Healthcare Scores a B for Cybersecurity
SecurityScorecard has given the U.S. healthcare industry a B+ rating for cybersecurity for the first half of 2024 with the industry performing better than expected, despite major breaches being reported, including what could turn out to be the mother of all healthcare breaches – the ransomware attack on Change Healthcare that could potentially affect 1 in 3 Americans.
As the researchers pointed out, a cyberattack on a large healthcare organization has the potential to cripple the entire healthcare system, as the ransomware attack on Change Healthcare demonstrated. Given the magnitude of the attack and the extent of the disruption caused, SecurityScorecard’s STRIKE threat intelligence team sought to identify overall cyber hygiene at large healthcare organizations and the biggest security risks that those organizations face.
SecurityScorecard’s researchers examined the security ratings at the top 500 publicly traded healthcare companies in the United States, including healthcare providers, pharma and biotech firms, insurance and billing companies, and medical device manufacturers and suppliers. To achieve an A rating, companies must achieve a security score of 90-100, a B rating is given for a score of 80-89, and the lowest rating of F is given to companies with a security score below 60. The healthcare companies assessed for the study had a mean security score of 88 and a median security score of 89.
The B+ score for healthcare is respectable, especially since the healthcare industry has long had a reputation for substandard security. The score was higher than the average score of 86 across all 12 million organizations in SecurityScorecard's platform; however, a respectable security score does not mean a company is well protected against cyberattacks and data breaches. Companies with a B rating are 2.9x more likely to be a victim of a data breach than a company with a strong A rating.
Medical device manufacturers and vendors of medical equipment and supplies had the lowest security scores in the healthcare sector, scoring 2-3 points less than the average score for healthcare. Companies in this cohort had a 16% higher rate of data breaches and compromised devices than other cohorts in the sector. The researchers attributed the lower security scores to the size of the attack surface, which may be closer to non-healthcare manufacturers than other healthcare organizations.
The researchers found that large companies were able to avoid breaches despite the increased threat level, with only 5% of the sample having a publicly reported breach in the past year and 6% having evidence of a compromised machine on their network within the past 30 days. The researchers identified areas where companies performed well and the weaknesses that reduced their security scores. The main factor that lowered security ratings was application security, with 48% of assessed companies having their lowest security scores in this area. Many different application security issues were identified; however, while application security issues lowered security scores to the greatest degree, the risks were generally only of low or medium severity.
DNS health (24%) and network security (19%) were the next most common areas where scores were reduced. The most common score-reducing factors in DNS health were Sender Policy Framework (SPF) issues: the non-optimal use of SPF "soft fails", which allow suspicious emails through to spam folders or inboxes, and the absence of any SPF record. The main network security issue was the use of weak SSL/TLS encryption protocols. While endpoint security was the area in which companies least often scored lowest, security risks in this area tend to have a much greater negative impact than the other security factors. The most common endpoint security issue was the use of outdated web browsers.
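The SPF findings above (soft fails and missing records) are the kind of check a DNS-health audit performs on a domain's TXT records. The following is an added example, not code from SecurityScorecard or HIPAA Journal: it classifies a domain's SPF policy from its TXT records, distinguishing a missing record, multiple records (a permanent error under RFC 7208), a soft fail (`~all`), a neutral or absent `all` mechanism, and a hard fail (`-all`). The domain names and TXT records are constructed sample data, not real lookups.

```python
"""Classify SPF policies the way a DNS-health check would.

Added example (not from the SecurityScorecard report or the article).
Input is the list of TXT records a domain publishes; output is a label
describing how the domain handles mail from unlisted senders.
"""
import re

# Constructed sample TXT records keyed by domain (not real DNS lookups).
SAMPLE_TXT = {
    "hardfail.example": ["v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"],
    "softfail.example": ["v=spf1 include:_spf.example.net ~all"],
    "neutral.example": ["v=spf1 ip4:198.51.100.7 ?all"],
    "noall.example": ["v=spf1 ip4:198.51.100.7"],
    "redirect.example": ["v=spf1 redirect=_spf.example.net"],
    "nospf.example": ["site-verification=abc123"],
    "multi.example": ["v=spf1 -all", "v=spf1 ~all"],
}

# Qualifier on the "all" mechanism -> what happens to unlisted senders.
ALL_QUALIFIERS = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass-all"}

# Labels mapped to the severity a defender would assign to the finding.
SEVERITY = {
    "missing": "high",           # anyone can send as the domain, receivers have no policy
    "pass-all": "high",          # explicitly authorises every sender
    "invalid-multiple": "high",  # RFC 7208 s.3.2: receivers treat this as permerror
    "no-all": "medium",          # no "all" term: receivers default to neutral
    "neutral": "medium",         # "?all": unlisted senders are neither passed nor failed
    "softfail": "low",           # "~all": mail is accepted but marked, often to spam
    "redirect": "info",          # policy delegated; evaluate the redirect target
    "hardfail": "none",          # "-all": unlisted senders are rejected
}


def classify_spf(txt_records):
    """Return a policy label for the SPF record among a domain's TXT records."""
    spf = [r.strip() for r in txt_records
           if re.match(r"v=spf1(\s|$)", r.strip(), re.IGNORECASE)]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid-multiple"
    terms = spf[0].split()[1:]
    for term in terms:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            # A bare "all" carries the implicit "+" qualifier.
            return ALL_QUALIFIERS[m.group(1) or "+"]
    if any(t.lower().startswith("redirect=") for t in terms):
        return "redirect"
    return "no-all"


def audit(domains_txt):
    """Map each domain to (policy label, severity) for reporting."""
    return {domain: (classify_spf(records), SEVERITY[classify_spf(records)])
            for domain, records in domains_txt.items()}


if __name__ == "__main__":
    for domain, (label, severity) in audit(SAMPLE_TXT).items():
        print(f"{domain:20} {label:17} severity={severity}")
```

In a real audit the TXT records would come from a resolver query for each domain in the vendor inventory; the labels `softfail` and `missing` correspond to the two SPF findings the report calls out.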
An earlier report from SecurityScorecard found that healthcare outpaces all other sectors for third-party data breaches which is due to the high number of vendors used in healthcare. The massive campaign by the Clop group that exploited a vulnerability in the MOVEit file transfer software solution affected many healthcare providers directly or indirectly through attacks on their vendors.
SecurityScorecard made several recommendations for the sector to improve security. Third-party risk management is one of the most important areas due to the number of vendors used. In addition to keeping track of all vendors, cyber risk should be evaluated, which can be a major challenge. The researchers also recommend explaining to patients why third-party vendors are used, as patients are generally unaware of the degree to which their data is shared with third-party vendors. Since medical device manufacturers and vendors scored lowest, these vendors warrant greater scrutiny from the third-party risk management (TPRM)/vendor risk management (VRM) teams.
A broad range of application security issues was identified, many of them relating to public-facing websites, so that is a good place to start improving application security; endpoint security should be improved by enforcing frequent web browser updates. The researchers recommend not paying ransoms in ransomware attacks, since ransomware actors cannot be trusted, but also warn of the risk of negotiating with the groups, as this can be seen as a sign of vulnerability or responsiveness to extortion.