The healthcare industry has been struck by a spate of massive cyberattacks, as hackers increasingly target vendors.
Ransomware attacks at revenue-cycle management vendor Practice Resources and accounts receivable management firm Professional Finance Company possibly exposed data on 942,138 patients and 1.9 million patients, respectively. A cyberattack at OneTouchPoint, a vendor that offers printing and mailing services, possibly compromised data on nearly 1.1 million patients.
It’s part of a growing tendency for hackers to target companies that provide technology and services to multiple healthcare organizations, said Michael Hamilton, founder and chief information security officer at Critical Insight. That approach can yield more stolen records than targeting healthcare providers individually.
Companies that handle patient data on behalf of healthcare providers and insurers—known as business associates under the Health Insurance Portability and Accountability Act—accounted for 14.5% of healthcare breaches reported in the first half of 2022, but 22.9% of compromised records, according to a report Critical Insight, a cybersecurity company, released Wednesday. That's up from just a couple of years ago. In the first six months of 2019, business associates accounted for 10.3% of healthcare breaches.
“There is more of a focus on the service providers, the third parties—the organizations that have lots of records in one place,” Hamilton said.
The average number of individuals with data compromised in a breach at a business associate is 97,000, compared with 59,000 for providers, according to the report.
Providers accounted for 73.5% of breaches and 70.4% of compromised records in the first half of 2022, and insurers accounted for 12% of breaches and 6.7% of records. Breaches at providers have trended downward, according to the report. Providers reported 238 breaches in the first half of the year, compared with 269 breaches in the year-ago period.
“If I get access to a third-party, all of a sudden I can send email as that third-party—it’s trusted,” Hamilton said.
Email phishing—in which a hacker poses as a legitimate source, such as an employee’s manager or a vendor sending a contract—has been a major source of healthcare breaches for years.
But phishing emails targeting healthcare providers have become more sophisticated, said Christopher Plummer, cybersecurity architect at Lebanon, New Hampshire-based Dartmouth Health. Hackers are tailoring the content of such emails to the organization they have their eye on, such as by referencing software products used at the health system.
“These are clearly not generic phishing templates that are being used against us,” Plummer said. “This is someone who’s done homework.”
Once a hacker infiltrates a system, they might not deploy malware immediately. They might spend months trying to access connected systems, until they reach the most sensitive data.
Hospitals frequently are threatened with $250,000 to $500,000 ransom demands after a ransomware attack, according to a report from cybersecurity company Cynerio.
A data breach can cost healthcare organizations $10.1 million, including the costs related to detection, response and possible lost business, according to a report from IBM. That’s more than any other sector. Breaches at financial organizations—the second hardest-hit industry—cost $6 million per breach.
Healthcare organizations historically have been urged to back up data systems, so they can restore information if it’s encrypted by ransomware.
But cybercriminals have found ways to circumvent those precautions.
There’s been a rise in attackers extorting organizations by stealing patient records and threatening to post or sell the information on the dark web if the hospital doesn’t pay a sum, said Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society. That may be coupled with encrypting a hospital’s IT systems, in a ransomware tactic called "double extortion."
“This pressure is given so that folks don’t, for example, try to restore from clean backups,” Kim said.
Hamilton said he’s also seen hackers post records online and say they’ll only delete the information in exchange for payment.
In both of those cases, he said hospitals should involve law enforcement and their cyber-insurance provider upon learning of the breach. Organizations do sometimes pay, but it's discouraged.
It's “always a roll of the dice,” he said of paying cybercriminals, noting they might choose to sell the stolen data even if they are paid.
This article has been updated. An earlier version gave an incorrect title for Lee Kim.