With New Attack Vectors, Healthcare Data Breaches Continued to Soar in 2020

Feb. 17, 2021
Two independent reports have found that the number of public data breaches continues to rise, as the pandemic has created new attack vectors for cybercriminals.

The number of tracked healthcare data breaches continues to rise, with malicious hacking incidents ranking as by far the most common type, according to two separate, recently released cybersecurity reports.

The two reports—one from CI Security and the other from cloud cybersecurity company Bitglass—review data from the U.S. Department of Health and Human Services' “Wall of Shame” to gauge the severity of each year’s breaches. Some of the key findings, compiled across both reports, include:

  • The count of healthcare breaches tracked by Bitglass reached 599 in 2020, compared to 386 in 2019, or an increase of 55 percent. CI Security’s report revealed a similar total and also found that the total number of reported breaches among healthcare organizations increased from 270 in the first half of 2020 to 366 in the second half of the year, or a 36 percent increase.
  • The number of individual patient records that were breached in the second half of 2020 nearly tripled compared to the first half of the year, according to CI Security.
  • Of the 21.3 million records breached in the second half of 2020, 97 percent were attributed to malicious hacking incidents, rather than other causes such as unauthorized disclosure, improper disposal, theft, or loss, the CI Security report noted.
  • Bitglass’ report found that in 2020, hacking and IT incidents led to 67 percent of all healthcare breaches—more than three times that of the next highest category, which was loss or theft. Additionally, it revealed that breaches caused by hacking and IT incidents exposed 91.2 percent of all breached records in healthcare in 2020—24.1 million out of 26.4 million. Each year since 2015, hacking and IT incidents have been exposing more records than any other breach type.
  • The cost per breached record has also increased, rising from $429 to $499 this year, representing a 16 percent increase, Bitglass reported. On average, they found, healthcare firms take the longest to identify breaches, at about 96 days, and take the longest to recover from them, at about 236 days.
  • Nearly 75 percent of all records breached were tied to business associates and other third parties, rather than the healthcare providers, health plans or healthcare clearinghouses. That’s up from 46 percent in the first half of 2020, CI Security reported.
  • The frequency of daily ransomware attacks increased 50 percent during the third quarter of 2020, compared to the first half of the year. And healthcare organizations were the number one target of ransomware exploits, according to CI Security, referencing an earlier report from Check Point Research.

The COVID-19 impact

As analysts at CI Security said, “The pressure to modify existing operations and to create exceptions to sound security practices in support of a rapidly changing mission has created new attack vectors for cybercriminals.”

They specifically noted a few core drivers for this: more employees than ever are working from home and as many as six in 10 are using personal devices to conduct company business; employee churn is creating issues with security training, particularly as previously retired or temporary clinicians are brought in to support surge operations; and while telemedicine use has declined somewhat since the early days of the pandemic, many healthcare organizations are still struggling to implement digital health initiatives in a secure manner, particularly when it comes to working with new clinical technology partners as part of new healthcare delivery models.

The sharp rise in the number of reported breaches over the past six-month period was not unexpected, according to CI Security leaders. In fact, the firm predicted this significant upturn in its 2020 H1 Breach Report, where they described concerns over the fact that the number of reported breaches unexpectedly dropped in the first half of 2020 (compared to the second half of 2019) as the pandemic wreaked havoc on the healthcare system.

The most likely explanation, they said, was that “healthcare providers were so consumed by the sudden onset of the pandemic, and so busy asking for exceptions to their standard security plans in order to respond to rapidly changing COVID-related conditions, they didn’t report breaches in a timely manner; or that they were breached, but didn’t know it yet.”

For example, they noted, in two highly publicized breaches—University of Vermont Medicine and Blackbaud—attackers infiltrated each organization during the first half of 2020, but the breaches were not discovered and reported until later in the year.

The CI Security report continued, “Even more alarming, however, is the apparent shift in tactics among cybercriminals, who have evolved their methods to attack the soft underbelly of healthcare networks – third party business associates who provide services such as billing or insurance reimbursement. Or, in the case of Blackbaud, criminals went after fundraising software that stores donor information in the cloud.” As such, the firm’s analysis indicates that the decline in breach reports in the first half of 2020 “represents an aberration. The long-term trend lines point to an increase in breaches into 2021 and beyond.”
