While it’s known that the healthcare industry is targeted by hackers, a new report from SecurityScorecard finds that the industry lacks basic security awareness among staff, leaving it at heightened risk of social engineering attacks.
Essentially, healthcare employees are the "low-hanging fruit" for social engineering attacks, the report authors say.
The "2016 Healthcare Industry Cybersecurity Report” from SecurityScorecard, a security rating and continuous risk monitoring platform, highlights troubling cybersecurity vulnerabilities across the healthcare industry. What’s more, according to the analysis, security breaches in the healthcare industry pose devastating consequences because they can render an entire system or network inoperable, creating a life or death situation that needs immediate attention.
The report findings reveal that healthcare is the 5th highest in ransomware counts among all industries, and more than 77 percent of the entire healthcare industry has been infected with malware since August 2015.
From August 2015 to August 2016, SecurityScorecard analyzed the security ratings of over 700 organizations in the healthcare industry, finding the most prevalent security weaknesses among health treatment centers, insurance providers, manufacturers, and hospitals. Researchers also took a deep dive into the 27 biggest hospitals, measured by number of beds, the 10 largest health insurance providers measured by revenue and looked at common connections between 22 major publicized data breaches and ransomware infections detected in its platform.
Some key findings from the report include:
- 88 percent of all healthcare manufacturers have had malware infections
- 96 percent of all ransomware affecting the healthcare industry targeted medical treatment centers
- Healthcare ranks 15th out of 18 in social engineering among all industries, suggesting a security awareness problem among personnel and staff
- 40 percent of breached companies had a C or lower in network security at the time of breach
- 63 percent of the 27 biggest U.S. hospitals have a C or lower in patching cadence, which measures an organization's ability to implement security software patches in a timely fashion
- More than 50 percent of the healthcare industry has a network security score of a C or lower
- Healthcare ranks 9th in overall security rating compared to all other industries
Ransomware and breaches are affecting the healthcare industry at an increasingly alarming rate with 22 major public breaches occurring since August 2015, according to the report. Earlier this year, Hollywood Presbyterian Medical Center paid $17,000 as a result of ransomware after losing access to patient records for 10 days. In March 2016, 21st Century Oncology suffered a data breach that led to a loss of 2.2 million patient records and a $57 million class-action lawsuit. Overall, breached healthcare companies still struggle with security post-breach, the report found.
The report authors noted that the healthcare industry is facing a number of security pressures from multiple sides. “Hackers are shifting attack methods and specifically targeting the healthcare industry with ransomware and regulatory bodies are increasing their attention levied on these organizations. Internally, the healthcare industry, as we’ve seen, is struggling with security awareness and training and the new innovations, adopted technologies, and connected devices are only adding to the challenge of securing internal and patient data.”
Social engineering in particular stood out as an area in which healthcare performs poorly.
The report authors wrote, “While a hospital’s IT department may be up to date and proficient at security standards such as DNS health and endpoint security, employees such as medical personnel, administrative professionals, among others, within a healthcare organization may not necessarily prioritize information security. The low Social Engineering scores among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient and this poses a real risk to those organizations. Security is only as strong as the weakest link, and employees are often the lowest-hanging fruit when it comes to phishing, spear phishing, and other social engineering attacks.”
For the analysis, researchers compared low security factor scores and looked at the distribution of C’s or lower across the healthcare industry compared to all other industries. In social engineering, the healthcare industry has 182 percent as many organizations with a C or lower.
And, healthcare companies still struggle with security post-breach. The analysis also found that, in August 2016, past-breached healthcare companies still have 242 percent as many C’s or lower scores in social engineering compared to non-breached companies.
Another risk is the array of devices with wireless capabilities, such as Internet of Things (IoT) devices, wireless medical devices and tablets, which have paved the way for medical advances benefiting hospitals and patients. However, their speedy delivery and implementation have resulted in subpar security setups.