Through compliance with HIPAA, healthcare organizations have achieved a baseline standard of security, but there is still plenty of room for improvement and healthcare cybersecurity is at best mediocre.
Security Scorecard has ranked the healthcare industry 8th out of the 18 industry sectors for cybersecurity. The findings have been detailed in its 2019 Healthcare Cybersecurity Report.
The worst aspects of security for the healthcare industry were DNS health and endpoint security, where the industry ranked 13th and 12th respectively.
Without proper DNS security controls, attackers who obtain credentials for a registrar or DNS-hosting account can alter a domain's records (for example its A, MX or NS entries) and route web or mail traffic to infrastructure they control, where login credentials can be harvested. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about this attack method in January 2019.
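One control against the record-tampering attack described above is to keep a trusted baseline of the organization's public DNS records and diff every fresh snapshot against it, ranking changes by what they let an attacker do. The following is an added example written for this article, not code from Security Scorecard or from the CISA warning. The domain, nameservers and addresses are constructed (RFC 2606 and RFC 5737 documentation names and ranges), and the `OWNED_NETWORKS` list stands in for whatever address space a real organization announces; in production the "current" snapshot would be gathered by querying the authoritative servers and the registrar's zone export.

```python
"""Baseline-drift check for an organization's public DNS records.

Added example; the domain, addresses and nameservers are constructed
(RFC 2606 / RFC 5737 documentation names and ranges), not real data.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# A record set: (owner name, record type) -> set of record data strings.
RecordSet = Dict[Tuple[str, str], Set[str]]

# Constructed trusted baseline for a fictional hospital domain.
BASELINE: RecordSet = {
    ("example-hospital.test", "NS"): {"ns1.example-hospital.test.", "ns2.example-hospital.test."},
    ("example-hospital.test", "MX"): {"10 mail.example-hospital.test."},
    ("portal.example-hospital.test", "A"): {"203.0.113.10"},
}

# Constructed snapshot showing the pattern CISA warned about in January 2019:
# delegation moved to attacker-run nameservers and the patient portal pointed
# at an address outside the organization's own ranges.
TAMPERED: RecordSet = {
    ("example-hospital.test", "NS"): {"ns1.attacker.example.", "ns2.attacker.example."},
    ("example-hospital.test", "MX"): {"10 mail.example-hospital.test."},
    ("portal.example-hospital.test", "A"): {"198.51.100.77"},
}

# Address space the organization legitimately uses (assumption for the example).
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def ip_is_owned(addr: str) -> bool:
    """True if addr falls inside one of the organization's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWNED_NETWORKS)


def classify(rtype: str, old: Set[str], new: Set[str]) -> str:
    """Severity of a changed record set.

    NS changes are worst: whoever controls delegation controls every record
    below it and can pass domain validation to obtain TLS certificates.
    """
    if rtype == "NS":
        return "critical"
    if rtype == "A" and any(not ip_is_owned(a) for a in new - old):
        return "high"      # traffic redirected to foreign infrastructure
    if rtype == "MX":
        return "high"      # mail interception, password-reset capture
    return "medium"        # change inside owned space: verify against change tickets


def diff_records(baseline: RecordSet, current: RecordSet) -> List[dict]:
    """Return one finding per (name, type) whose record data differs."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old = baseline.get(key, set())
        new = current.get(key, set())
        if old == new:
            continue
        name, rtype = key
        findings.append({
            "name": name,
            "type": rtype,
            "removed": sorted(old - new),
            "added": sorted(new - old),
            "severity": classify(rtype, old, new),
        })
    return findings


if __name__ == "__main__":
    for f in diff_records(BASELINE, TAMPERED):
        print(f"[{f['severity'].upper()}] {f['type']} {f['name']}: "
              f"-{f['removed']} +{f['added']}")
```

Run against the constructed snapshot, the check reports the NS delegation change as critical and the portal's move to a foreign address as high, while an A record that moves within the organization's own prefix is only flagged for confirmation. The severity tiers matter operationally: a delegation change should page someone immediately, because every record below it, including the ones this check reads, is now under the attacker's control.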
Endpoint security is another major concern. Healthcare employees access clinical networks from a wide range of device types, and many organizations struggle to manage the risk that introduces. Security Scorecard cites the 2018 HIMSS Cybersecurity Report, in which 27.5% of the healthcare respondents said there were too many endpoints in use, which was seen as one of the biggest barriers to remediating and mitigating cybersecurity incidents.
The one area of apparent strength is network security, where the healthcare industry ranked 5th out of 18. That score is not as reassuring as it first appears. It reflects what can be observed from outside: organizations are filtering traffic at the perimeter with firewalls and limiting the services they expose to the internet. It says little about how well access to devices and data is controlled once an attacker is past that perimeter.
Security Scorecard notes that the combination of a strong network security score and a weak endpoint security score suggests the healthcare industry has adopted an “eggshell security model”: hard perimeter controls defending a soft, vulnerable internal network. Once the shell is breached, insufficient controls remain to limit the harm an intruder can do.
The remaining factors assessed for the report were application security and patching cadence, where healthcare ranked 8th and 10th of 18 respectively, both mediocre. The application security position is middling rather than poor, but Security Scorecard warned that the sheer number of applications in use in healthcare creates many exploitable attack vectors, and that the growing use of networked medical devices could be putting data at risk.
Known vulnerabilities are patched relatively slowly. Patches are deferred to avoid downtime on systems and applications and because testing and deploying them consumes staff time and system resources. Every such delay extends the window of exposure: exploitation of newly disclosed vulnerabilities often begins within days of a patch being released, once the fix has been analysed to locate the flaw it corrects.
“The risk of ePHI exposure and unauthorized access is an increasing trend year after year,” said Fouad Khalil, VP of Compliance at Security Scorecard. “Healthcare organizations must adopt continuous assurance practices to maintain compliance and adequately protect data… Poor cybersecurity practices cannot be taken lightly.”