Healthcare industry most common victim of third-party breaches, Black Kite finds

Dive Brief:

• The healthcare industry was the most common victim of third-party breaches in 2022, accounting for almost 35% of all incidents — up from 33% in 2021, according to a new report.
• The data from cyber risk intelligence firm Black Kite indicates cyberattackers’ continued focus on the sensitive personal health information and vulnerability of healthcare systems struggling from the COVID-19 pandemic, researchers said.
• The report comes days after the HHS alerted the sector to a pro-Russian hacktivist group called Killnet, which recently updated its target list to include hospitals and medical organizations in several countries.

Dive Insight:

Black Kite’s breach report illustrates the healthcare industry’s susceptibility to cyberattacks, with researchers noting the sector’s poor cyber posture in today’s era of interconnected health information systems, combined with new threats like Killnet, creates a bleak outlook for 2023.

The firm analyzed 63 third-party incidents, which ultimately resulted in roughly 300 publicly-disclosed breaches and data leaks in the past year. Their findings solidify that the healthcare industry is at the highest risk for breaches stemming from a third-party vendor.

However, the gulf between the number of breaches in healthcare and those in other industries has grown due to huge amounts of data piling up up in healthcare organizations during COVID-19 and attracting bad actors, the report said. In addition, the proliferation of vendor agreements between companies like hospitals and payers and third parties like debt collectors and outpatient providers means that breaches at those third parties can ripple across the system, compounding the number of victims in a phenomenon cyber experts call “cascading risk.”

Overall, although the number of third-party breaches decreased compared to last year, the individual effect of each breach nearly doubled, according to Black Kite.

”Lack of budget, remotely shared personal data between patients and hospital systems, and outdated software all point to avenues for hackers to infiltrate and gain access to health-related sensitive data. That’s why, again this year, the most affected sector has been healthcare,” the report said.

In March, a data breach at medical imaging and outpatient surgical services provider Shields Health Care Group exposed the data of 2 million New England patients who received care at about 60 facilities affiliated with Shields.

One month earlier, a ransomware attack hit debt collections agency Professional Finance Company. The vendor later disclosed the event affected more than 1.9 million patients across more than 650 of its healthcare provider clients.

Other third parties including eye care management software provider Eye Care Leaders, patient care guidelines provider MCG Health and health tech company Omnicell were all also hit by breaches last year.

The threat of cyberattacks has become more severe for healthcare companies, as attacks advance in aggression, complexity and volume, resulting in a number of other high-profile breaches last year at hospital giants like Tenet and CommonSpirit. Cybersecurity typically isn’t a priority in hospital IT budgets, making up just 6% or less of IT spending, by one estimate.

In addition, cyber threats are mounting from international events like Russia’s invasion of Ukraine. Killnet, which has targeted the U.S. healthcare industry in the past and is actively doing so again, is known for its campaigns against countries supporting Ukraine, according to the HHS’ cybersecurity center.

Currently, Killnet’s target list includes about 150 hospitals, mainly in Europe and the U.S., according to Black Kite.