While it is well known that the healthcare industry is a target for hackers, a new analysis by SecurityScorecard finds that the industry also lacks basic security awareness among staff, leaving it at heightened risk of social engineering attacks.
Essentially, healthcare employees are the "low-hanging fruit" for social engineering attacks, the report authors say.
The "2016 Healthcare Industry Cybersecurity Report” from SecurityScorecard, a security rating and continuous risk monitoring platform, highlights troubling cybersecurity vulnerabilities across the healthcare industry. What’s more, according to the analysis, security breaches in the healthcare industry pose devastating consequences because they can render an entire system or network inoperable, creating a life or death situation that needs immediate attention.
The report finds that healthcare ranks 5th highest in ransomware counts among all industries, and that more than 77 percent of the healthcare organizations analyzed have been infected with malware since August 2015.
From August 2015 to August 2016, SecurityScorecard analyzed the security ratings of over 700 organizations in the healthcare industry, identifying the most prevalent security weaknesses among health treatment centers, insurance providers, manufacturers, and hospitals. Researchers also took a deep dive into the 27 biggest hospitals, measured by number of beds, and the 10 largest health insurance providers, measured by revenue, and looked at common connections between 22 major publicized data breaches and ransomware infections detected on its platform.
Some key findings from the report include:
88 percent of all healthcare manufacturers have had malware infections
96 percent of all ransomware affecting the healthcare industry targeted medical treatment centers
Healthcare ranks 15th out of 18 industries in social engineering, suggesting a security awareness problem among personnel and staff
40 percent of breached companies had a C or lower in network security at the time of breach
63 percent of the 27 biggest U.S. hospitals have a C or lower in patching cadence, which measures an organization's ability to implement security software patches in a timely fashion
More than 50 percent of the healthcare industry has a network security score of a C or lower
Healthcare ranks 9th in overall security rating compared to all other industries
Ransomware and breaches are affecting the healthcare industry at an increasingly alarming rate with 22 major public breaches occurring since August 2015, according to the report. Earlier this year, Hollywood Presbyterian Medical Center paid $17,000 as a result of ransomware after losing access to patient records for 10 days. In March 2016, 21st Century Oncology suffered a data breach that led to a loss of 2.2 million patient records and a $57 million class-action lawsuit. Overall, breached healthcare companies still struggle with security post-breach, the report found.
The report authors noted that the healthcare industry is facing a number of security pressures from multiple sides. “Hackers are shifting attack methods and specifically targeting the healthcare industry with ransomware, and regulatory bodies are increasing their attention levied on these organizations. Internally, the healthcare industry, as we’ve seen, is struggling with security awareness and training, and the new innovations, adopted technologies, and connected devices are only adding to the challenge of securing internal and patient data.”
Social engineering stood out as the factor on which healthcare performed particularly poorly.
The report authors wrote, “While a hospital’s IT department may be up to date and proficient at security standards such as DNS health and endpoint security, employees such as medical personnel, administrative professionals, among others, within a healthcare organization may not necessarily prioritize information security. The low Social Engineering scores among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient and this poses a real risk to those organizations. Security is only as strong as the weakest link, and employees are often the lowest-hanging fruit when it comes to phishing, spear phishing, and other social engineering attacks.”
For the analysis, researchers compared low security factor scores and looked at the distribution of C's or lower across the healthcare industry compared to all other industries. In social engineering, the healthcare industry has 182 percent as many organizations with a C or lower as other industries, nearly twice the rate.
Healthcare companies also still struggle with security post-breach. The analysis found that, as of August 2016, previously breached healthcare companies still had 242 percent as many C-or-lower scores in social engineering as non-breached companies.
Another risk is the array of devices with wireless capabilities, such as Internet of Things (IoT) devices, wireless medical devices and tablets, which have paved the way for medical advances benefiting hospitals and patients. However, their rapid delivery and implementation have resulted in subpar security setups.
“As long as these IoT devices are manufactured with poor security standards, the vulnerability doesn't only lie within the devices themselves, but they also pose a risk to any hospital, treatment center, or individual using the device. If a connected device is hacked into, the device can be forced to malfunction or it can be used as a pathway to reach an organization's primary network," Alex Heid, chief research officer at SecurityScorecard, said in a statement.
The report authors conclude that a healthcare facility has a number of options for improving security awareness across the entire organization.
“Organizations can employ security awareness training companies to come in and train staff, but it’s important to note that this training needs to take into account HIPAA regulations, ethics standards, and the different departments and positions involved. Training should differ depending on whether a staff member is part of operations, a medical practitioner, a visiting professional, or if they’re interacting with patients and patients’ data,” the report authors stated. Additionally, organizations can implement ongoing security awareness processes that continuously support existing and new employees.
The report authors summarized that healthcare’s overall weak points are on Network Security, IP reputation, and Patching Cadence, “which are all signs of a large infrastructure that isn’t keeping up with the increase in devices, connections, and applications that make up an organization’s networks.”
“For hospitals and major healthcare treatment centers, the security department should be proactive and make sure that their networks are segmented to account for IoT security and that their connected devices no longer have their default security settings in place. Major insurance companies should be properly assessing their third party security and assessing the security of any potential M&A targets,” the report authors wrote.