Providers are the most common targets for cyber criminals leveling attacks against the healthcare industry, with data breaches at provider organizations accounting for 79% of all those reported to the Department of Health and Human Services in the first 10 months of 2020, according to a new report from cybersecurity firm Fortified Health Security.
Though the Covid-19 pandemic grabbed most headlines in 2020, patient data breaches, hacking incidents and IT shutdowns continued, providing several cautionary tales for the healthcare industry. From the malware attack that shut down 26-hospital Universal Health Services’ IT systems in September and October to an email hacking incident that exposed the information of close to 500,000 Aetna health plan members, stronger cybersecurity defenses are the need of the hour for healthcare entities nationwide.
From January to October last year, 513 healthcare organizations reported a breach of 500-plus patient records to the HHS’ Office for Civil Rights, which impacted about 23.5 million individuals, according to the Fortified Health Security report. The number of reported breaches jumped 18% from 435 breaches reported in the same period in 2019. The report gathered data and information from several sources, including the Office for Civil Rights.
Of the 513 reported breaches, 404 occurred among providers, affecting approximately 13.5 million patients. This represents a 20% jump from January to October 2019, during which time 338 providers had reported breaches. Among health plans there was a 4% decrease during the same time period, with 49 payers reporting breaches in 2019 compared with 47 last year.
“The shift to work from home and increase in telehealth use has taken a toll on overall security by creating an increased attack surface for cybercriminals,” the report states.
Hacker or IT incidents remained the leading cause of breaches in the first 10 months of 2020, rising 8% over the same period the year prior. In 2020, hackers caused 69% of all breaches, up from 61% in 2019. Unauthorized access is the second leading cause, accounting for 20% of breaches in 2020.
Further, the report shows that attacks on network servers are on the rise, increasing from 23% in the period from January to October 2019 to 35% in the same period last year.
The consequences of patient data breaches do not end with IT implications alone, however. Healthcare organizations must also contend with investigations conducted by the HHS’ Office for Civil Rights.
In the first 10 months of last year, the Office for Civil Rights reached 11 resolution agreements with healthcare organizations. Each agreement included a fine averaging just under $900,000 and a multi-year corrective action plan requiring the organization to improve its cybersecurity program.
With eyes turned to 2021, cybersecurity continues to be a key strategy area for healthcare organizations. The threat of cyber crime is alive and well, a fact underscored by the advisory released last October by the Federal Bureau of Investigation, along with two other federal agencies, warning of an “imminent and increased cybercrime threat to U.S. hospitals and healthcare providers.”