Cyberattacks on business associates of healthcare organizations have increased to the point where attacks on business associates now outnumber attacks on healthcare providers. In addition to an increase in cyberattacks on third-party suppliers, the impact and destruction caused by those attacks have also increased, according to a recent report from the vendor risk management company, Black Kite.
Each year, Black Kite analyzes the impact of third-party cyberattacks and data breaches and publishes the findings in its Third-Party Breach Reports. For the 2023 report, Black Kite analyzed 63 third-party breaches which affected at least 298 companies, and reports a doubling of the impact and destruction caused by those breaches. In 2021, an average of 2.46 companies were affected by each third-party breach with the number of affected companies increasing to an average of 4.73 per breach in 2022.
The most common root cause of third-party data breaches in 2022 was unauthorized network access, which accounted for 40% of cyberattacks on third parties. Black Kite attributes the increase in these types of intrusions to the continued high numbers of employees working remotely, which introduces vulnerabilities that cybercriminals can exploit. Ransomware continues to be extensively used in cyberattacks on third parties and was involved in 27% of third-party breaches in 2022; however, there was a slight year-over-year decrease in ransomware attacks. Black Kite attributes the decrease to Russian sanctions, which have hampered the ability of Russian cybercriminals to conduct ransomware attacks. 9.5% of breaches were due to unsecured servers, 6.3% of breaches were due to human error, 3.2% were caused by phishing, and 3.2% involved malware.
Other notable findings include an increase in the time taken to notify the companies affected by these breaches, which increased by around 50% year-over-year to an average of 108 days from the date of the attack to the disclosure date. The delay in notifications means cybercriminals are given more time to misuse stolen data, resulting in even greater damage. Technical service vendors were the most targeted third parties, accounting for 30% of all data breaches, followed by vendors of software services and healthcare services. Healthcare organizations were the most common victims of third-party breaches, accounting for 34.9% of third-party incidents in 2022 – up 1% from 2021 – followed by finance (14%), and government (14%).
“Global business ecosystems continue to get more complex, with every organization increasingly impacted by the cybersecurity posture of their partners, and their partners’ partners, and so on,” said Jeffrey Wheatman, Senior Vice President, and Cyber Risk Evangelist at Black Kite. “The reality is your attack surface is much bigger than the stuff you can control. But the good news is, you can assess and monitor your extended ecosystem to spot vulnerabilities, take action and avoid catastrophe.”
The post Healthcare Organizations Most Common Victims in 3rd Party Data Breaches appeared first on HIPAA Journal.