Breach, Data Security, Threat Management

Report: Cyberattacks drive 185% spike in health care data breaches in 2021

More than 22.8 million patients have been impacted by a health care data breach so far in 2021, a whopping 185% increase from the same time period last year where just 7.9 million individuals were affected according to a new report from Fortified Health Security.

Malicious cyberattacks caused the majority of these security incidents, accounting for 73% of all breaches. Unauthorized access or disclosure accounted for another 22%, and the remaining 5% were caused by smaller thefts, losses, or improper disposals.

Further, the number of breaches reported to the Department of Health and Human Services during the first six months of 2021 increased by 27% year-over-year. Health care providers accounted for the most breaches with 73% of the overall tally, compared to health plans with 16% and business associates that accounted for 11%.

“Healthcare organizations have literally hundreds of electronic entry points into their data networks, everything from EHRs, radiology and lab systems, to admission, discharge and transfer systems, to supply chain ordering and internet-enabled medical devices — and any one of these could be the Achilles’ heel exploited by a bad actor,” the report authors wrote.

Fortified Health has released horizon reports for the last four years, and the latest analysis provides an update to its first 2021 report released in January, as well as supportive guidance for health care entities. To compile the new report, researchers analyzed a cross-section of data, expertise, and statistics.

The report sheds light on the increase in critical infrastructure and supply chain attacks, which found more than 9 out of 10 U.S. organizations suffered a breach in the last year due weaknesses in their supply chain.

The pandemic also contributed to some of the continued breach incidents, as many entities rapidly deployed remote environments for non-patient-facing workforce members. Thus, the attack surface has equally expanded, including moving private records and data from outside the walls of the hospitals.

Estimates show cybercrime will cause $6 trillion in global damages this year and is predicted to reach $10.5 trillion, by 2025, a 75% increase.

The data supports a June Avanan report, which confirmed health care has been among the most targeted with phishing attacks during the first half of 2021, alongside the IT and manufacturing industries. The health care sector saw over 6,000 phishing emails out of an average of 451,792 emails.

Avanan compiled the report by analyzing more than 905 million emails over a six-month period, focusing on emails its security tools did not quarantine. The data showed impersonation and credential harvesting attempts remain the leading phishing vectors.

Credential harvesting attempts account for 54% of all phishing attacks, an increase of nearly 15% when compared with data from 2019. Another 20.7% of all phishing attacks were business email compromise attempts, and just 2.2% were attributed to extortion.

A little more than half of all impersonation emails targeted non-executive employees, and Avanan found these workforce members are targeted 77% more often than executives. Avanan researchers predict these attacks will continue to surge throughout the year, with the education and health care sectors the most likely to be the hardest hit.

“Now as the healthcare industry gets some breathing room from the pandemic, another one is surging – cyberattacks,” Dan L. Dodson, Fortified Health Security CEO, said in a statement. “The attacks on our nation’s critical infrastructures, which includes our hospital systems, has resulted in government agencies showing a renewed focus on cybersecurity.”

“This has helped move cybersecurity to the forefront of many boardroom discussions,” he added. “We, as healthcare leaders, must seize this opportunity to educate and inform stakeholders on the current cybersecurity threat landscape and the actions needed to combat these attacks.”

The Fortified Health report is meant to support health care covered entities in light of the ongoing threats and the rise in data breach numbers. In particular, the report stressed that providers are facing greater liabilities in light of the sophisticated threat landscape.

Researchers provided organizations with a number of recommendations to support system reviews and mitigation measures with a keen focus on proactive security measures, including security tools that enable early detection.

As noted, understanding the scope of devices and how the systems communicate is always the first step on identifying potential security gaps in the health care environment. Given the vast number of devices and connections, researchers stressed the need to adopt automated tools able to effectively carry out this crucial task.

Other key security elements include the development, implementation, and routinely practiced incident response plan, alongside employee security training and education, risk assessments, and limiting user access to areas only needed for their job function.

For those entities struggling with limited resources, Fortified Health recommends the use of outsourced cybersecurity monitoring and remediation efforts.

Lastly, the report warns entities not to rely on cyber insurance as the rates have skyrocketed in response to the rise in ransomware attacks. Some insurers are also jacking up the cost of deductibles and limiting the types of entities they’re willing to insure. The Government Accountability Office warned all private sector entities of this insurance shift in May.

“Despite the upward trend in take-up rates to date, insurer appetite and capacity for underwriting cyber risk has contracted more recently, especially in certain high-risk industry sectors such as health care and education and for public-sector entities,” the report attributed to the Council of Insurance Agents and Brokers, Marsh McLennan, and AM Best, at the time.

“These sources noted the contraction has resulted from factors that include increasing losses from cyberattacks, the threat of future attacks, and overall insurance market conditions,” it added. “Insurers have become more selective in extending coverage to high-risk entities and industries and increasing prices of coverage they offer.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.