Third-party vendors and HIPAA business associates remain one of the biggest risks for healthcare data breaches according to a recent report about breaches in 2022.
The annual Breach Barometer report from Protenus and DataBreaches.net never disappoints. The researchers always find something new, write about it in an interesting way, and help us shape strategies to prevent or reduce healthcare data breaches. This year is no exception.
The report takes a broad approach and looks at breaches reported from both HIPAA and non-HIPAA entities that involved medical data or health insurance information on employees or patients.
“This retrospective report examines the extent of all known health data breaches in 2022, going beyond those that are reported to the government to provide the most complete picture possible — though gaps in detection and reporting mean the true impact of incidents is likely even greater. The analysis also explores preventative actions in the hopes of enabling healthcare organizations to take more effective, proactive postures going forward.”
The researchers looked at 956 health data breaches reported to HHS, the media, or other sources such as state regulators during 2022. The number of patient records breached increased 18% over 2021, while the number of breaches increased by only 5%, meaning that individual breaches exposed larger numbers of patient records on average.
Business Associates Continue to be a Major Source of Data Breaches in Healthcare
Business associate-related incidents accounted for 49% of all breached records during 2022, up from 42% in 2021. Ransomware actors have realized that business associates hold massive amounts of protected health information (PHI), so one attack on a business associate can yield far more data than one attack on a single covered entity.
Insider Incidents Account for More than 1 in 10 Healthcare Breaches
The number of insider incidents has remained roughly the same for three of the past four years – the exception was in the midst of the pandemic, 2020, when the number spiked.
Keep in mind that these figures include both intentional acts and errors.
The report’s authors “believe insider behavior is vastly underrepresented in breach reporting — for example, if a healthcare employee is tricked into clicking a malicious link in a phishing email which allows hackers to seize millions of patient records, the incident will be reported as a ransomware attack but it couldn’t have happened without insider error.”
Hacking Continues to do Enormous Damage
The number of hacking incidents has grown each year for seven consecutive years. Hacking, which includes ransomware/malware, phishing/email intrusions, and other kinds of attacks by external actors, accounted for approximately 75% of all reports compiled and 86% of all reported breached records.
Ransomware groups are growing and continue to threaten healthcare. The report cites a number of reasons for this, including:
“…healthcare organizations’ vast amount of valuable patient data; typically widely-dispersed IT footprint; large and difficult-to-manage EHR systems (with huge files for X-ray and CAT scan images that can be cumbersome to back up); willingness to pay ransoms to recover PHI because it’s essential for operation; hackers’ perception that hospitals and health systems are short on cybersecurity resources and their exploitation of the heavy workload on healthcare employees due to the staffing crisis.”
The report contains a fascinating summary of an interview with two active (unnamed) ransomware groups, lending rare insights into their motivations and techniques.
Increase Privacy Protection with HIPAA Compliance
The number one defense against a healthcare data breach is a strong HIPAA compliance program. The annual HIPAA risk analysis shows where the gaps are and lays out concrete steps to better manage risks to PHI. HIPAA compliance also requires staff training, business associate due diligence, and a security risk assessment that strengthens cybersecurity protections.
The Breach Barometer report contains reminders of how things can go wrong and data can be lost, but breaches are not inevitable. You can act now to reduce your chances of experiencing a breach. You don’t have to become a statistic in the breach report. Use HIPAA to strengthen your defenses.