While the volume of data breaches targeting the healthcare industry slid again in the second half of 2022, a closer look shows that current breach numbers are still higher than pre-pandemic levels, according to a new report by Critical Insight, a cybersecurity-as-a-service provider.
Healthcare Attacks Decline
The good news is that the number of data breaches hitting healthcare facilities has steadily declined over the last two years. However, 35% more individuals have been victimized and supply chain infections have increased, particularly affecting electronic health record (EHR) systems.
The Seattle-based Critical Insight’s new H2 2022 Healthcare Data Breach Report analyzes breach data that healthcare organizations have reported to the U.S. Department of Health and Human Services.
Commenting on the findings, John Delano, Critical Insight healthcare cybersecurity strategist and vice president at Christus Health, said:
"As the healthcare industry continues to face a rapidly evolving threat landscape, it's crucial for organizations to stay ahead of the curve and stay prepared. Our latest H2 2022 Healthcare Breach Report highlights the shifting tactics of attackers, who are now targeting smaller entities with weaker cyber defenses."
Key Findings From the Report
Here are some of the study’s key findings:
- Total breaches dropped 9% between the first six months of 2022 and the year's second half, continuing a decline since the height of the pandemic, from 393 breaches in the second half of 2020 to 313 in the second half of 2022.
- The number of individual records exposed by breaches spiked by 35% in the second half of 2022 to hit 28 million. Fewer but more significant breaches reflect consolidation within the industry and the evolving tactics of attackers.
- Healthcare organizations have done an excellent job of shoring up their policies around handling and storing medical records. Hacking accounted for 79% of all incidents and 84% of individual records exposed in 2022.
- The number of individuals affected per unauthorized access/disclosure breach spiked from 5,700 in the first half of 2022 to over 143,000 in the second half. By comparison, the average number of individuals affected per hacking breach grew from 73,900 to 87,000 in 2022.
- Attackers continue to hit hospitals but have found increasing success targeting business associates and third-party vendors, such as electronic medical record providers, lawyers, accountants, billing companies and medical device manufacturers.
- More records were exposed in the second half of 2022 due to breaches at business associates (48%) than at healthcare providers themselves (47%).
- Attacks against EMR systems, which were nearly non-existent in past years, spiked to 7% in the first half of 2022 and 4% in the second half of 2022. For the full year 2022, EMR-related breaches accounted for six million individual records exposed.