Healthcare Informatics Magazine | Health IT | Information Technology

Report: Healthcare Cybersecurity Ranks 13th Out of 18 Industries

August 29, 2017
by Heather Landi

The healthcare industry ranks among the lowest performing industries in the area of cybersecurity, according to the 2017 U.S. State and Federal Government Cybersecurity Report.

In August 2017, SecurityScorecard surveyed 18 industries, including transportation, retail, healthcare and government organizations, to grade the security postures of these industries. The report focuses on government organizations: it analyzes and grades the current security postures of 552 local, state, and federal government organizations, each with more than 100 public-facing IP addresses, to identify the strongest and weakest security standards based on security hygiene and security reaction time relative to their peers. Across all industries surveyed by SecurityScorecard, government organizations received one of the lowest security scores, with an overall ranking of 16th out of 18.

In the overall industry rankings, the food, entertainment and retail industries ranked highest as top performers, and education ranked lowest. Healthcare ranked 13th out of 18, with a score of 86.5. For comparison, the food industry received a grade of 89, and education received a grade of 84.

“Compared to last year, government has moved from the lowest performing industry, past telecommunications and education. However, this relative improvement still leaves government agencies as the third lowest performing industry when compared to the cybersecurity of 17 other major industries,” the report authors wrote.

The study also examined industries by their network security. SecurityScorecard identified potential vulnerabilities in network security by identifying open ports on an organization’s network that are exposed to the Internet, and by examining whether or not an organization follows best practices such as staying up to date with current protocols or securing network endpoints so that external access to internal systems is minimized, according to the study.

The study found that healthcare falls among the bottom performers in the category of network security, ranked 11th out of 18. The study authors noted that low scores typically indicate that the organization has an open port that makes it susceptible to attack; for example, the WannaCry attack propagated through port 445. “An insecure network is one of the easiest ways for a hacker to obtain access to sensitive data. Examples of network security hacks include exploiting vulnerabilities such as open access points, insecure or misconfigured SSL certificates, or database vulnerabilities and security holes that can stem from the lack of proper security measures. Once a hacker is inside the organization’s network, digital assets can be compromised or stolen outright, throwing operations into chaos,” the study authors wrote.
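The network-hygiene signal the report describes is, at bottom, an inventory of which services an organization exposes to the Internet. As an added example (not SecurityScorecard's method, and not code from the report or this article), the script below takes a scan export in nmap's grepable (`-oG`) layout, builds that inventory for an organization's own public address space, and flags ports that a defensive review would treat as never-Internet-facing, with port 445 (the WannaCry vector the article cites) among them. The scan lines, the addresses (RFC 5737 documentation range), and the `HIGH_RISK_PORTS` list are all constructed for the illustration; the port list is an assumption a team would tailor to its own policy.

```python
"""Audit Internet-exposed services from a scan export (added illustration).

Not SecurityScorecard's scoring method. The sample below is constructed in
nmap grepable (-oG) layout; a real review would use an export from an
external scan of the organization's own public-facing address space.
"""
from dataclasses import dataclass

# Services a hygiene review treats as never-Internet-facing. Port 445 is the
# SMB port the article ties to WannaCry; the rest are an assumed policy list.
HIGH_RISK_PORTS = {
    23: "telnet (cleartext remote shell)",
    139: "NetBIOS session service",
    445: "SMB (WannaCry propagation vector)",
    1433: "Microsoft SQL Server",
    3389: "RDP",
}

# Constructed sample scan output (documentation addresses, not real hosts).
SAMPLE_GNMAP = """\
# Constructed sample in nmap grepable layout; not real scan output.
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)
Host: 203.0.113.12 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 25/filtered/tcp//smtp///\tIgnored State: closed (997)
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    reason: str


def parse_gnmap(text):
    """Return {host: set(open TCP ports)} from grepable-format scan lines.

    Each 'Host:' line is tab-separated; the 'Ports:' field holds
    comma-separated entries of the form port/state/proto/owner/service/....
    Only entries with state 'open' and protocol 'tcp' count as exposure.
    """
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        open_ports = inventory.setdefault(host, set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                    open_ports.add(int(parts[0]))
    return inventory


def audit_exposure(inventory):
    """Flag every (host, port) pair whose port is on the high-risk list."""
    findings = []
    for host, ports in sorted(inventory.items()):
        for port in sorted(ports):
            if port in HIGH_RISK_PORTS:
                findings.append(Finding(host, port, HIGH_RISK_PORTS[port]))
    return findings


def exposure_summary(inventory):
    """Counts a review would report: hosts seen, hosts exposed, findings."""
    findings = audit_exposure(inventory)
    exposed_hosts = {f.host for f in findings}
    return {
        "hosts_scanned": len(inventory),
        "hosts_with_high_risk_exposure": len(exposed_hosts),
        "findings": len(findings),
    }


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    for f in audit_exposure(inv):
        print(f"{f.host}:{f.port}  {f.reason}")
    print(exposure_summary(inv))
```

Run against the constructed sample, the audit reports three findings on two of the three hosts: SMB and RDP on the second host and telnet on the third. The filtered SMTP port is ignored because only `open/tcp` entries are treated as exposure, which is the same distinction a team should make before counting a port against itself.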

Looking at application security, healthcare ranked slightly better, at 9th out of 18. The study authors note that a strong score in this area indicates that organizations are likely using web application firewalls, which often protect against DDoS attacks and the OWASP Top 10. Weaker scores in this category indicate that old websites, PHP applications, and the like with multiple Common Vulnerabilities and Exposures (CVEs) are in use and remain exposed to the OWASP Top 10 Most Critical Web Application Security Risks.

The study also ranked industries by Cubit Score. The Cubit module reveals which administrative portals or subdomains are publicly viewable, which provides a potential access point to an organization’s internal network. In the Cubit Score category, healthcare ranked 7th, among the top performers. Government ranked 2nd, after the legal industry. “These strong scores typically indicate that portals are not available to the public without some kind of secure Virtual Private Network (VPN) or whitelist and can also indicate the use of some kind of two-factor authentication,” the study authors wrote.

Industries also were ranked by Leaked Credentials, or the likelihood that an organization will succumb to a security incident due to leaked information, and healthcare ranked 9th. Low performance in this category can indicate: 1) that employees are using corporate emails for non-work purposes and 2) that passwords are being reused, the study authors wrote.

The study also ranked industries by their patching cadence. The study authors noted that diligently patching operating systems, services, applications, software and hardware in a timely manner is necessary to keep hackers at bay. “If a hacker knows that a company has a slow patching cadence, then the hacker can wait for a newly disclosed vulnerability, build a payload, and exploit the vulnerability in less time than it takes for that organization to apply a patch,” the study authors wrote.

Healthcare ranked 10th in the category of patching cadence.

Healthcare also scored among the bottom performers in the area of social engineering, ranking 16th out of 18. Nonprofits ranked the highest along with technology and government. The study authors note that social engineering attacks are much more behavioral in nature than technical, which makes them difficult to defend against. SecurityScorecard identified multiple factors related to social engineering such as employees using corporate account information in social networks, employees exposing an organization to phishing attacks and spam, and employees posting negative reviews of the business to social platforms.

Looking at other areas of cybersecurity, healthcare again ranked low, at 16th, in the category of Endpoint Security, and it ranked 14th in the area of IP Reputation. In the area of Domain Name System (DNS) Health, healthcare ranked among the top performers, at 6th. According to the study authors, a strong score indicates that these organizations are following good practices, such as ensuring proper configurations and employing other measures to protect DNS health.
