Report: Healthcare Industry Workers Lack Basic Cybersecurity Awareness | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Report: Healthcare Industry Workers Lack Basic Cybersecurity Awareness

November 1, 2016
by Heather Landi
| Reprints
Click To View Gallery

While it’s known that the healthcare industry is being targeted by hackers, a new report finds that the industry is lacking in basic security awareness among staff with a heightened risk of attacks through social engineering, according to an analysis by SecurityScorecard.

Essentially, healthcare employees are the "low-hanging fruit" for social engineering attacks, the report authors say.

The "2016 Healthcare Industry Cybersecurity Report” from SecurityScorecard, a security rating and continuous risk monitoring platform, highlights troubling cybersecurity vulnerabilities across the healthcare industry. What’s more, according to the analysis, security breaches in the healthcare industry pose devastating consequences because they can render an entire system or network inoperable, creating a life or death situation that needs immediate attention.

The report findings reveal that healthcare is the 5th highest in ransomware counts among all industries, and more than 77 percent of the entire healthcare industry has been infected with malware since August 2015.

From August 2015 to August 2016, SecurityScorecard analyzed the security ratings of over 700 organizations in the healthcare industry, finding the most prevalent security weaknesses among health treatment centers, insurance providers, manufacturers, and hospitals. Researchers also took a deep dive into the 27 biggest hospitals, measured by number of beds, the 10 largest health insurance providers measured by revenue and looked at common connections between 22 major publicized data breaches and ransomware infections detected in its platform.

Some key findings from the report include:

88 percent of all healthcare manufacturers have had malware infections

96 percent of all ransomware affecting the healthcare industry targeted medical treatment centers

Healthcare ranks 15th out of 18th in social engineering among all industries, suggesting a security awareness problem among personnel and staff

40 percent of breached companies had a C or lower in network security at the time of breach

63 percent of the 27 biggest U.S. hospitals have a C or lower in patching cadence, which measures an organization's ability to implement security software patches in a timely fashion

More than 50 percent of the healthcare industry has a network security score of a C or lower

Healthcare ranks 9th in overall security rating compared to all other industries

Ransomware and breaches are affecting the healthcare industry at an increasingly alarming rate with 22 major public breaches occurring since August 2015, according to the report. Earlier this year, Hollywood Presbyterian Medical Center paid $17,000 as a result of ransomware after losing access to patient records for 10 days. In March 2016, 21st Century Oncology suffered a data breach that led to a loss of 2.2 million patient records and a $57 million class-action lawsuit. Overall, breached healthcare companies still struggle with security post-breach, the report found.

The report authors noted that the healthcare industry is facing a number of security pressures from multiple side. “Hackers are shifting attack methods and specifically targeting the healthcare industry with ransomware and regulatory bodies are increasing their attention levied on these organizations. Internally, the healthcare industry, as we’ve seen, is struggling with security awareness and training and the new innovations, adopted technologies, and connected devices are only adding to the challenge of securing internal and patient data.”

However, social engineering is a factor that stuck out as being particularly low-performing within healthcare.

The report authors wrote, “While a hospital’s IT department may be up to date and proficient at security standards such as DNS health and endpoint security, employees such as medical personnel, administrative professionals, among others, within a healthcare organization may not necessarily prioritize information security. The low Social Engineering scores among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient and this poses a real risk to those organizations. Security is only as strong as the weakest link, and employees are often the lowest-hanging fruit when it comes to phishing, spear phishing, and other social engineering attacks.”

For the analysis, researchers compared low security factor scores and looked at the distribution of C’s or lower across the healthcare industry compared to all other industries. In social engineering, the healthcare industry has 182 percent as many organizations with a C or lower.

And, healthcare companies still struggle with security post-breach. The analysis also found that, in August 2016, past-breached healthcare companies still have 242 percent as many C’s or lower scores in social engineering compared to non-breached companies.

Another risk is the array of devices with wireless capabilities such as Internet of Things (IoT) devices, wireless medical devices and tablets, which have paved the way for medical advances benefiting hospitals and patients. However, their speedy delivery and implementation has resulted in subpar security setups.

“As long as these IoT devices are manufactured with poor security standards, the vulnerability doesn't only lie within the devices themselves, but they also pose a risk to any hospital, treatment center, or individual using the device. If a connected device is hacked into, the device can be forced to malfunction or it can be used as a pathway to reach an organization's primary network," Alex Heid, chief research officer at SecurityScorecard, said in a statement.

The report authors conclude that there are a number of different options a healthcare facility can take when it comes to improving security awareness across the entire organization.

“Organizations can employ security awareness training companies to come in and train staff but it’s important to note that this training needs to take into account HIPAA regulations, ethics standards, and the different departments and positions involved. Training should differ depending on whether a staff member is part of operations, a medical practitioner, a visiting professional, or if they’re interacting with patients and patient’s data,” the report authors stated. Additionally, organizations can also implement ongoing security awareness processes that can continuously provide support for existing and new employees.

The report authors summarized that healthcare’s overall weak points are on Network Security, IP reputation, and Patching Cadence, “which are all signs of a large infrastructure that isn’t keeping up with the increase in devices, connections, and applications that make up an organization’s networks.”

“For hospitals and major healthcare treatment centers, the security department should be proactive and make sure that their networks are segmented to account for IoT security and that their connected devices no longer have their default security settings in place. Major insurance companies should be properly assessing their third party security and assessing the security of any potential M&A targets,” the report authors wrote.

 

Get the latest information on Cybersecurity and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

CMS Exploring Potential Behavioral Health Payment and Care Delivery Model

The Center for Medicare & Medicaid Services (CMS) plans to hold a one-day summit in September to solicit feedback and ideas for a potential behavioral health model to improve access, quality and cost of care for beneficiaries with behavioral health conditions.

MEDITECH to Soon Offer CommonWell Health Alliance Services to Customers

MEDITECH, a Westwood, Mass.-based electronic health record (EHR) vendor, has announced that it is set to offer CommonWell interoperability services early next year.

HITRUST CSF Certification Now Includes NIST Cybersecurity Certification

HITRUST has announced that HITRUST cybersecurity framework (CSF) version 9 enhancements now extend an “assess once, report many” approach as a standard security framework for multiple critical infrastructure industries and includes National Institute of Standards and Technology (NIST) Cybersecurity certification.

Premier: Analytics Helping Hospitals Optimize Blood Use

An analysis of 645 hospitals revealed that comparative data analytics to drive performance improvement has the potential to optimize blood use across numerous diagnoses.

Almost 80 Percent of Clinicians Still Use Hospital-Issued Pagers

A study examining the communication technologies used by hospital-based clinicians found that close to 80 percent (79.8 percent) of clinicians continue to use hospital-provided pagers and 49 percent of those clinicians report they receive patient care-related messages most commonly by pager.

Survey: IT Expenses per Physician Continue to Rise to Nearly $19,000

Information technology (IT) expenses for physician practices are on a slow and steady rise for most practices, and last year, physician-owned practices spent between nearly $2,000 to $4,000 more per FTE physician on IT operating expenses than they did the prior year, according to a recent Medical Group Management Association (MGMA) survey.