The numbers are not getting better for healthcare systems trying to keep patient data out of hackers’ hands. Healthcare data breaches went up 36% in the second half of 2020, according to a new analysis from CI Security. In the second half of the year, more than 21.3 million records were breached, an increase of 177% from nearly 7.7 million records breached in the first half of 2020.
The 2020 Healthcare Data Breach Report found that criminals worked all angles of the healthcare system, attacking life science and research labs, rehabilitation facilities, hospital systems, and healthcare organizations.
Hospitals prioritized patient care in the rush to respond to the intense demands of the COVID-19 pandemic, sometimes at the expense of cybersecurity, according to the report. The report found that the shift to remote work, employee churn, new sites of care, and new vendor agreements all expanded both security risks and the overall attack surface. For example, health systems opened up drive-through COVID-19 testing sites early on, and now the organizations are using sports stadiums and other public spaces to deliver vaccines. These new settings create new attack opportunities for cybercriminals, according to the report.
Healthcare companies also use SolarWinds software, which opens them up to the same security risks faced by Fortune 500 companies, the US military, government agencies, and universities affected by the attack on the company and its clients in 2020. The report notes that the frequency of daily ransomware attacks increased 50% during the third quarter of 2020 as compared with the first half of the year.
CI Security analysts also found that cybercriminals are now targeting third-party business associates who provide billing or insurance reimbursement services to healthcare organizations. The report authors said business associates made up 75% of all the records exposed in 2020. Also, 97% of the data breaches in the second half of the year were due to malicious hacking events, not unauthorized disclosure, theft, or loss.
How hospitals can improve data security
The report recommends that health systems use identity and access management systems to make it easier to control and monitor employee access to data. This approach can help manage the churn in staffing that hospitals have experienced over the last 12 months: hospitals brought on contract nurses and other staff to support surge operations while furloughing other employees due to financial constraints, according to the report.
Healthcare systems also should review telehealth agreements to make sure these documents define “where data is stored, how it is protected, and who is responsible for each step in telehealth information management workflow.”
Finally, it’s a good idea to review every existing contractual agreement with business associates to examine how financial and other liabilities are addressed. The report authors suggest that healthcare organizations “push hard for language that spells out your need to gain insight into their cybersecurity processes and procedures, including certifications, risk mitigation, and incident response plans.”
CI Security recommends healthcare organizations take these steps to protect sensitive data:
- Conduct regular security assessments and penetration tests
- Implement intrusion detection and response capabilities
- Create a strong incident response plan
To compile this report, CI Security analysts reviewed data from the US Department of Health and Human Services Office for Civil Rights Breach Portal on Jan. 11, 2021. The analysis covered data from the last 24 months and organized the information into four six-month periods:
- First half of 2019 (2019 H1)
- Second half of 2019 (2019 H2)
- First half of 2020 (2020 H1)
- Second half of 2020 (2020 H2)