Healthcare Informatics Magazine | Health IT | Information Technology

Report: Healthcare Cybersecurity Ranks 13th Out of 18 Industries

August 29, 2017
by Heather Landi

The healthcare industry ranks among the lowest performing industries in the area of cybersecurity, according to the 2017 U.S. State and Federal Government Cybersecurity Report.

In August 2017, SecurityScorecard surveyed 18 industries, including transportation, retail, healthcare and government organizations, to grade the security postures of these industries. The report specifically looks at government organizations, by analyzing and grading the current security postures of 552 local, state, and federal government organizations, each with more than 100 public-facing IP addresses, to determine the strongest and weakest security standards based on security hygiene and security reaction time compared to their peers. Across all industries surveyed by SecurityScorecard, government organizations received one of the lowest security scores, with an overall ranking of 16th out of 18.

As far as overall industry rankings, food, entertainment and retail industries ranked the highest as top performers, and education ranked the lowest. Healthcare ranked at 13th out of 18, with a score of 86.5. As a comparison, the food industry received a grade of 89, and education received a grade of 84.

“Compared to last year, government has moved from the lowest performing industry, past telecommunications and education. However, this relative improvement still leaves government agencies as the third lowest performing industry when compared to the cybersecurity of 17 other major industries,” the report authors wrote.

The study also examined industries by their network security. SecurityScorecard identified potential vulnerabilities in network security by identifying open ports on an organization’s network that are exposed to the Internet, and by examining whether or not an organization follows best practices such as staying up to date with current protocols, or securing network endpoints so that external access to internal systems is minimized, according to the study.

The study found that healthcare falls among the bottom performers in the category of network security, ranked 11th out of 18. The study authors noted that low scores typically indicate that the organization has an open port that makes it susceptible to attack; for example, the WannaCry attack propagated through port 445. “An insecure network is one of the easiest ways for a hacker to obtain access to sensitive data. Examples of network security hacks include exploiting vulnerabilities such as open access points, insecure or misconfigured SSL certificates, or database vulnerabilities and security holes that can stem from the lack of proper security measures. Once a hacker is inside the organization’s network, digital assets can be compromised or stolen outright, throwing operations into chaos,” the study authors wrote.

Looking at application security, healthcare ranked slightly better, at 9th out of 18. The study authors note that a strong score in this area indicates that organizations are likely using web application firewalls, which often protect against DDoS attacks and the OWASP Top 10. Weaker scores in this category indicate that old websites, PHP applications, and the like, carrying multiple Common Vulnerabilities and Exposures (CVEs), are still in use and are open to the OWASP Top 10 Most Critical Web Application Security Risks.

The study also ranked industries by Cubit Score. The Cubit module reveals which administrative portals or subdomains are publicly viewable, which provides a potential access point to an organization’s internal network. In the Cubit Score category, healthcare ranked 7th, among the top performers. Government ranked 2nd, after the legal industry. “These strong scores typically indicate that portals are not available to the public without some kind of secure Virtual Private Network (VPN) or whitelist and can also indicate the use of some kind of two-factor authentication,” the study authors wrote.

Industries also were ranked by Leaked Credentials, or the likelihood that an organization will succumb to a security incident due to leaked information, and healthcare ranked 9th. Low performance in this category can indicate: 1) that employees are using corporate emails for non-work purposes and 2) that passwords are being reused, the study authors wrote.

The study also ranked industries by their patching cadence. The study authors noted that diligently patching operating systems, services, applications, software and hardware in a timely manner is necessary to keep hackers at bay. “If a hacker knows that a company has a slow patching cadence, then the hacker can wait for a newly disclosed vulnerability, build a payload, and exploit the vulnerability in less time than it takes for that organization to apply a patch,” the study authors wrote.

Healthcare ranked 10th in the category of patching cadence.

Healthcare also scored among the bottom performers in the area of social engineering, ranking 16th out of 18. Nonprofits ranked the highest along with technology and government. The study authors note that social engineering attacks are much more behavioral in nature than technical, which makes them difficult to defend against. SecurityScorecard identified multiple factors related to social engineering such as employees using corporate account information in social networks, employees exposing an organization to phishing attacks and spam, and employees posting negative reviews of the business to social platforms.

Looking at other areas of cybersecurity, healthcare again ranked low, at 16th, in the category of Endpoint Security, and ranked 14th in the area of IP Reputation. In the area of Domain Name System (DNS) Health, healthcare ranked among the top performers, at 6th. According to the study authors, a strong score indicates that these organizations are following good practices, such as ensuring proper configurations and employing other measures to protect DNS health.
