Health sector hit hardest by tech breaches

Sheila Zabeu - February 06, 2023

Healthcare was the most common victim of third-party breaches, accounting for nearly 35% of incidents in 2022, followed by finance (14%) and government (14%). According to Black Kite’s annual third-party breach study, last year attackers exploited vulnerabilities in members of global business ecosystems to destructive effect. While the number of breaches decreased slightly, their magnitude increased greatly. And in 2023, “cybercriminals certainly intend to kill more birds with one stone,” the research says. Because of the Covid-19 pandemic, the movement of data between healthcare institutions has increased significantly in recent years, drawing the attention of cybercriminals.

Strict sanctions worldwide for breaches of patient health information have drawn attackers’ attention even further. Coupled with this, insufficient budgets, personal data shared remotely between patients and telehealth systems, and outdated software have opened up more avenues for network intrusion and access to critical data, making healthcare the preferred target of cyberattacks in 2022.

Not surprisingly, technology solution providers are the “third parties” that pose the greatest breach risk. Attackers can find vulnerabilities in software or tamper with its code to facilitate supply chain attacks. Furthermore, customer organizations trust that the solutions they use are secure and fail to check for the presence of any vulnerabilities, perpetuating threats along digital supply chains.

[Figure: Report Black Kite 1] Source: Black Kite

“Global business ecosystems are becoming more complex, contributing to organizations being increasingly impacted by the cybersecurity posture of partners, the partners of partners and so on. The reality is that the attack surfaces are much larger than we can control. The good news is that we can assess and monitor the extended ecosystem to identify vulnerabilities, act quickly and avoid catastrophe,” said Jeffrey Wheatman, cyber risk evangelist at Black Kite, the company that conducted the annual third-party breach study.

Overall, across all industries surveyed, the number of breaches generated by third parties fell compared to 2021, but the individual effect of each breach almost doubled. While the average number of companies affected by a single breach was 2.46 in 2021 (not counting the vendor itself), that number increased to 4.73 in 2022. These figures cover only companies that publicly disclosed the impact; there are also aggregate counts for which company names were not disclosed, meaning the true total is much higher.

One possible conclusion is that attackers are conducting smarter attacks, targeting more victims per attack. Therefore, because of the greater impact of each third-party generated breach, the study highlights that it is important to understand suppliers’ cyber posture to avoid cascading risks. Cascading risk is the domino effect that occurs when a supplier in the digital supply chain exposes itself to risk and thereby compromises the other partners connected to it through the ecosystem.
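As an added illustration of the cascading-risk idea (this is not code from the article or from Black Kite), the following Python models a digital supply chain as a dependency graph and computes how far a single vendor compromise can propagate, counting affected organisations without the vendor itself, as the study's per-breach averages do. The organisation names and dependency edges are constructed sample data.

```python
"""Transitive exposure from one compromised vendor in a supply-chain graph.

Added example; not code from the article or Black Kite. An edge A -> B means
organisation B depends on A (consumes its software or service), so a
compromise of A can cascade to B, to B's dependants, and so on.
"""
from collections import deque

# Constructed sample ecosystem with hypothetical organisation names.
DEPENDENCY_GRAPH = {
    "ehr-vendor": ["hospital-a", "hospital-b", "billing-svc"],
    "billing-svc": ["clinic-c", "insurer-d"],
    "insurer-d": ["broker-e"],
    "hospital-a": [],
    "hospital-b": ["lab-f"],
    "clinic-c": [],
    "broker-e": [],
    "lab-f": [],
    "unrelated-saas": ["hospital-a"],
}


def downstream_exposure(graph, compromised):
    """Return {organisation: hops} for everything reachable from `compromised`.

    Breadth-first search records the shortest dependency distance, so hop 1 is
    a direct customer (third party) and hop 2+ is a partner of a partner.
    The compromised vendor itself is excluded from the result, matching the
    article's convention of not counting the vendor among affected companies.
    Visited tracking also keeps the search finite if the graph has cycles.
    """
    hops = {compromised: 0}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for dependant in graph.get(node, []):
            if dependant not in hops:
                hops[dependant] = hops[node] + 1
                queue.append(dependant)
    del hops[compromised]
    return hops


def blast_radius(graph, compromised):
    """Number of organisations a compromise of `compromised` would cascade to."""
    return len(downstream_exposure(graph, compromised))


def nth_party_breakdown(graph, compromised):
    """Split exposure into direct customers versus partners-of-partners."""
    exposure = downstream_exposure(graph, compromised)
    direct = sum(1 for h in exposure.values() if h == 1)
    return direct, len(exposure) - direct


def most_critical_vendors(graph, top_n=3):
    """Rank graph nodes by blast radius; a simple way to prioritise which
    suppliers' cyber posture deserves the closest monitoring."""
    ranked = sorted(graph, key=lambda v: blast_radius(graph, v), reverse=True)
    return [(v, blast_radius(graph, v)) for v in ranked[:top_n]]


if __name__ == "__main__":
    for org, hop in sorted(downstream_exposure(DEPENDENCY_GRAPH, "ehr-vendor").items(),
                           key=lambda kv: kv[1]):
        print(f"{org:15s} reached at hop {hop}")
    print("blast radius:", blast_radius(DEPENDENCY_GRAPH, "ehr-vendor"))
    print("direct / indirect:", nth_party_breakdown(DEPENDENCY_GRAPH, "ehr-vendor"))
    print("most critical vendors:", most_critical_vendors(DEPENDENCY_GRAPH))
```

In the sample graph a compromise of `ehr-vendor` reaches seven organisations: three direct customers and four that never contracted with the vendor at all. Ranking nodes by blast radius is the point of the exercise: the vendors worth assessing first are not necessarily the ones an organisation contracts with directly, but the ones whose compromise would cascade furthest.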

[Figure: Report Black Kite 2] Source: Black Kite

The Black Kite study also identified the top causes of third-party breaches in 2022. Knowing the initial vector of a breach is always important for understanding how attacks unfold. Unauthorized network access was the most common vector in 2022, accounting for 40% of third-party breaches over the year, up 25% from 2021. According to the study, this type of access is usually obtained through social engineering, mainly phishing, but also via credential theft, access control vulnerabilities, or a combination of these factors. Ransomware was the second most frequent cause, accounting for 27% of third-party breaches, though down from 2021. Unsecured servers and databases ranked third, accounting for 10% of breaches.

It usually takes a long time for a breach to be reported. The average time to disclose an attack was 108 days in 2022, 50% longer than in 2021. This figure is based on third-party incidents for which who was attacked, what happened, and when it occurred were disclosed transparently. Black Kite began monitoring this statistic in 2021, and the immediate conclusion is that it is getting worse.