Most Common Security Weaknesses in Healthcare Identified

Share this article on:

The most common security weaknesses in healthcare have been identified by Clearwater. Clearwater analyzed data from IRM analyses conducted over the past six years. Millions of risk records were assessed from hospitals, Integrated Delivery Networks, and business associates of those entities to identify the most common security vulnerabilities in healthcare.

The analysis revealed almost 37% of high and critical risks were in three areas:

  • User authentication
  • Endpoint leakage
  • Excessive user permissions

The most common security weaknesses in healthcare were deficiencies in user authentication. These are failures to correctly authenticate users and verify the level of access that users should have to an organization’s resources. These deficiencies include the use of default passwords and generic user IDs, writing down passwords and posting them on computer monitors or hiding them under keyboards, and the transmission of user credentials via email in plain text.

User authentication deficiencies were most commonly associated with servers and SaaS solutions. Clearwater also notes that more than 90% of healthcare organizations said they had password/token management policies and procedures, but in many cases the technical implementation of procedures was found to be lacking.

Clearwater recommends enforcing the use of strong passwords, enabling single sign-on, and implementing rate limiting to lock accounts after a set number of failed login attempts. Of the organizations that had user authentication deficiencies, 84.4% had deficiencies in password requirements, 52.2% failed to implement single sign-on, and 40.4% had not implemented rate limiting.

The cybersecurity best practice of limiting the use of admin accounts and restricting the systems and data that end users can access was often not adopted by healthcare organizations.

The failure to restrict access to drives and networks not required by users to perform their work duties increases risk. By restricting user permissions, if credentials are compromised, the damage that can be caused will be restricted. Healthcare organizations should adopt the principle of least privilege and should only give users access to data and networks that they require to perform their work duties.

Author: HIPAA Journal

Share This Post On