Cyber attackers are targeting smaller providers and outpatient healthcare facilities

Cyberattackers eying small providers as easy victims

September 01, 2021
by John R. Fischer, Senior Reporter
Cyberattackers are shifting their focus more toward smaller healthcare providers, seeing them as easy targets.

Outpatient facilities, including family medicine and specialty clinics, were targeted almost as often as hospitals in the first half of 2021, while business associates like claims processors accounted for 43% of all healthcare breaches, according to a report by cybersecurity firm Critical Insight.

This, it says, is because smaller healthcare organizations usually run the same technology as larger hospitals, so they are exposed to the same attacks, yet they have less money to spend on security, reports Healthcare Dive.

"As these and other third-party breaches continue to make the news, it demonstrates that attackers are paying more attention to this ecosystem of vendors as a vulnerable link in the cybersecurity chain," said the report.

HHS reported 141 breaches, compared to just 66 in the second half of 2019, says the report. Breaches at healthcare facilities were significantly higher in the first half of the year than in the same period last year, and higher than in any six-month period since 2018. HHS divides breaches into theft, improper disposal, loss, unauthorized access or disclosure, and hacking or IT incidents. Hacking and IT incidents took place nearly three times as often as in 2018, while the total number of breaches is twice as high as it was back then.

"This issue will only continue to grow and become more complex. We predict that there will be the most breaches ever reported in the second half of 2021. Shore up detection and response capabilities because it's not 'if' a healthcare facility or business associate will be breached, it's 'when,'" Critical Insight told HCB News.

To address these issues, it recommends periodic security training and onboarding for staff; risk assessments or self-assessments to determine the budget needed to address these incidents; and outsourcing to detection and response providers to lower the impact of an incident, reduce dwell time and avoid hefty costs. "Pull all the right people into the room and discuss scenarios and practice your plan so you are prepared when something happens," said the company.

One hospital recently hacked was University Medical Center. REvil, a notorious hacker group, infiltrated one of its servers in mid-June and later posted on its website images of Nevada driver's licenses, passports and Social Security numbers belonging to patients.

A recent report by credit rating agency Fitch Ratings said that cyberattacks can easily damage a provider's financial position, according to Healthcare Dive. For instance, the cost of recovering a patient record rose 16% from 2019 to 2020. An attack on Scripps Health in San Diego back in May played a large role in the $113 million loss it incurred for the quarter. The hackers got into Scripps' network in late April and deployed malware to exfiltrate copies of data. In response, the healthcare organization shut down its patient portals, email servers and other healthcare-related technology applications for most of May, implemented emergency downtime procedures and switched to offline charts.

It is now facing a lawsuit from patients whose information was compromised. "That medical histories were accessed in this data hack makes this situation unique. Despite hundreds of data breaches every year in this country, most do not involve such highly sensitive patient information as was obtained here," said Scott Cole, the principal attorney on the case.

Attacks can even originate from inside a healthcare facility. A man in Georgia, for instance, who worked as chief operations officer of a network security company, was charged earlier this summer with launching an attack on Gwinnett Medical Center, which had hired that company to provide cybersecurity protection. He was charged with 17 counts of intentional damage to a protected computer.