Cybercriminals seeking to obtain sensitive health information are increasingly targeting vulnerable providers to bypass protections that healthcare providers, Insurance companies and other organizations have set up to protect patient data.
As health care organizations often exploit third-party vendors to handle business functions, cybersecurity experts warn that they are creating opportunities for hackers. Vendor data breaches, which fall under the category of business affiliation on the Office of Health and Human Services’ Civil Rights infringement portal, have increased in number and size over the past five years.
As of November, there were 116 breaches reported against business partners affecting 17.7 million patients. These account for 17.5% of healthcare violations but 36.1% of patients had their data exposed this year. There were only 40 breaches that hit business partners, involving 5.9 million patient data, during the same period in 2018.
Jeff Krull, a partner in cybersecurity operations leadership at consulting firm Baker Tilly, said hackers see the data that vendors own as a “treasure”.
Instead of breaching an organization’s data, criminals can obtain data from a variety of health providers and plans including patient names, addresses, Social Security numbers, treatment information, and prescriptions. medicine. The cyber attack on the OneTouchPoint printing and mailing service, discovered in April, involved more than three dozen providers and insurers, including Humana, Kaiser Permanente and several Blue Cross and Blue Shield, affecting more than 4 million patients simultaneously—making it the largest healthcare service The attack was reported this year.
“If a threat actor can determine that a provider is working with 10 or 12 hospital systems and healthcare plans, they make a very high value target,” says Alexander Urbelis , a senior advisor at law firm Crowell & Moring, the expert said. in identifying cybersecurity threats.
Why now?
Health systems are increasingly using providers to achieve financial, operational and clinical practice, especially in the context of workforce shortages.
“They may not have the human resources or internal human capital to influence certain business processes,” says Riggi. Large medical systems can rely on thousands of providers for administrative services, including payroll and electronic health records, as well as software that runs medical devices such as X-ray machines and equipment X-ray.
Stressed supply chains and financial problems at hospitals, exacerbated by the COVID-19 pandemic, are prompting them to contract with suppliers. “You might be looking to outsource some of the things you did in-house before to save some money,” says Krull.
These broader circumstances make it harder for healthcare organizations to invest in stronger security measures, says Krull. “It really created this perfect storm,” he said.
While healthcare companies are strategically looking for contractors to improve business operations and clinical services, relationships with other providers are falling into their laps as expanded health system. “If there’s a merger or acquisition, you take on not only that entity but all of their relationships,” Riggi said.
However, health systems may choose to hire providers to perform tasks such as testing patients even if they know that the contractor lacks robust cybersecurity measures if they conclude that the results are inadequate. The patient outcome outweighs the risk, says Krull.
Attacks involving insurance companies occur less frequently than attacks on providers. Because they don’t have patients coming in and out, insurance companies can operate more like self-contained businesses. and tightly control who has access to information, Krull said.
