The U.S. healthcare industry ranks 15th in cybersecurity health compared with 17 other major industries, according to an analysis by SecurityScorecard.
The poor ranking shows the challenges that many organizations in the healthcare industry face when compared with other industries, including the legal, financial and information services fields, which also typically collect information that is highly valuable and personally identifiable.
The analysis from the security-risk benchmarking firm shows that poor endpoint security, software patching flaws and susceptibility to social engineering attacks make the healthcare industry one of the lowest-performing industries when it comes to protecting data.
Healthcare records contain some of the most detailed personal information available, and healthcare organizations are not doing enough to protect it, according to the report. A recent Futurum article stated that the current rate paid on the dark web for a health record ranges from $3 to $100 per record, depending on the depth of information.
Patching security flaws
The report noted that because a breach can result in thousands of compromised patient records, hackers stand to make a substantial amount of money by selling this information to criminal syndicates.
SecurityScorecard stated that, in addition to lost revenue, organizations that lack adequate cybersecurity capabilities also face hefty fines from regulators, as well as lawsuits and damaged reputation.
The most common cybersecurity issues in the industry, according to the report, relate to poor software patching cadence, which refers to how quickly an organization updates its software once a vendor releases patches.
Companies often choose to delay implementing patches because doing so requires coordinating system downtime and allocating IT resources. That delay leaves them vulnerable to hackers, who can study publicly released patches and take advantage of the gap in security between a patch's release and its installation.
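Patching cadence, as the report defines it, can be measured directly: the time between a vendor's release of a patch and its installation on each host, with any host still unpatched counted as an open exposure window. The following is an added illustration, not code from the report or from SecurityScorecard; the host names, patch ids, dates and 14-day service level are constructed for the example.

```python
"""Patching-cadence metric over a constructed host inventory."""
from datetime import date
from statistics import median

# Constructed sample records: (host, patch_id, vendor_release, installed).
# installed is None when the patch has not yet been applied.
AS_OF = date(2018, 2, 1)  # constructed reporting date
INVENTORY = [
    ("ehr-app-01",      "PATCH-A", date(2018, 1, 2), date(2018, 1, 5)),
    ("ehr-app-02",      "PATCH-A", date(2018, 1, 2), date(2018, 1, 20)),
    ("imaging-ws-07",   "PATCH-A", date(2018, 1, 2), None),
    ("ehr-db-01",       "PATCH-B", date(2018, 1, 9), date(2018, 1, 12)),
    ("imaging-ws-07",   "PATCH-B", date(2018, 1, 9), None),
    ("reception-pc-03", "PATCH-B", date(2018, 1, 9), date(2018, 1, 30)),
]


def exposure_days(release, installed, as_of=AS_OF):
    """Days a host was exposed: release to install, or release to now if still open."""
    end = installed if installed is not None else as_of
    return (end - release).days


def cadence_report(inventory, sla_days=14, as_of=AS_OF):
    """Summarise how quickly patches were applied after vendor release.

    Returns the median days-to-patch over applied patches, the percentage of
    all host/patch pairs closed within the SLA, and the still-open exposures
    sorted with the longest-standing first (the highest-risk items).
    """
    applied = [exposure_days(r, i, as_of) for _, _, r, i in inventory if i is not None]
    within_sla = sum(1 for d in applied if d <= sla_days)
    open_items = [(h, p, exposure_days(r, None, as_of))
                  for h, p, r, i in inventory if i is None]
    return {
        "median_days_to_patch": median(applied) if applied else None,
        "pct_within_sla": round(100 * within_sla / len(inventory)),
        "open": sorted(open_items, key=lambda item: item[2], reverse=True),
    }


if __name__ == "__main__":
    report = cadence_report(INVENTORY)
    print(f"median days to patch: {report['median_days_to_patch']}")
    print(f"host/patch pairs closed within SLA: {report['pct_within_sla']}%")
    for host, patch, days in report["open"]:
        print(f"OPEN {host} {patch}: exposed {days} days")
```

The same shape of report, fed from a real asset inventory and vendor advisory dates, gives a defender a trend line for cadence and a ranked list of the longest-open exposures to close first.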
Securing endpoints can also be a major challenge for healthcare providers, because large healthcare organizations normally have thousands of endpoints, while small and medium-sized entities struggle to properly monitor and maintain their endpoints due to a lack of resources.
Endpoint security refers to protecting corporate networks when they are being accessed through remote devices such as laptops or other wireless and mobile devices.
The report stated that growth in devices connected to the internet of things, or IoT, smartphones and tablets can add to this problem and make it very difficult for centralized IT departments to properly secure devices on their network. SecurityScorecard believes that adding to the problem is the ability of these devices to store patient data and act as the gateway to databases and other systems that contain electronic protected health information, or ePHI.
SecurityScorecard's analysis noted that the healthcare industry ranks third from the bottom compared with other sectors in terms of social engineering.
Hackers often use social media and other public sources to identify human targets who can be easily exploited. Spoofing and phishing are some of the most common types of attacks that use social engineering tactics, relying on tricking unsuspecting employees into revealing information via malicious websites, email or over the phone.
Additionally, hackers use social engineering to deploy malware on a network, often by tricking an employee into opening an email containing a malicious program.
No 'silver bullet' solution
Jasson Casey, chief technology officer of SecurityScorecard, said in a statement that the ransomware attacks and data breaches in 2017 took a toll on the overall cybersecurity confidence in healthcare organizations.
"It's no surprise that our research team found healthcare organizations are behind in proper network and endpoint security protocols," Casey said.
The healthcare industry faces "a unique set of circumstances" that puts organizations, providers and patients at risk, SecurityScorecard's report said.
The security research firm believes that no "silver bullet" solution exists and that maintaining best practices and proper IT hygiene can prevent most breaches from occurring. But SecurityScorecard noted that many healthcare organizations have been unable to develop either the cybersecurity capabilities or the muscle memory to defend ePHI and other data from hackers.