HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Security Scorecard Gives Government and Healthcare Poor Marks for Security Posture
Security Scorecard has released the findings of its 2017 U.S. State and Federal Government Cybersecurity study. The study assesses the cybersecurity posture of 17 industries, ranking them based on their security scores in ten categories.

This year, the U.S. Government performed poorly again for cybersecurity, registering the third lowest overall score out of any sector. Only the telecommunications and education sectors performed worse. The pharmaceutical industry didn’t fare much better and was ranked fourth from bottom. The healthcare industry was in 13th place, 6th from bottom. The list was topped by the food industry, followed by entertainment in second and retail in third place.

There is some good news for the U.S. government. Last year, the government was rooted to the bottom of the list. Improvements have been made, although the U.S. government is still struggling to improve its security posture and still has serious network infrastructure weaknesses and vulnerabilities.


In theory, smaller government organizations should fare better as they have a smaller attack surface to defend, although that did not prove to be the case. Smaller agencies typically have smaller budgets and do not tend to have staff dedicated to cybersecurity. The main areas where smaller organizations performed poorly were patching cadence and DNS health. For medium-sized agencies the problem areas were also DNS health and patching cadence, along with a relatively poor rating for network security.

Larger organizations such as the IRS, Congressional Budget Office and the FTC performed well in all categories, although the City of Indianapolis, the Federal Deposit Insurance Corporation and the Central Intelligence Agency performed poorly, with the latter the worst of all agencies for security posture.

Overall, the government was among the bottom performers for network security, application security, leaked credentials, patching cadence, IP reputation, and was second from bottom for endpoint security. Unsurprisingly, the government was bottom for hacker chatter – an assessment of the speed at which vulnerabilities are communicated on hacker forums and social media networks.

The government ranked second overall for DNS health, third for protections against social engineering attacks and second for cubit score. Cubit score is an assessment of administrative portals and subdomains that are publicly viewable.

The report shows the government has a long way to go to improve its security posture, but how did the healthcare industry fare? The healthcare industry has also struggled with cybersecurity in the past, although the situation has been improving thanks to increased investment.

Security Scorecard rated the healthcare industry among the bottom performers for network security, application security, leaked credentials, patching cadence, and IP reputation. The healthcare industry was third from bottom on endpoint security and susceptibility to social engineering attacks. The healthcare industry made the top half of the list for cubit score and DNS health and ranked particularly well for hacker chatter. The report shows the situation is improving, but there is still a long way to go to bring security up to reasonable standards.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.