Will 2022 Be the Year that Ends Data Breaches in Healthcare?

Post Summary
Unlikely. 2020 brought 663 reported healthcare data breaches affecting 33 million individuals, and 2021 was on track to be a record year.
Healthcare data breaches were projected to cost the industry $4 billion by the end of 2020.
Hacking and IT incidents, including ransomware, caused over two-thirds of 2020's breaches, with network servers and email the most common locations of compromised data.
Healthcare organizations store sensitive patient data and run care-critical systems, making them lucrative targets for ransomware and data theft.
Organizations should adopt recognized cybersecurity frameworks such as NIST CSF, perform regular risk assessments, automate monitoring and response, and maintain HIPAA compliance.
Data breaches are expected to keep increasing in frequency and sophistication, requiring proactive measures to protect patient data and patient care.
Healthcare is arguably one of our fundamental human rights. As such, we not only seek the best available care; we must also ensure that our personal health data remains available and protected. Today more than ever, it is imperative that Health IT leaders invest in security, perform regular cybersecurity risk assessments, and strive for secure interoperability. The future of the healthcare infrastructure depends on organizations continuing to do everything they can to protect the confidentiality, integrity, and availability of their patients' health information.
Unfortunately, the growing number of healthcare data breaches continues to make headlines. Healthcare remains a primary target for cybercriminals because of its vulnerability and the high value of healthcare data. Healthcare data breaches expose patients' HIPAA-protected confidential records, and millions of people are affected. Breaches have detrimental effects, including long-term financial consequences, disruption to patient care, a decline in hospital productivity, and, in the worst case, the death of a loved one.
On December 2, 2021, Definitive Healthcare, a leading provider of commercial healthcare intelligence, released a study of the largest healthcare data breaches in 2020 and 2021. The underlying data comes from the Secretary of Health and Human Services (HHS), which publishes breaches of unsecured protected health information (PHI) affecting 500 or more individuals. Under the HIPAA Breach Notification Rule, every breach of unsecured PHI must be reported to the affected individuals and to HHS, and, where more than 500 residents of a state or jurisdiction are affected, to prominent media outlets as well. Breaches affecting fewer than 500 individuals are still reported to HHS, but only annually, and they do not appear on the public list. The HHS breach portal that lists the larger incidents is commonly referred to as the "wall of shame." It covers only breaches reported by HIPAA covered entities and their business associates: healthcare providers, health plans, healthcare clearinghouses, and business associates.
Through mid-October 2021, there had already been 543 healthcare data breaches affecting 36 million records. Chuck Brooks, global thought leader in cybersecurity and emerging tech, published a Forbes article relaying "more bad news in 2021, according to the Identity Theft Resource Center (ITRC), the number of data breaches publicly reported so far this year has already exceeded the total for 2020, putting 2021 on track for a record year." Before 2021, the worst year on record was 2015, when more than 112 million records were breached, the largest number of individuals affected in several years.
Experts believe that the current surge in ransomware and data breaches within the public health sector results from the Covid-19 pandemic. In 2020, there were 150 more data breaches than in 2019, and "out of the 663 healthcare data breaches in 2020, the top twenty account for nearly half, or 16 million, of the 33 million total individuals affected. The largest incident compromised over 3.3 million records and five breaches affected over 1 million individuals each," according to Definitive Healthcare. The locations of breached information in 2020, by share of reports, were: network server (43.0%), email (36.0%), paper/film (13.7%), EMR (5.0%), desktop (3.0%), other portable electronic devices (2.6%), and laptop (2.4%). Over two-thirds of these breaches were caused by hacking or IT incidents, the most common type of breach. As ransomware and other hacking/IT incidents grow, the share of breaches attributed to theft, loss, and unauthorized access/disclosure continues to shrink.
However, it is not just about data loss. Several studies, including The Impact of Ransomware on Healthcare During COVID-19 and Beyond, published by the Ponemon Institute, a research center dedicated to privacy, data protection, and information security policy, suggest that ransomware attacks on healthcare delivery organizations can have a significant impact on care delivery, including increased mortality rates. This risk is a central concern for IT and security leaders in healthcare because patients' lives are at stake. As a result, the healthcare industry must continue to transform cybersecurity by implementing broader risk management programs and automation.
There is undoubtedly much more work to do to prevent cybercriminals from disrupting patient care and costing the healthcare industry billions of dollars. As this year comes to an end, how will your organization transform its cybersecurity and risk management processes, resources, and technologies to protect patient data and care in 2022?
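The breakdowns quoted above (share of reports by breach type and by location of the breached data, and how much of the total impact sits in the largest incidents) can be reproduced from the HHS breach portal's CSV export. The following Python script is an added example, not code from the original post or from Definitive Healthcare. The column names are an assumption based on the portal's export and should be checked against a real download; the rows embedded in the script are constructed sample data, not real breach reports.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample rows (NOT real breach reports) in the column layout assumed for
# the HHS OCR breach portal CSV export. Verify the header line against a real download.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Health System,TX,Healthcare Provider,3300000,06/01/2020,Hacking/IT Incident,Network Server,No
Example Health Plan,CA,Health Plan,1200000,03/15/2020,Hacking/IT Incident,Email,No
Example Clinic,NY,Healthcare Provider,50000,08/20/2020,Unauthorized Access/Disclosure,Paper/Films,No
Example Billing Vendor,IL,Business Associate,800000,11/02/2020,Hacking/IT Incident,Network Server,Yes
Example Hospital,FL,Healthcare Provider,2500,01/10/2020,Theft,Laptop,No
Example Practice,OH,Healthcare Provider,1500,05/05/2020,Loss,Other Portable Electronic Device,No
Example Dental Group,WA,Healthcare Provider,7000,02/14/2021,Hacking/IT Incident,Email,No
"""


def load_breaches(csv_text):
    """Parse a portal-style CSV; normalise the affected count and add the submission year."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("Individuals Affected") or "").replace(",", "").strip()
        row["Individuals Affected"] = int(raw) if raw.isdigit() else 0
        submitted = datetime.strptime(row["Breach Submission Date"].strip(), "%m/%d/%Y")
        row["Year"] = submitted.year
        rows.append(row)
    return rows


def filter_year(rows, year):
    """Keep only reports submitted in the given calendar year."""
    return [r for r in rows if r["Year"] == year]


def share_by(rows, column):
    """Fraction of breach reports (by report count, not by records) per value of `column`."""
    counts = Counter(r[column] for r in rows)
    total = sum(counts.values())
    return {value: n / total for value, n in counts.items()} if total else {}


def total_individuals(rows):
    """Total individuals affected across all reports."""
    return sum(r["Individuals Affected"] for r in rows)


def top_n_share(rows, n):
    """Fraction of all affected individuals accounted for by the n largest incidents."""
    sizes = sorted((r["Individuals Affected"] for r in rows), reverse=True)
    total = sum(sizes)
    return sum(sizes[:n]) / total if total else 0.0


def largest(rows):
    """The single report with the most individuals affected."""
    return max(rows, key=lambda r: r["Individuals Affected"])


def count_at_least(rows, threshold):
    """Number of incidents affecting at least `threshold` individuals (e.g. 1,000,000)."""
    return sum(1 for r in rows if r["Individuals Affected"] >= threshold)


if __name__ == "__main__":
    y2020 = filter_year(load_breaches(SAMPLE_CSV), 2020)
    print(f"{len(y2020)} reports, {total_individuals(y2020):,} individuals affected")
    for label, column in (("type", "Type of Breach"),
                          ("location", "Location of Breached Information")):
        for value, share in sorted(share_by(y2020, column).items(), key=lambda kv: -kv[1]):
            print(f"  by {label}: {value}: {share:.1%}")
    print(f"top 2 incidents: {top_n_share(y2020, 2):.1%} of individuals")
    print(f"incidents affecting >= 1M: {count_at_least(y2020, 1_000_000)}")
```

To run it against a real export, read the downloaded file into a string and pass it to `load_breaches`. Two caveats when comparing with published figures: the percentages above are shares of reports, not of records, and a real export may list several locations in one field (for example a server and email together), so split that field before counting if you want per-location shares that add to 100%.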
Ed Gaudet
CEO and Founder, Censinet
Key Points:
Will 2022 be the year that ends healthcare data breaches?
- No. Nothing in the current data suggests breaches will stop in 2022.
- 2020 was a pivotal year, with 663 reported breaches affecting 33 million individuals, and 2021 was on track for a record year.
- Those years highlighted the weaknesses in healthcare cybersecurity, with breaches becoming more frequent and more sophisticated.
How much did healthcare data breaches cost in 2020?
- Healthcare data breaches were projected to cost the industry $4 billion by the end of 2020.
- These costs included expenses related to:
  - Data recovery and system restoration.
  - Regulatory fines for non-compliance with HIPAA.
  - Reputational damage and loss of patient trust.
What trends emerged in healthcare data breaches after 2020?
Key trends include:
- Increased frequency: 663 breaches were reported in 2020, and 2021 was on pace to exceed that total.
- Ransomware attacks: Threat actors increasingly use ransomware to disrupt operations and demand payments; hacking and IT incidents now cause over two-thirds of reported breaches.
- Phishing and credential theft: These remain primary attack vectors for accessing sensitive data, with email the second most common location of breached information.
- Regional impact: Breaches often affect not just the targeted organization but also neighboring healthcare facilities.
Why are healthcare organizations targeted by cybercriminals?
- Healthcare organizations are lucrative targets because they hold and operate:
  - Sensitive patient data, including medical records and financial information.
  - Critical clinical systems that, if disrupted, delay patient care and create urgency to pay a ransom.
- Cybercriminals exploit vulnerabilities in outdated systems and insufficient cybersecurity measures.
What measures can healthcare organizations take to prevent breaches?
To prevent breaches, healthcare organizations should:
- Adopt advanced cybersecurity frameworks like NIST CSF and HIPAA compliance standards.
- Implement AI-driven monitoring to detect and respond to threats in real-time.
- Conduct regular risk assessments to identify and mitigate vulnerabilities.
- Train staff on recognizing phishing attempts and other cyber threats.
- Invest in third-party risk management to secure vendor ecosystems.
What is the future outlook for healthcare data breaches?
Data breaches are expected to:
- Increase in frequency: As healthcare organizations adopt more digital tools, attack surfaces expand.
- Grow in sophistication: Threat actors are leveraging AI and advanced techniques to bypass traditional defenses.
- Require proactive measures: Organizations must prioritize cybersecurity investments to protect patient data and maintain operational resilience.