Healthcare Gets a B Rating for Cybersecurity

SecurityScorecard gave the U.S. healthcare industry a B+ rating for cybersecurity during the first 6 months of 2024. This indicates that the industry is doing better in spite of the reported major breaches, including the ransomware attack on Change Healthcare that massively exposed patients’ PHI.

As the researchers mentioned, a cyberattack on a big healthcare provider can slow down the whole healthcare system, like what happened in the Change Healthcare ransomware attack. Considering the scale of the attack and the magnitude of the disruption, SecurityScorecard’s STRIKE threat intelligence team wanted to determine overall cyber hygiene at big healthcare providers and the biggest security problems that those companies deal with.

SecurityScorecard's researchers analyzed the security scores of the top 500 healthcare firms in the U.S., which include healthcare providers, pharmaceutical and biotech companies, medical device manufacturers and vendors, and insurance and billing firms. An A score requires a security rating of 90-100, a B rating means a score of 80-89, and an F means a security score under 60. The mean and median security scores of the healthcare organizations evaluated for the study are 88 and 89.

A B+ security score for healthcare is respectable, since the healthcare sector has long been known for substandard security. It is also higher than the average score of 86 for all 12 million companies on SecurityScorecard’s platform. But a good security score doesn’t mean a company is safe from cyberattacks and security breaches: companies with a B rating are 2.9 times more likely to suffer a data breach than companies with an A rating.

Medical device producers and suppliers of medical equipment and products got the lowest security scores, 2-3 points below the healthcare average. These companies are 16% more likely to be data breach victims than other companies in the healthcare sector. The researchers attributed the lower scores to a bigger attack surface, which may resemble that of non-healthcare companies more than that of other healthcare companies.

The researchers found that big companies could steer clear of breaches despite the higher threat level: just 5% of the sample had a publicly reported breach in the last 12 months, and 6% showed evidence of a compromised device on their network in the last 30 days. The researchers also identified areas where organizations performed adequately but where weaknesses still lowered their security scores. The factors that reduced healthcare sector security scores are:

  • Application security – 48% of evaluated companies lost points in this area. A range of application security problems was found, although they were only of low or medium severity.
  • DNS health – 24% – Sender Policy Framework (SPF) problems, particularly a missing SPF record or a non-optimal SPF configuration, allow suspicious emails to reach inboxes and so reduce DNS health scores.
  • Network security – 19% – The main network security problem was weak SSL/TLS encryption protocols.
  • Endpoint security – This is the area in which organizations least often received their lowest score. However, security problems in this area have a greater negative effect than the other security factors. Outdated web browsers are the most common endpoint security problem.
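The SPF problems behind the DNS health finding above (a missing record, or one that never rejects unlisted senders) can be caught with a record check like the following. This is an added example, not SecurityScorecard's scoring logic; it evaluates constructed TXT records offline instead of querying DNS, and the domain names and records are placeholders.

```python
# Constructed sample TXT records; the domains are placeholders, not real lookups.
SAMPLE_TXT = {
    "good.example": ["v=spf1 mx include:_spf.mailhost.example -all"],
    "soft.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "open.example": ["v=spf1 +all"],
    "nospf.example": ["site-verification=placeholder"],
    "dup.example": ["v=spf1 -all", "v=spf1 ~all"],
    "lookups.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}

# Terms that trigger a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "redirect", "ptr"}


def evaluate_spf(txt_records):
    """Return (status, findings); status is missing, invalid, weak, soft,
    delegated or strict."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing", ["no v=spf1 record: receivers cannot reject forged senders"]
    if len(spf) > 1:
        return "invalid", ["more than one v=spf1 record is a PermError at receivers"]
    findings, lookups, all_qual, redirect = [], 0, None, False
    for term in spf[0].split()[1:]:
        qual = "+"                      # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            all_qual = qual
        elif name in LOOKUP_TERMS:
            lookups += 1
            redirect = redirect or name == "redirect"
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (PermError)")
        return "invalid", findings
    if all_qual is None and redirect:
        findings.append("policy delegated via redirect=; evaluate the target record")
        return "delegated", findings
    if all_qual is None or all_qual in "+?":
        findings.append("no all, +all or ?all: unlisted senders are not rejected")
        return "weak", findings
    if all_qual == "~":
        findings.append("~all only softfails; pair with a DMARC reject policy")
        return "soft", findings
    return "strict", findings


def audit(records_by_domain):
    return {d: evaluate_spf(r)[0] for d, r in records_by_domain.items()}
```

Feeding `audit` the TXT records of a vendor inventory gives a quick view of which suppliers leave email spoofing unchecked.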

SecurityScorecard reported earlier that healthcare surpasses all other industries regarding third-party data breaches because there are many vendors in healthcare. The Clop group campaign that took advantage of a vulnerability in the MOVEit file transfer software program impacted a lot of healthcare companies directly or indirectly by means of attacks on their vendors.

SecurityScorecard gave the healthcare industry several recommendations for improving security. Third-party risk management is an important area because of the number of suppliers. Beyond monitoring all suppliers, their cyber risk must be assessed, which is a major undertaking. The researchers also suggest telling patients why third-party vendors are used, since patients are usually unaware of how much of their data is disclosed to third-party suppliers. Because medical device companies and suppliers scored lowest, these vendors require increased scrutiny from third-party risk management (TPRM) and vendor risk management (VRM) teams.

A wide variety of application security problems was found, though many were associated with public-facing websites, so that is a good place to begin improving software security. Endpoint security should be improved through regular web browser updates. The researchers advise against paying ransoms because ransomware actors cannot be trusted. They also warn against settling with ransomware groups, because this could be seen as a sign of vulnerability or susceptibility to extortion.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA