
Report: Healthcare Industry Workers Lack Basic Cybersecurity Awareness

November 1, 2016
by Heather Landi

While it is well known that the healthcare industry is being targeted by hackers, a new analysis by SecurityScorecard finds that the industry lacks basic security awareness among staff, leaving it at heightened risk of attacks that rely on social engineering.

Essentially, healthcare employees are the "low-hanging fruit" for social engineering attacks, the report authors say.

The "2016 Healthcare Industry Cybersecurity Report” from SecurityScorecard, a security rating and continuous risk monitoring platform, highlights troubling cybersecurity vulnerabilities across the healthcare industry. What’s more, according to the analysis, security breaches in the healthcare industry pose devastating consequences because they can render an entire system or network inoperable, creating a life or death situation that needs immediate attention.

The report findings reveal that healthcare is the 5th highest in ransomware counts among all industries, and more than 77 percent of the entire healthcare industry has been infected with malware since August 2015.

From August 2015 to August 2016, SecurityScorecard analyzed the security ratings of over 700 organizations in the healthcare industry, finding the most prevalent security weaknesses among health treatment centers, insurance providers, manufacturers, and hospitals. Researchers also took a deep dive into the 27 biggest hospitals, measured by number of beds, the 10 largest health insurance providers measured by revenue and looked at common connections between 22 major publicized data breaches and ransomware infections detected in its platform.

Some key findings from the report include:

88 percent of all healthcare manufacturers have had malware infections

96 percent of all ransomware affecting the healthcare industry targeted medical treatment centers

Healthcare ranks 15th out of 18 industries in social engineering, suggesting a security awareness problem among personnel and staff

40 percent of breached companies had a C or lower in network security at the time of breach

63 percent of the 27 biggest U.S. hospitals have a C or lower in patching cadence, which measures an organization's ability to implement security software patches in a timely fashion

More than 50 percent of the healthcare industry has a network security score of a C or lower

Healthcare ranks 9th in overall security rating compared to all other industries
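The report scores "patching cadence" as a factor in its own right (see the 63 percent finding above). As an added illustration, not code from the report or from SecurityScorecard, the following Python script computes a cadence summary from a constructed patch-deployment log: median days from vendor release to install, the share of patches applied within a service-level window, and the patches still outstanding past that window. The 30-day window, the host names and the patch identifiers are all assumptions made for the example.

```python
from datetime import date
from statistics import median

# Constructed sample records (not data from the SecurityScorecard report).
# Each tuple is (host, patch_id, vendor release date, install date or None if
# the patch has not been applied). Host and patch names are hypothetical.
SAMPLE_RECORDS = [
    ("ehr-app-01", "KB-A", date(2016, 3, 8), date(2016, 3, 20)),
    ("ehr-db-01", "KB-A", date(2016, 3, 8), date(2016, 5, 2)),
    ("infusion-gw-07", "KB-A", date(2016, 3, 8), None),
    ("radiology-ws-12", "KB-B", date(2016, 4, 12), date(2016, 4, 15)),
    ("infusion-gw-07", "KB-B", date(2016, 4, 12), None),
]

# Reporting date for the sample, so the script is deterministic offline.
AS_OF = date(2016, 8, 1)


def patch_cadence(records, as_of, sla_days=30):
    """Summarize how quickly patches are applied.

    Returns a dict with:
      - 'median_days': median days from release to install, over installed patches
      - 'within_sla': fraction of all (host, patch) pairs installed within sla_days
      - 'overdue': (host, patch_id, days_outstanding) for missing patches past the
        SLA, worst first
    The 30-day SLA is an assumed illustrative threshold, not one the report publishes.
    """
    lags = []
    met = 0
    overdue = []
    for host, patch_id, released, installed in records:
        if installed is None:
            # Still missing: measure how long it has been outstanding as of the report date.
            outstanding = (as_of - released).days
            if outstanding > sla_days:
                overdue.append((host, patch_id, outstanding))
            continue
        lag = (installed - released).days
        lags.append(lag)
        if lag <= sla_days:
            met += 1
    return {
        "median_days": median(lags) if lags else None,
        "within_sla": met / len(records) if records else 0.0,
        "overdue": sorted(overdue, key=lambda r: r[2], reverse=True),
    }


def sample_summary():
    """Run the cadence calculation over the constructed sample."""
    return patch_cadence(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    summary = sample_summary()
    print(f"median days to patch: {summary['median_days']}")
    print(f"within 30-day SLA:    {summary['within_sla']:.0%}")
    for host, patch_id, days in summary["overdue"]:
        print(f"OVERDUE {host} {patch_id}: {days} days outstanding")
```

On the sample, the median lag looks acceptable (12 days) while only 40 percent of patches landed inside the window and the two overdue entries both sit on the same connected-device gateway, which is the kind of detail a single letter grade hides; tracking the overdue list per host is what turns the metric into a work queue.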

Ransomware and breaches are affecting the healthcare industry at an increasingly alarming rate with 22 major public breaches occurring since August 2015, according to the report. Earlier this year, Hollywood Presbyterian Medical Center paid $17,000 as a result of ransomware after losing access to patient records for 10 days. In March 2016, 21st Century Oncology suffered a data breach that led to a loss of 2.2 million patient records and a $57 million class-action lawsuit. Overall, breached healthcare companies still struggle with security post-breach, the report found.

The report authors noted that the healthcare industry is facing security pressures from multiple sides. “Hackers are shifting attack methods and specifically targeting the healthcare industry with ransomware and regulatory bodies are increasing their attention levied on these organizations. Internally, the healthcare industry, as we’ve seen, is struggling with security awareness and training and the new innovations, adopted technologies, and connected devices are only adding to the challenge of securing internal and patient data.”

Social engineering, however, stood out as the factor on which healthcare performed particularly poorly.

The report authors wrote, “While a hospital’s IT department may be up to date and proficient at security standards such as DNS health and endpoint security, employees such as medical personnel, administrative professionals, among others, within a healthcare organization may not necessarily prioritize information security. The low Social Engineering scores among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient and this poses a real risk to those organizations. Security is only as strong as the weakest link, and employees are often the lowest-hanging fruit when it comes to phishing, spear phishing, and other social engineering attacks.”

For the analysis, researchers compared low security factor scores by looking at the share of organizations scoring a C or lower in the healthcare industry against the share in all other industries. In social engineering, the healthcare industry has 182 percent as many organizations with a C or lower as other industries do.

And, healthcare companies still struggle with security post-breach. The analysis also found that, in August 2016, past-breached healthcare companies still have 242 percent as many C’s or lower scores in social engineering compared to non-breached companies.

Another risk is the array of devices with wireless capabilities such as Internet of Things (IoT) devices, wireless medical devices and tablets, which have paved the way for medical advances benefiting hospitals and patients. However, their rapid delivery and deployment have resulted in subpar security configurations.

“As long as these IoT devices are manufactured with poor security standards, the vulnerability doesn't only lie within the devices themselves, but they also pose a risk to any hospital, treatment center, or individual using the device. If a connected device is hacked into, the device can be forced to malfunction or it can be used as a pathway to reach an organization's primary network," Alex Heid, chief research officer at SecurityScorecard, said in a statement.

The report authors conclude that there are a number of different options a healthcare facility can take when it comes to improving security awareness across the entire organization.

“Organizations can employ security awareness training companies to come in and train staff but it’s important to note that this training needs to take into account HIPAA regulations, ethics standards, and the different departments and positions involved. Training should differ depending on whether a staff member is part of operations, a medical practitioner, a visiting professional, or if they’re interacting with patients and patients’ data,” the report authors stated. Organizations can also implement ongoing security awareness processes that continuously support existing and new employees.

The report authors summarized that healthcare’s overall weak points are on Network Security, IP reputation, and Patching Cadence, “which are all signs of a large infrastructure that isn’t keeping up with the increase in devices, connections, and applications that make up an organization’s networks.”

“For hospitals and major healthcare treatment centers, the security department should be proactive and make sure that their networks are segmented to account for IoT security and that their connected devices no longer have their default security settings in place. Major insurance companies should be properly assessing their third party security and assessing the security of any potential M&A targets,” the report authors wrote.
