Healthcare cyberattacks jumped 55% in 2020 and cost an estimated $13 billion, according to a report from cloud security firm Bitglass.
Hacking and IT incidents were the top sources of data compromise, causing two-thirds (67%) of all breaches, the IT firm reported. Unauthorized disclosure was the second leading cause at 21%, according to the data analyzed from the U.S. Department of Health and Human Services.
Among other key findings, the average cost per breached record rose to $499 from $429 in 2019. And in 2020, it took an average of 236 days for healthcare firms to recover from breaches.
“Each year since 2015, hacking and IT incidents have been exposing more records than any other breach type,” the Bitglass report said. “Additionally, the scales of these incidents have been increasing each year since 2018, suggesting that organizations are increasingly leaning on their IT resources, and criminals have been increasingly targeting them.”
California led the nation with 49 breaches, followed by Texas at 43, and New York at 39.
The HHS’s Office of Civil Rights maintains a count of reported healthcare breaches. The incidents keep coming. In January 2021, 32 events were reported, according to an analysis conducted by the HIPAA Journal.
One of the January breaches is among the largest healthcare data breaches of all time.
The breach reported by the Florida Healthy Kids Corporation, a health plan, actually occurred at one of its business associates. The third-party IT vendor did not patch its software vulnerabilities for seven years. That allowed unauthorized individuals to access sensitive data, including names, birthdates, and Social Security numbers.
Two recently announced high-profile hacks of software providers have renewed security experts’ fears of attacks on suppliers, according to reports.
In the SolarWinds attack, hackers inserted malicious code into one of the company’s software updates. Around 18,000 customers installed the tainted updates onto their systems.
A more recent hack compromised cloud solutions company Accellion’s legacy file-transfer service. A threat actor began exploiting vulnerabilities, and the attacks have hit banks, universities, and other organizations worldwide.
The revelations underscore the challenge that organizations face in dealing with security issues. Not only do they need to focus on their own security, but they also face potential exposure from countless third-party vendors.
In today’s interconnected world, organizations are only as strong as their weakest provider.
“It’s not realistic to not depend on any third parties,” Katie Nickels, director of intelligence at the security firm Red Canary, told WIRED.
There’s no clear solution to the threats that third-party providers pose to organizations. Knowing all your vendors and what their products can access is a place to start assessing potential threats.
Nickels told WIRED that if organizations had an asset inventory and a list of all the third-party vendors, “that in itself would be a great outcome” from the recent attacks.
Chivaroli and Associates Insurance Services is a full-service brokerage firm specializing in the custom-design and placement of insurance and alternative risk funding solutions for your healthcare organization.