Cyberattacks Against Health Plans, Business Associates Increase

Cyberattacks against health plans and business associates increased significantly last year, a Critical Insight report found.

By Jill McKeon

Cyberattacks targeted at health plans and third-party business associates increased last year, while attacks against healthcare providers dipped slightly, a report by Critical Insight discovered.

Researchers analyzed 2021 data from the Office for Civil Rights (OCR) data breach portal and compared it to years past. The report revealed that health plan cyberattacks increased by 35 percent from 2020 to 2021, and attacks against third-party business associates increased by 18 percent.

Interestingly, cyberattacks aimed at healthcare providers declined by approximately 4 percent. Although the decrease is not extreme, it shows that cybercriminals are adapting their tactics and targets as organizations continue to implement safeguards against common exploitation techniques.

About 45 million individuals were impacted by healthcare data breaches in 2021, which is triple the number of individuals impacted just 3 years ago. About 34 million people were victims of healthcare data breaches in 2020, the report explained.

Hacking/IT incidents remain the most common breach type, compared to unauthorized access/disclosure, theft, and loss.

Hacking incidents targeted at outpatient facilities and specialty clinics increased by 41 percent in 2021 compared to 2020, the analysis revealed. This finding validated previous reports showing that cybercriminals were shifting their targets away from major hospitals and towards outpatient facilities.

Recently, a healthcare cyberattack impacted 57,000 individuals at a Florida dermatology practice. A Virginia surgical clinic began notifying over 170,000 people of a healthcare cyberattack. On the business associate side, a Connecticut CPA firm recently found itself the victim of a cyberattack that potentially exposed the personal information of over 6,000 individuals.

“Whether the attack vector is ransomware, credential harvesting or stealing devices, the healthcare industry is a prime target for attackers to monetize PHI and sell on the Dark Web or hold an entity ransom unable to deliver patient care,” John Delano, healthcare cybersecurity strategist at Critical Insight and vice president at Christus Health, explained in an accompanying press release.

“As we continue into 2022, healthcare organizations need to be on guard not only of their cybersecurity posture but also of third-party vendors that have access to data and networks. We are seeing more awareness and proactive approaches to cybersecurity within this sector, but there is still a long way to go.”

The data shows that while cybersecurity awareness may be increasing, cybercriminals are finding better and faster ways to deploy ransomware and achieve the same results. As the number of cyberattacks and impacted individuals continues to increase, the healthcare sector will likely be forced to face unfortunate consequences.

At a recent WEDI Spotlight conference, chief strategist of the Cybersecurity and Infrastructure Security Agency’s (CISA) COVID task force Joshua Corman urged the healthcare sector to come to terms with the harsh realities of healthcare cyberattacks.

“In the last 12 to 18 months, we've had successful electronic attacks of the water we drink, the food we put on our table, and the oil and gas that fuels our cars and our homes. The timely availability of patient care, the schools our children go to, the municipalities who run our towns and our cities, and even federal agencies have been the victims of state-sponsored and criminal attacks,” Corman said during his presentation.

“Things are on fire, and we're going to need a resilient workforce to deal with these shocks on all fronts.”

To combat the mounting cybersecurity risks, Critical Insight researchers recommended that healthcare organizations create a comprehensive risk management program, establish procedures for vetting third-party business associates, and constantly stand guard against network intrusions.