Cyber Actors Target Outpatient Facilities More Regularly Than Hospitals

by | Sep 7, 2021 | Compliance News

A new evaluation of breach reports filed with the Department of Health and Human Services’ Office for Civil Rights has pointed out that outpatient facilities and specialty clinics were targeted by cyber threat actors with greater frequency than hospital systems in the first half of 2021.

Critical Insight Researchers revealed in their 2021 Healthcare Data Breach Report that cyber threat actors have modified their targets within the healthcare eco-system and are right now paying attention to outpatient facilities and business associates more regularly than hospitals and health insurance providers.

Though sizeable health systems are obviously interesting targets for cybercriminals, smaller healthcare institutions normally have weaker security protection and may be attacked with less effort and are quick targets for hackers. The probable earnings from the attacks could be smaller, nonetheless so too are the efforts to acquire access to their sites and sensitive records.

Hackers are expressing interest on electronic protected health information (ePHI) considering that it is worth much greater than a credit card number or social security number. Scammers can generate income from it in a multitude of ways, from offering it on the dark web to processing bogus insurance claims. It won’t help that numerous health companies employ devices that run on operating systems that are out-of-date, and lots of devices were not made with cybersecurity involved.

The researchers established that healthcare data breaches are these days taking place at nearly twofold the level of 2018, with data breaches ascribed to hacking and IT incidents transpiring at pretty much thrice the level of the first half of 2018. In the first 6 months of 2021, 70% of all healthcare data breaches with 500 or more records that were filed with the HHS’ Office for Civil Rights were hacking/IT cases.

There is actually a moderate decrease in the number of data breach reports from the last 6 months of 2020, nevertheless, that doesn’t show cyberattacks are decreasing, as in the last half of 2020 the breach reports sent to the HHS’ Office for Civil Rights involved a lot of breach notices submitted by institutions affected by the data breach that happened at business associate Blackbaud. The number of reported breaches in the initial half of 2021 is more than the first 6 months of last year, and it seems like the direction of escalating numbers of data breaches being reported each and every year will continue.

There has been a serious growth in the number of cyberattacks on business associates of HIPAA-covered entities, which currently equals 43% of all healthcare data breach reports. In the first half of 2021, there were 141 data breaches documented by business associates of HIPAA-covered entities. In comparison, there were merely 66 data breaches reported by business associates in the last 6 months of 2019. As these and other third-party breaches are being reported, it proves that attackers are paying more interest to this ecosystem of companies as an insecure link in the cybersecurity cycle.

Cybercriminals are less likely to cease attacking healthcare companies because the attacks are lucrative. It depends on healthcare institutions and their business associates to boost their defenses against cyber actors. The Critical Insight researchers have created various advice, which includes examining third party risk more precisely, consistently going over business associate agreements and making certain they clearly specify roles and obligations, carrying out more detailed protections against ransomware and phishing attacks, building up access controls, and doing basic security hygiene.

3 Steps To HIPAA Compliance

Step 1 : Download Checklist.

Step 2 : Review Your Business

Step 3 : Get Compliant!

Our HIPAA compliance checklist will outline everything your organization needs to become fully HIPAA compliant. Fill in the form below to download it now.

View our privacy policy