As hospital systems become more hardened to cyber-attacks, cyber criminals are focusing their efforts on smaller providers, such as outpatient clinics, specialty clinics and business associates, according to a report by Critical Insight.

The report states that “Data on cyber-attacks from the first half of 2021 shows criminals are changing targets within the healthcare ecosystem, with breaches increasing for outpatient facilities and business associates. The data also shows some long-term trends continuing, with overall attacks on an upward trend.”

Analyzing data on the Department of Health and Human Services’s breach reporting website, the report states that “more than 70% of the breaches reported during the first six months of 2021 were classified as a ‘hacking/IT incident’…. Outpatient facilities, including family medicine and specialty clinics, were a common source of data breaches, and business associates were heavily targeted as well.”

Key findings of the report show:

  • Breaches up nearly 2x since 2018 and on an increasing trajectory;
  • Increase in breaches attributed to hacking/IT incidents, with the number of hacking/IT incidents up over 3x since 2018 and on an increasing trajectory;
  • Business Associates now account for 43 percent of all health care breaches, the continuation of a three-year upward trend; and
  • Outpatient facilities and specialty clinics were breached nearly as much as hospitals in H1 2021.

The message is clear: threat actors are shifting their targets to smaller entities that may not have sophisticated security measures in place to defend themselves, and these attacks have been successful. The trend is alarming and deserves the attention of smaller healthcare entities and business associates.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.