The healthcare industry ranks among the lowest performing industries in the area of cybersecurity, according to the 2017 U.S. State and Federal Government Cybersecurity Report.
In August 2017, SecurityScorecard surveyed 18 industries, including transportation, retail, healthcare and government organizations, to grade the security postures of these industries. The report specifically looks at government organizations, by analyzing and grading the current security postures of 552 local, state, and federal government organizations, each with more than 100 public-facing IP addresses, to determine the strongest and weakest security standards based on security hygiene and security reaction time compared to their peers. Across all industries surveyed by SecurityScorecard, government organizations received one of the lowest security scores, with an overall ranking of 16th out of 18.
In the overall industry rankings, the food, entertainment and retail industries were the top performers, and education ranked the lowest. Healthcare ranked 13th out of 18, with a score of 86.5. As a comparison, the food industry received a grade of 89, and education received a grade of 84.
“Compared to last year, government has moved from the lowest performing industry, past telecommunications and education. However, this relative improvement still leaves government agencies as the third lowest performing industry when compared to the cybersecurity of 17 other major industries,” the report authors wrote.
The study also examined industries by their network security. SecurityScorecard identified potential vulnerabilities in network security by identifying open ports on an organization’s network that are exposed to the Internet and by examining whether or not an organization uses best practices, such as staying up-to-date with current protocols or securing network endpoints so that external access to internal systems is minimized, according to the study.
The study found that healthcare falls among the bottom performers in the category of network security, ranked 11th out of 18. The study authors noted that low scores typically indicate that the organization has an open port making it susceptible to attack; for example, the WannaCry attack propagated through port 445. “An insecure network is one of the easiest ways for a hacker to obtain access to sensitive data. Examples of network security hacks include exploiting vulnerabilities such as open access points, insecure or misconfigured SSL certificates, or database vulnerabilities and security holes that can stem from the lack of proper security measures. Once a hacker is inside the organization’s network, digital assets can be compromised or stolen outright, throwing operations into chaos,” the study authors wrote.
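The kind of check the network-security category describes, as an added example that is not part of the report or the article: it parses constructed `ss -lntu`-style output from a host and flags services bound to all interfaces on ports that should not face the Internet, such as TCP 445 (the SMB port WannaCry used). The port list and the sample output are illustrative assumptions, not data from the report.

```python
"""Audit a host's listening sockets for Internet-exposed high-risk ports."""
from dataclasses import dataclass

# Ports that should not be reachable from the Internet (constructed, illustrative list).
HIGH_RISK_PORTS = {
    21: "FTP", 23: "Telnet", 135: "MS-RPC", 137: "NetBIOS-NS", 139: "NetBIOS-SSN",
    445: "SMB", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP", 5900: "VNC", 6379: "Redis",
}

# Constructed sample in the layout of `ss -lntu` (Netid State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      128    [::]:3389          [::]:*
udp   UNCONN 0      0      0.0.0.0:137        0.0.0.0:*
"""


@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    service: str
    bind_addr: str


def split_addr_port(local: str) -> tuple[str, int]:
    """Split 'host:port'; the host may be a bracketed IPv6 literal like [::]."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_wildcard(addr: str) -> bool:
    """True when the socket is bound to every interface, i.e. reachable from outside."""
    return addr in {"0.0.0.0", "::", "*"}


def find_exposed(ss_output: str) -> list[Finding]:
    """Return high-risk services bound to a wildcard address; loopback-only binds are ignored."""
    findings: list[Finding] = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = split_addr_port(local)
        if is_wildcard(addr) and port in HIGH_RISK_PORTS:
            findings.append(Finding(proto, port, HIGH_RISK_PORTS[port], addr))
    return findings


if __name__ == "__main__":
    for f in find_exposed(SAMPLE_SS_OUTPUT):
        print(f"{f.proto}/{f.port} ({f.service}) bound to {f.bind_addr}: filter at the firewall or bind to localhost")
```

On the sample, MySQL on 127.0.0.1 is not reported, while SMB, RDP and NetBIOS name service on wildcard addresses are.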
Looking at application security, healthcare ranked slightly better, at 9th out of 18. The study authors note that a strong score in this area indicates that organizations are likely using web application firewalls, which often protect against DDoS attacks and the OWASP Top 10. Weaker scores in this category indicate that old websites, PHP applications, and the like with multiple Common Vulnerabilities and Exposures (CVEs) are being used and are open to the OWASP Top 10 Most Critical Web Application Security Risks.
The study also ranked industries by Cubit Score. The Cubit module reveals which administrative portals or subdomains are publicly viewable, which provides a potential access point to an organization’s internal network. In the Cubit Score category, healthcare ranked 7th, among the top performers. Government ranked 2nd, after the legal industry. “These strong scores typically indicate that portals are not available to the public without some kind of secure Virtual Private Network (VPN) or whitelist and can also indicate the use of some kind of two-factor authentication,” the study authors wrote.
Industries also were ranked by Leaked Credentials, or the likelihood that an organization will succumb to a security incident due to leaked information, and healthcare ranked 9th. Low performance in this category can indicate: 1) that employees are using corporate emails for non-work purposes and 2) that passwords are being reused, the study authors wrote.
The study also looked at industries based on their patching cadence. The study authors noted that diligently patching operating systems, services, applications, software and hardware in a timely manner is necessary to keep hackers at bay. “If a hacker knows that a company has a slow patching cadence, then the hacker can wait for a newly disclosed vulnerability, build a payload, and exploit the vulnerability in less time than it takes for that organization to apply a patch,” the study authors wrote.
Healthcare ranked 10th in the category of patching cadence.
Healthcare also scored among the bottom performers in the area of social engineering, ranking 16th out of 18. Nonprofits ranked the highest along with technology and government. The study authors note that social engineering attacks are much more behavioral in nature than technical, which makes them difficult to defend against. SecurityScorecard identified multiple factors related to social engineering such as employees using corporate account information in social networks, employees exposing an organization to phishing attacks and spam, and employees posting negative reviews of the business to social platforms.
Looking at other areas of cybersecurity, healthcare again ranked low, at 16th, in the category of Endpoint Security, and 14th in the area of IP Reputation. In the area of Domain Name System (DNS) Health, healthcare ranked among the top performers, at 6th. According to the study authors, a strong score indicates that these organizations are using good practices, such as ensuring proper configurations and employing other practices to protect DNS health.