While the volume of major health data breaches reported to regulators is declining, a disturbing trend is developing that reflects the vulnerability of critical third parties and the tenacity of cybercriminals, say John Delano, a vice president at healthcare entity Christus Health, and Mike Hamilton, CISO and co-founder of security firm Critical Insight.
“We have fewer breaches, but they are much bigger in nature,” said Delano of the findings in a recent report by Critical Insight analyzing health data breach patterns so far in 2023.
“It would be easy to rest on our laurels saying, ‘the number of breaches are going down so we’re making headway, we’re doing something right.’ But in reality, the number of records breached continues to go up, and that’s a problem,” he said in an interview with Information Security Media Group.
Many of the largest health data breaches so far in 2023 have involved hacking incidents and other issues at HIPAA business associates and related third-party vendors. “I think this shows that the criminals are doing research and targeting to a greater degree than before,” Hamilton said.
“If someone can affect a service provider that provides online access to electronic health records, and that provider serves dozens or hundreds of institutions, it becomes a one-stop shop” for hackers.
In this interview with Information Security Media Group, Hamilton and Delano also discussed:
- A major shift in the “entry point” of most major health data compromises, which now involve network servers;
- Other top findings in Critical Insight’s recent analysis of health data breaches and the outlook for future breach trends;
- Emerging use cases for generative AI in healthcare and the potential security and privacy risks.
Hamilton is co-founder and CISO at security firm Critical Insight. He has 30 years of experience in information security, as a practitioner, consultant, executive and entrepreneur. As former CISO for the city of Seattle, he managed information security policy, strategy and operations for 30 government agencies. Prior to that, he was a managing consultant for VeriSign Global Security Consulting.
Delano is a VP at Christus Health and an experienced CIO working in the hospital and healthcare industry. His previous work includes security leadership roles at AdventHealth, VMware, Cook Children’s Health Care System and Integris.