Healthcare industry lacks basic security awareness among staff

SecurityScorecard released a comprehensive analysis exposing cybersecurity vulnerabilities across 700 healthcare organizations including medical treatment facilities, health insurance agencies and healthcare manufacturing companies.

Security breaches in this industry pose devastating consequences because they can render an entire system or network inoperable, creating a life or death situation that needs immediate attention.

Among all industries, healthcare ranks 15th out of 18 in social engineering, suggesting a security awareness problem among healthcare professionals, putting millions of patients at risk. The Verizon Data Breach Report ranks social engineering as the third most common cause for breaches.

“The low social engineering scores among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient,” said Alex Heid, Chief Research Officer at SecurityScorecard. “Security is only as strong as the weakest link, and employees are often the lowest-hanging fruit when it comes to phishing, spear phishing, and other social engineering attacks. For a hacker, it only takes one piece of information such as learning the email structure of an organization to exploit an employee into divulging sensitive information or providing an access point into that organization’s network.”

Another risk is the array of devices with wireless capabilities such as IoT devices, wireless medical devices and tablets, which have paved the way for medical advances benefiting hospitals and patients. However, their speedy delivery and implementation has resulted in subpar security setups.

“As long as these IoT devices are manufactured with poor security standards, the vulnerability doesn’t only lie within the devices themselves, but they also pose a risk to any hospital, treatment center, or individual using the device. If a connected device is hacked into, the device can be forced to malfunction or it can be used as a pathway to reach an organization’s primary network,” continued Mr. Heid.

Key findings

• Over 75% of the entire healthcare industry has been infected with malware over the last year
• 96% of all ransomware targeted medical treatment centers
• Healthcare manufacturing nearly reaches a 90% malware infection rate
• 63% of the 27 biggest US hospitals have a C or lower in patching cadence, which measures an organization’s ability to implement security software patches in a timely fashion
• Healthcare has the 5th highest count of ransomware among all industries
• Over 50% of the healthcare industry has a network security score of a C or lower
• Past-breached healthcare companies still have 242% as many low scores in social engineering compared to non-breached companies.