As hospital systems become more hardened to cyber-attacks, cyber criminals are focusing their efforts on smaller providers, such as outpatient clinics, specialty clinics and business associates, according to a report by Critical Insight.

The report states that “Data on cyber-attacks from the first half of 2021 shows criminals are changing targets within the healthcare ecosystem, with breaches increasing for outpatient facilities and business associates. The data also shows some long-term trends continuing, with overall attacks on an upward trend.”

Analyzing data on the Department of Health and Human Services’s breach reporting website, the report states that “more than 70% of the breaches reported during the first six months of 2021 were classified as a ‘hacking/IT incident.’ … Outpatient facilities, including family medicine and specialty clinics, were a common source of data breaches, and business associates were heavily targeted as well.”

Key findings of the report show:

  • Breaches up nearly 2x since 2018 and on an increasing trajectory;
  • Increase in breaches attributed to hacking/IT incidents, with the number of hacking/IT incidents up over 3x since 2018 and on an increasing trajectory;
  • Business Associates now account for 43 percent of all health care breaches, the continuation of a three-year upward trend; and
  • Outpatient facilities and specialty clinics were breached nearly as much as hospitals in H1 2021.

The message is clear: threat actors are shifting their targets to smaller entities that may not have sophisticated security measures in place to defend themselves, and these attacks have been successful. The trend is alarming and deserves the attention of smaller healthcare entities and business associates.