When my colleague John Lynn sent the following report over to me, he seemed quite taken aback by the results, calling the number of organizations reporting a large breach “crazy.” After a year like 2021, it’s hard to argue with his assessment. The volume and ferocity of cybersecurity attacks on healthcare organizations have been brutal.
The top-line finding of Fortified Health Security’s 2022 Horizon Report was that in 2021, over 700 healthcare organizations reported a breach of 500 or more patient records to the HHS Office for Civil Rights. Yes, you read that right. That’s almost double the number of attacks reported five years earlier.
Attacks on healthcare providers accounted for the overwhelming number of breaches, making up 72% of all incidents. Just 15% of breaches were reported by health plans and 13% by business associates. (A tiny fraction of breaches were reported by healthcare clearinghouses.)
Taken together, these breaches affected 45 million patients in the US, up from 34 million in 2020. This was the highest number of individuals affected in a single year, other than in 2015 when Anthem Inc. and Premera Blue Cross saw breaches that affected 9 million individuals.
Healthcare organizations remained the number one target for ransomware attacks across industries, increasing 300% over the previous year. The top types of healthcare cyberattacks reported included hacking attacks, unauthorized access, theft, loss and improper disposal of data. Last year, network server attacks accounted for 53% of all incidents, compared with email attacks at 27% of the total.
Why are healthcare organizations so vulnerable? In this study, more than half of IT professionals said they were worried about building system technologies and electrical devices being used as entry points, followed by imaging devices, equipment that dispenses medications, check-in kiosks and systems that monitor vital signs.
To address this disastrous increase in security incidents, Fortified Health Security argues, health IT leaders should move in the direction of zero-trust models.
The report’s authors admit that zero trust strategies aren’t a favorite of health IT administrators, especially in areas where providers might need quick access to patient data in life-and-death situations. On the other hand, they suggest, creating a tightly woven identity and access management strategy can be a step in the right direction.
They note that according to a recent survey, three-quarters of breaches can be attributed to unauthorized access traced to granting too much privileged access to third parties.
The report suggests that multifactor authentication and micro-segmentation initiatives could prove to be a good middle ground between a wide-open network and the zero trust model, and that one way to move in this direction would be to create a virtual local network to compartmentalize key machines or departments.
That being said, there probably isn’t time to prevent 2022 from being another terrible year for cybersecurity. In fact, Fortified Health expects the number of breaches to rise even further this year, and the attacks to be more severe. It also won’t help that demand for cybersecurity staffers remains high and supply relatively low. (For 2022 cybersecurity predictions submitted by readers of this site, read this article.)
All told, looks like healthcare exposure to cybersecurity breaches is about as high as we’re likely to get. Let’s hope that this year we at least begin to turn the corner toward more manageable numbers.
