report.
And while the total number of breaches is declining, the firm found that not only the targets but also the types of attacks are changing. One of the largest breaches in the first half of 2022 was the Eye Care Leaders EMR breach, which exposed more than two million records.
EMR-related breaches rose from 0% of reported breaches in the first half of 2020 to nearly 8% in H1 2022, and the firm expects them to become more common. Breaches involving network servers, meanwhile, fell from 67% in the first half of 2021 to 57% in the first half of 2022.
“This is an intentional shift in strategy on the part of the criminal enterprise. EMR systems and especially service providers are targeted as they have more records, and generally more complete records,” Mike Hamilton, CISO and co-founder of Critical Insight, told HCB News. “For example, the latest EMR attack against Eye Care Leaders compromised the records of more than a dozen individual practices. Viewed from the criminal perspective this introduces efficiency, increases revenue, and reduces risk.”
Healthcare providers made up 73% of breach targets, business associates 15%, and health plans 12%. Breaches attributed to providers fell from 269 in H1 2021 to 238 in H1 2022, although attacks against them still rose 15%. Breaches at health plans dropped by 53%, while breaches at business associates rose 10%.
Total breaches are slowly declining: 324 in H1 2022, compared with 367 in H1 2021 and 393 in H1 2020. The report attributes this to providers no longer being distracted by the pandemic, which had made their operations easier to breach.
The number of individuals affected also dropped, by 10% from the previous six months and by 28% from H1 2021, to roughly 20 million in H1 2022. This is the third consecutive quarter of declining numbers.
Critical Insight anticipates these trends will continue throughout 2022, with attackers mainly targeting smaller providers because of their weaker security controls and because smaller targets draw less media attention and less escalation by law enforcement.
“Since most compromises start with user action, definitely educate users but also institute a policy of personal use on personal devices only, and review which users actually need external e-mail,” advises Hamilton. “By doing this the ‘attack surface’ is reduced by about 40% (per measurements taken while CISO at the City of Seattle and later verified by other research).”
The study was based on breaches reported to the U.S. Department of Health and Human Services by healthcare providers, health plans and their business associates.