Cybercriminals seeking to seize sensitive health information are increasingly targeting vulnerable vendors to get around the safeguards healthcare providers, insurers and other entities have erected to protect patient data.
As healthcare organizations more commonly tap third-party vendors to handle business functions, cybersecurity experts warn they’re creating opportunities for hackers. Data breaches of vendors, which fall under the business associate category on the Health and Human Services Department’s Office for Civil Rights breach portal, have grown in number and scale over the past five years.
Through November, there have been 116 reported breaches on business associates that affected 17.7 million patients. These accounted for 17.5% of healthcare breaches but 36.1% of patients whose data were exposed so far this year. Only 40 breaches hit business associates, involving 5.9 million patient’s data, during the same period in 2018.
Hackers view the data vendors possess as a “treasure trove,” said Jeff Krull, a partner who leads the cybersecurity practice at the consulting firm Baker Tilly.