Fewer breaches, more victims: Health systems face evolving threats from cyberattacks

The number of healthcare data breaches is on pace to be the lowest since 2019, a new cybersecurity report suggests.

But the good news only goes so far. In fact, the number of people affected by health data breaches is poised to surge past previous years, according to a new report issued Tuesday morning by Critical Insight, a cybersecurity firm.

In the first half of 2023, 40 million Americans were affected by health data breaches, according to the firm’s analysis of federal data. By comparison, a record 58 million people were impacted by breaches in all of 2021.

“Certainly the more concerning piece of that is, the number of records impacted is increasing,” says John Delano, healthcare cybersecurity strategist at Critical Insight and vice president at CHRISTUS Health.

In the first six months of the year, there were 308 healthcare data breaches, compared to 349 in the first half of 2022 and 367 in the first half of 2021, Critical Insight said in the report. The firm analyzed data from the U.S. Department of Health and Human Services.

• Read more: Here are the 10 biggest data breaches in the first half of 2023

Mike Hamilton, chief information security officer of Critical Insight, explains that the bigger number of victims, even with fewer attacks, is an indicator that attackers are being more shrewd.

“What seems to be going on is better targeting by criminals,” Hamilton says. “I mean, these are basically illegal corporations, and they need to minimize risk, maximize their return on their effort.”

(See part of our cybersecurity discussion with John Delano and Mike Hamilton in this video. The story continues below.)

To be sure, plenty of hospitals have seen attackers infiltrate their systems so far this year. More ransomware attacks have been reported at hospitals in recent months, industry analysts say.

• Read more: Paying the ransom: A special report

Some hospitals owned by Prospect Medical Holdings were hit by a cybersecurity attack, requiring some services and procedures to be delayed. HCA Healthcare disclosed a data breach in July that affected as many as 11 million patients. The large, for-profit system said the breach appeared to be the result of a theft from an external storage location used to automate the formatting of email messages.

However, cybercriminals are increasingly showing interest in going after electronic medical records. And they are finding they don’t have to go to health systems to get access to patient records.

In fact, cybercriminals are getting records - and affecting hospitals and health systems - by targeting insurers or other key vendors, experts say.

“They're going after EMRs, rather than individual hospitals,” Hamilton says. “They're going to a hospital chain, or a service provider that serves up records, so that, you know, they can minimize that effort. And they're starting to be very successful doing this.”

A cyberattack on MCNA, a dental insurer, affected more than 8.8 million Americans, according to the health department. A pharmacy services firm, PharMerica said in a statement it was hit with a cyberattack in March, and the breach has affected more than 5.8 million Americans.

Attackers are also increasingly going after network vulnerabilities, Hamilton says.

“There's been a significant change in tactics,” he says.

When software vulnerabilities are announced, Hamilton says, “criminals, nation-states, everybody goes to work, reverse engineering the patch, so that they can develop the exploit, scanning the internet to find the exposures and then taking them over.

“And that's starting to happen very quickly, every time a vulnerability is announced,” Hamilton says. “So this change in tactics really, I think, is a message to covered entities, mainly about vulnerability management and getting a lot better at it.”

• Read more: Protecting patients during cyberattacks

About two-thirds (65%) of the breaches in the first half of the year involved healthcare providers, while one in five (21%) affected business associates, and 14% affected health plans, according to the Critical Insight report.

However, those attacks on business associates are proving fruitful. About 19.5 million records were accessed from business associates in the first half of the year, and that accounts for about half of all the records breached.

While health organizations are investing more on cybersecurity and doing more training, Delano says health systems need to continuously work at cybersecurity in the face of emerging threats.

“I've always viewed it as a cat-and-mouse game,” Delano says. “You know, you're always having to learn how to build a better mousetrap. So as defenses increase, the criminals get smarter … Healthcare organizations have to be right all the time. It only takes being wrong once to be affected by a breach.”

Hospitals are also challenged by the number of legacy applications that they have, Delano says. As hospitals work around the clock, it’s not easy to address vulnerabilities, he says.

“It's very difficult to take these systems down to patch them,” Delano says. “When you've got hundreds or thousands of applications that are constantly needing to be updated … it can be very disruptive. So I think organizations have to get better at getting those patches in, in a more timely manner.”

Cybercriminals are finding more undiscovered vulnerabilities, referred to as “zero day” events, and exploiting them, Hamilton says.

“That means one of two things,” he says. “They are really investing in researchers to develop ‘zero day’ exploits, or there is some collusion with nation-states who have a stockpile of those things. And I'm not sure which one of those I believe, but that's a bad situation.”