Between ransomware and vendor-related security incidents, the health care sector has already reported some of the largest data breaches seen in recent history: the majority of the 10 largest breaches affected over 1 million patients each. A new Critical Insight report shows just how attackers are getting in and offers recommendations for better defending the health care environment.
What's more, outpatient facilities and specialty clinics were compromised at nearly the same rate as hospitals during the first half of 2021, which serves as a reminder that everyone in health care is a target.
“While it may be tempting to think that clinics do not require the same level of cybersecurity diligence as large healthcare systems, that idea is mistaken. Attackers look for the easiest target,” researchers wrote. “Smaller organizations run the same systems and use the same technology as hospital systems, making them potentially just as vulnerable.”
Critical Insight analyzed incidents reported to the Department of Health and Human Services and found that breaches have more than doubled compared with those reported in 2018. Incidents tied to hacking and IT have more than tripled since 2018, accounting for more than 70% of the reported breaches.
Researchers expect these numbers to continue to climb as the year progresses.
Although the number of breaches reported to HHS so far in 2021 was lower than the number reported at the end of 2020, researchers stressed that this is nothing to celebrate. After a relatively quiet start to 2020, there was a large spike in breaches reported to HHS at the end of the year that stemmed from the single Blackbaud incident.
The number of breaches reported to HHS in 2021 is still significantly higher than the first half of any year since 2018, which has been driven by the spike in cyberattacks.
In addition, the number of incidents reported to HHS during the first half of the year was about 77% higher than the rate seen during the same period in 2018, which researchers attributed to the rise in hacking or IT incidents.
Overall, providers and business associates reported 235 breaches to HHS so far this year, or three times the amount seen in 2018.
The primary causes of these incidents are phishing, ransomware, and vulnerability exploits. For example, the FBI warned that the Conti hacking group had infected more than 290 global health care victims in the last year, through malicious links and attachments or stolen remote desktop protocol (RDP) credentials. The group is one of the most prevalent threat actors in health care attacks.
Of the breaches reported to HHS, business associates, i.e. third-party vendors, were responsible for 52% of incidents for the third straight year. Data show that 141 breaches involving business associates were reported to HHS in the first six months of 2021. In comparison, just 66 were reported to HHS in the last half of 2019.
In short, the “proportion of business associates impacted by hacking-related breaches has increased with time.” The SC Media roundup of the largest breaches during the first half of the year also showed vendors were the prime culprits, which included Accellion, Florida Healthy Kids, CaptureRx, Netgain, Personal Touch Holding, and a host of others.
The cause of the incidents varied by vendor, from misconfigurations to ransomware.
The incidents show “attackers are paying more attention to this ecosystem of vendors as a vulnerable link in the cybersecurity chain,” researchers added. “As the digitization of healthcare records continues, organizations will need to layer cybersecurity best practices on top of an identity-centric security strategy to protect a growing attack surface.”
Best practice security recommendations
Researchers explained that the challenge will be managing vendor security and holding vendors accountable through the business associate agreement, as required by the Health Insurance Portability and Accountability Act (HIPAA).
As threat actors continue to target and exploit the health care sector with ease, providers must adopt a more proactive stance to better defend the enterprise network. But the reliance on remote technologies, disparate systems, and legacy tech, alongside staffing shortages, means that providers must first better understand their risk posture and prioritize accordingly.
For Critical Insight, the biggest priority area should be to assess third-party vendor risk, by classifying business associates according to their risk level based on the type of data they’re allowed to access on the health care network.
To better support vendor management, providers should also establish measures, or review current procedures, to ensure there is a clear line of ownership around vetting third parties. Once these priorities are established, the security leader can assess and inventory vendors accordingly, then review the vendors with the highest risk scores and remediate issues.
As part of this process, business associate agreements should also be reviewed. Portions of BAAs are negotiable, and providers should fully detail all requirements for patient data, including what the vendor can or can’t do with protected health information.
Access controls are also crucial to defending against attacks like ransomware, since they can better prevent an attack from proliferating across the network through connected devices once a foothold is established.
Both vendors and providers should prioritize multi-factor authentication wherever possible. All identity and access management policies should be grounded in the principle of least privilege, with administrators enforcing strict access controls. These measures are crucial for the increasingly remote workforce and hybrid environments.
“Careful attention should be taken toward user provisioning and deprovisioning, password management, and the use of data encryption where appropriate,” researchers added. “Employees should be trained to be cautious and treat emailed links with suspicion. Beyond this human firewall should be a layer of security provided by a combination of endpoint and network security solutions.”
Providers can also review previous insights from Microsoft that detail the specific measures needed to defend against preventable human-operated ransomware attacks.