Only seven months into 2021 and more than 22.8 million people have fallen victim to healthcare data breaches.
This is a 185% increase from the same time last year, when just 7.9 million patients were affected. In addition, the number of breaches reported to the HHS increased 27% year-over-year during the first six months of 2021, with providers experiencing the most breaches of all healthcare entities at 73%, according to a new report by Fortified Health Security.
“Educating the workforce on current phishing schemes to spot a phishing email and ensuring appropriate email security technical controls are in place are two of the biggest vulnerabilities in the healthcare ecosystem today. Unfortunately, email phishing threats have been at or near the top of the list for quite some time, and there isn’t any indication of the trend reversing itself in the near future. Healthcare organizations often overlook third party risk because managing business associates’ risk profiles and driving the information security maturity of these entities is a resource-intensive endeavor,” Fortified Health Security COO William Crank told HCB News.
Cyberattacks made up 73% of these incidents for the third year in a row and were the number one cause of breaches for the fifth consecutive year. Unauthorized access or disclosure was responsible 22% of the time. Smaller thefts, losses or improper disposals made up the other 5%. The cost of damages worldwide is predicted to be $6 trillion this year and reach $10.5 trillion by 2025, a 75% increase.
Health plans were hit with 16% of all breaches, and 11% were among business associates. Nine out of ten U.S. organizations suffered a breach this past year due to weaknesses in their supply chain. The pandemic also contributed, as healthcare organizations switched to remote settings. This shift likewise increased the attack surface, including through the movement of private records and data from outside of hospitals.
What doesn’t help, say the authors of the report, is the fact that healthcare organizations have hundreds of electronic entry points in their data networks, from EHRs, radiology and lab systems, to admission, discharge and transfer systems, to supply chain ordering and internet-enabled medical devices.
The report recommends the adoption of security tools for early detection, and that organizations understand how their devices and systems communicate in order to identify potential security gaps. It also encourages the use of automated tools, development of incident response plans, employee security training and education, risk assessments, and limiting user access to only the areas necessary for job function. Those who are financially strained can look into outsourced cybersecurity monitoring and remediation efforts. Cyber insurance is an option as well, but it can be expensive, as rates have skyrocketed due to rising ransomware attacks. Some insurers have increased the cost of deductibles and limited the types of entities they will cover, according to the report.
“Instead of focusing on just a few specific vulnerabilities, healthcare providers should be looking at the whole picture to develop a cybersecurity maturity roadmap that is often reviewed against the ever-changing threat landscape,” said Crank.