Cybersecurity-as-a-Service provider, Critical Insight, has released its H1 2023 Healthcare Data Cyber Breach Report, providing analysis of data breaches reported by healthcare organizations to the U.S. Department of Health and Human Services (HHS). The report reveals key insights into the state of cybersecurity in the healthcare industry and the evolving tactics of cybercriminals.
One significant finding of the report is a decrease in the total number of breaches compared to the second half of 2022. This decline is a positive trend, considering the consistent increase in attacks over the past few years. The reduced number of breaches in the first half of this year suggests that the overall number may be lower for the entire year. This year is on track to record the fewest breaches since 2019 and experience fewer provider breaches compared to the previous three years.
However, despite the decrease in the number of breaches, the report highlights a significant increase in the number of individuals affected by breaches. Large-scale breaches have resulted in a record level of individuals affected in 2023. In the first six months of this year alone, the number of individuals affected reached 40 million, representing 74% of the total number of individuals affected in 2022. This surge in affected individuals underscores the severity and impact of these breaches on healthcare organizations and the broader population.
The report also analyzes the causes of data breaches in the healthcare industry. Hacking and IT incidents were the primary cause, accounting for 73% of breaches in the first half of 2023. Unauthorized access and disclosure were the second-most prevalent breach type. Other factors such as theft, lost records, and improper disposal were relatively insignificant contributors to data breaches.
In terms of entry points for hackers, the report highlights a shift in tactics towards targeting network server vulnerabilities. Network server breaches accounted for a staggering 97% of individual records affected, while only 2% can be attributed to email breaches. This shift in tactics emphasizes the need for healthcare organizations to prioritize the protection of their network infrastructure to mitigate the risk of breaches and unauthorized access.
Furthermore, the report reveals an alarming increase in breaches associated with third-party business associates. Hackers have intensified their attacks on these associates, which offer services to healthcare organizations. Of the 40 million exposed records, 48% were linked to business associates, while 43% were associated with healthcare providers. This shift in focus underscores the importance of effective incident response planning and proactive defense strategies within the supply chain. Healthcare organizations must remain vigilant and prioritize the security of their partners and suppliers to prevent breaches and mitigate risks.
To adequately prepare for future cyber threats, the report recommends several measures for organizations. First, organizations should invest in incident response planning and conduct a risk assessment based on the NIST Cybersecurity Framework (NIST-CSF). This approach helps build a multi-year strategy to address cybersecurity vulnerabilities effectively. Additionally, organizations should prioritize cybersecurity hygiene for critical partners and suppliers to maintain a secure environment. Robust focus on safeguarding third-party vendors, business associates, and suppliers from vulnerabilities is crucial. Finally, organizations should seek support from their board and emphasize the critical impact of investment in cybersecurity measures.
Overall, the H1 2023 Healthcare Data Cyber Breach Report by Critical Insight provides valuable insights into the current state of cybersecurity in the healthcare industry. The report highlights the evolving tactics of cybercriminals, the increasing number of affected individuals, and the critical need for proactive defense strategies and incident response planning. Healthcare organizations must remain vigilant and take proactive measures to protect their systems, partners, and the sensitive data of their patients.