Organizations that handle healthcare data relating to US citizens must report any data breaches to the US Department of Health & Human Services (HHS). The reporting is done via a web portal and must be within 60 days for breaches that expose more than 500 records, or as part of the end-of-year reporting for breaches under 500.
The data collected by HHS on breaches with over 500 records are publicly available on their website, commonly known as the "Wall of Shame." Twice a year, Critical Insight analyzes the latest breach data from HHS, and then we publish a report with our findings. The latest report for 2021 H1 is now available. It contains valuable insights on cybersecurity trends within the healthcare sector. The report includes:
An analysis of the reported breaches.
What the data shows about the evolution of cybercriminal tactics.
Steps to take to prevent attacks from succeeding and how to respond to a breach in your organization.
Our predictions on how the cybersecurity threat to healthcare providers will develop over the coming months.
Industry Response to the 2021 H1 Healthcare Data Breach Report
The focus on cyberattacks targeting critical infrastructure, which includes healthcare delivery, is currently high on the agenda of the Government and most organizations. The 2021 H1 Healthcare Data Breach Report has attracted much attention and reporting in the cybersecurity and healthcare IT press. This is gratifying as it means that cybersecurity in this area is on people's radar.
Below we highlight ten press responses to the report. Feel free to reach out to us via the Critical Insight contact page if you want to discuss any points raised by the report or the webinar, or for expert advice on how to protect your critical infrastructure from cybercriminals.
The HealthITSecurity site had two articles in response to the report. In the first, they covered the findings along with broader cybersecurity trends. They conclude their article with the following paragraph, which is good advice:
“The report advised healthcare entities to assess third-party risk, regularly review business associate agreements, and implement strict access controls. Considering the growing number of cyber threats, healthcare providers must ensure basic cyber hygiene to avoid becoming the next name on HHS’ data breach portal.”
The second HealthITSecurity article that mentioned the report was a news post about an Illinois-based medical consultancy group informing 171,000 of their patient clients that their data was compromised. They use the Critical Insight report to highlight the widespread nature of cyberattacks against healthcare organizations.
Security Magazine provides security industry news across both cybersecurity and physical security. They outlined the findings from the report and noted the general upward trend in breaches reported by healthcare providers.
The HIPAA Journal aims to provide the most comprehensive coverage of HIPAA news online. They deliver independent advice about HIPAA compliance and the best practices to avoid data breaches, violations, and regulatory fines. Readers of the HIPAA Journal are right in the wheelhouse of the target audience for whom we publish the Healthcare Data Breach Report. It's good to see the report being picked up and flagged to their audience.
SC Media is a popular online news and analysis resource for cybersecurity professionals. They covered the findings in the Critical Insight report in depth. Also, they compared them to similar vendor-related vulnerability findings that SC Media reported in their own analysis of 2021 cybersecurity attack data.
The Fierce Healthcare website delivers healthcare news at the intersection of business and policy. Their article summarizing the report goes into detail, with numerous examples of recent breaches, and includes comments from Vivian Zhou, the Critical Insight Healthcare Program Manager, and a lead author on the report.
The HealthcareInfoSecurity site chatted with John Delano, a regional CIO at AdventHealth hospital group and a healthcare security strategist for Critical Insight. In the 12-minute chat, the Critical Insight report gets discussed in the wider healthcare cybersecurity context. John says in the conversation:
"It takes a lot of time and effort to not only extend your security posture beyond your own four walls, but then when you have to look at the hundreds or even thousands of vendors and third-party folks who have access to your data, it can be overwhelming, but you have to make it a priority … to categorize your data and understand who has access to the most critical data - and ensure that [vendors are] taking appropriate steps to meet your security requirements … and to secure that data if it leaves your premises."