Healthcare Organizations Falling Short on Security Awareness

This month saw the publication of the Security Scorecard 2016 Healthcare Industry Cybersecurity Report which casts light on the general state of healthcare cybersecurity defenses. The report shows the healthcare industry still lags behind other industry sectors with many security vulnerabilities left unaddressed.

For the report, Security Scorecard analyzed security ratings of more than 700 healthcare organizations – including hospitals, health insurance companies, and healthcare manufacturing businesses – between August 2015 and August 2016.

Each organization was rated for its security performance across ten categories, and comparisons were made to other industry sectors. The healthcare industry was below the industry average in six of those categories: DNS health, endpoint security, IP reputation, password exposure, patching cadence, and social engineering. Overall, the healthcare industry ranked 9th for overall security.

The study revealed that 55% of healthcare organizations had a network security score of C or worse, indicating that multiple access points to their networks had been left open and could be exploited by hackers.

The industry rated particularly badly for patching cadence. 47% of healthcare organizations were operating with unpatched vulnerabilities within their network, and 63% of the 27 largest hospitals in the country rated C or worse for patching cadence. Patches had been issued to correct known security vulnerabilities, yet they were not being applied promptly, leaving organizations vulnerable to cyberattacks.

IP Reputation scores were also low, in particular at medical treatment organizations, many of which received a rating of C or worse in this area. Organizations with low IP Reputation scores had legacy infrastructures, a myriad of devices connected to their networks, were not applying security patches promptly, and used older devices with out-of-date software. According to the report, “IP Reputation is one of the most predictive factors in the Security Scorecard platform. Organizations with a C or lower are over three times more likely to suffer a data breach than organizations with a B or higher.”

The introduction of IoT devices has brought many new risks. The rush to use new IoT medical devices has seen them deployed without full security controls in place. This has created many security weak points that could easily be exploited by hackers.

An analysis of healthcare ransomware incidents showed that medical treatment centers were the most heavily targeted: 96% of all ransomware incidents were recorded at medical treatment centers. Healthcare manufacturing rated the worst for malware infections, with 88% of organizations experiencing a malware incident during the study. Overall, 75% of healthcare organizations had been infected with malware in the past year.

Malware and ransomware infections strongly correlated with poor security awareness among employees, which was rated under ‘social engineering’. The healthcare industry stood out from other industry sectors as being particularly poor in this area.

The report suggests the major security weaknesses observed in the healthcare industry “are all signs of a large infrastructure that isn’t keeping up with the increase in devices, connections, and applications that make up an organization’s networks.” While all of these areas must be addressed, the study shows that perhaps the best starting point is improving employees’ security awareness.

As noted in the report, “While healthcare’s IT department may be keeping on top of infrastructure issues such as DNS Health and application security, without proper employee security training, an organization can be highly susceptible to social engineering attacks.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.