Report: Cybercriminals increasingly targeting outpatient facilities

Researchers found that business associates accounted for about half of breaches reported in the first six months of 2021. A report released Thursday by the cybersecurity firm Critical Insight found that bad actors have begun to shift their healthcare targets. The report used cyberattack data from the first half of 2021 to show that the number of breaches in the beginning of 2021 was higher than any six-month period between 2018 and the first half of 2020.

"Examining breaches caused by hacking reveals something unexpected – attackers breached outpatient facilities and specialty clinics nearly as much as hospitals," read the report.

Hospital data breaches have made headlines over the past year, with some recent incidents putting hundreds of thousands of records at risk. However, the report notes that non-hospital facilities have also been victimized.

"While it may be tempting to think that clinics do not require the same level of cybersecurity diligence as large healthcare systems, that idea is mistaken," wrote the CI team in the report.

"Attackers look for the easiest target; if that target is a mental health clinic, that is what they will go after," they continued.

Smaller organizations run the same systems and use the same technology as hospital systems, the report notes – but they also typically have less money to spend on security. For similar reasons, hackers have also focused on business associates, exploiting security gaps in order to steal sensitive data.

"The proportion of business associates impacted by hacking-related breaches has increased with time, standing at roughly half of the breaches reported during the first half of 2021," said the report.

The CI team found that the number of attacks reported to the U.S. Department of Health and Human Services in the first half of 2021 was roughly 77% higher than the same time period in 2018. Many of the attacks involve phishing, ransomware and vulnerable software exploitation.

The team says organizations must prioritize several key areas in order to respond:

  • Assess third-party risk
  • Regularly review business associate agreements
  • Develop a ransomware prevention and response plan
  • Implement strong access controls
  • Practice basic security hygiene

"The healthcare industry is a target-rich crucible of remote workers, medical devices running outdated software, and third-party vendors with access to sensitive information," wrote the team.

"Managing risk in an era of digital transformation comes with a mandate to review their security policies and controls and adjust to a complex threat landscape," they added.
A particularly challenging aspect of third-party breaches is their ripple effect: attacks on business associates are rarely confined to patient data at just one facility. For instance, a cyberattack on the healthcare administrative-service provider CaptureRx in February exposed patient information from at least five provider systems. And a breach at the radiation treatment software company Elekta impacted dozens of hospitals and health systems across the country.