Nearly 50 million Americans impacted by health data breaches in … – Chief Healthcare Executive

The number of breaches dipped in the second half of the year, but the number of people affected rose sharply, according to a new report.
Nearly 50 million Americans were affected by data breaches involving health records in 2022.
That’s the disturbing figure from a new analysis released Wednesday by Critical Insight, a cybersecurity company.
The number of breaches actually dropped in the second half of 2022, the report found. There were 313 breaches from July through December, down from 345 in the first half of the year, a 9% decline.
However, even as the number of breaches dropped, more individuals were affected by those breaches in the latter part of the year.
There were 28.5 million Americans affected by breaches in the second half of 2022, compared to 21.1 million during the first six months of the year, which represents a 35% increase. In the last six months of the year, the average health data breach affected more than 91,000 individuals.
Health systems still have a lot of work to do to protect patient records from cyberattacks, said John Delano, a co-author of the report and the vice president of ministry and support services at CHRISTUS Health.
“We feel like we've made some progress, because overall, the breach numbers are down,” he said. “But realistically, when you look at it, the number of records affected are up. And so that, to me, is the bigger problem.”
There were 658 breaches in 2022, down from 711 in 2021. The report found that 49.6 million Americans were affected by breaches in 2022, which actually represents a drop from 53.4 million in 2021.
Still, the impact of breaches has grown substantially in recent years. In 2020, 34.4 million Americans saw private information exposed in breaches. There were 662 breaches in 2020, which is virtually the same number as in 2022, but last year’s attacks and breaches affected 15 million more people.
More sophisticated attacks
Attackers are starting to shift some of their efforts to gain access to health records. While criminals are targeting hospitals and healthcare providers, they are also gaining access by going after the other businesses health systems rely on every day, including third-party vendors, accounting, billing and lawyers.
In the second half of the year, more records were exposed due to breaches occurring at business associates (48%) than at healthcare providers (47%).
Over the course of 2022, 71% of all health data breaches occurred in healthcare providers, while 17% of breaches were linked to business associates, and 12% of breaches came from health plans, according to the report.
Delano said healthcare organizations are paying more attention to the security of data being handled by third-party vendors and other business associates, and they are spelling out legal requirements to protect that patient information. But it’s a difficult task.
“It's hard for organizations, because we deal with a lot of third parties, we deal with a lot of business associates, and having the bandwidth to be able to periodically check in on them and make sure that they're treating your data the way you would treat it, becomes very difficult. And that's hard to maintain,” Delano said.
Attackers did their most damage by obtaining records from network servers, according to the report.
“Network servers were the jackpot for hackers,” accounting for 90% of the records that were breached, according to the report.
Attackers are apparently finding more success in gaining access to electronic medical records, the report states. While breaches involving electronic medical records were nonexistent in the past, the report said 7% of breaches involved EMRs in the first half of the year, and 4% of breaches in the last six months of 2022. For the year, 6 million patient records were exposed due to EMR-related breaches, according to the report.
“When you've got a database of records that could span 10 or 15 years, you're going to have a lot of patients that are impacted,” Delano said.
Some breaches are becoming more damaging because attackers are getting more sophisticated.
In the past, health systems built defenses against “script kiddies, people that just kind of Googled how to hack something, and they're looking for commonly known vulnerabilities, but they don't really know what they're doing,” Delano said.
Now, Delano said, “They're more sophisticated. And so, that is becoming a challenge, because it used to just be that you had to protect from some common known stuff, and now people are actually doing real hacking.”
Among the larger breaches of the year, CommonSpirit Health suffered a ransomware attack that impacted 600,000 patient records, the report noted. The system took its electronic medical records offline and had to reschedule some patient appointments.
Health systems still continue to see breaches occurring through email. In the second half of 2022, 20% of breaches occurred via email, which was down from 30% in the first half of the year.
“A lot of organizations do phishing campaigns, and I think that's helped,” Delano said. “Although phishing campaigns are getting more sophisticated as well. It used to be pretty easy to spot one now. Now it's a lot more difficult.”
‘You can’t do nothing’
Healthcare leaders need to be engaged in helping their systems improve their cybersecurity, Delano said.
“You can't make excuses,” he said. “You can't do nothing. So, start talking to your board, if you're not talking to your board, about the challenges, about the concerns. Make sure that your executives are aware of the challenges, aware of the threats. And, you know, don't sit on the sidelines.”
Ransomware attacks continue to frustrate hospitals and health systems. In a recent survey of healthcare IT professionals by the Ponemon Institute, nearly half (47%) said their organizations experienced a ransomware attack in the past two years. More IT professionals are saying the attacks led to complications in patient care, with 45% reporting complications from medical procedures due to ransomware attacks, up from 36% in 2021.
Regal Medical Group, based in California, said last week that a ransomware cyberattack exposed patient information. More than 3 million people could have been affected, according to a database of breaches kept by the U.S. Department of Health & Human Services.
Delano said he was encouraged by the recent success of the FBI in disrupting the Hive ransomware gang, which has targeted hospitals and health systems. The Justice Department said last month that the FBI managed to penetrate Hive’s systems and thwart up to $130 million in ransom demands.
“Certainly a small healthcare organization’s not going to have the resources to combat that,” Delano said. “So getting the DOJ or the FBI involved, and helping to kind of work some of these gangs or criminal activity that's happening out there, is a benefit to everyone.”
