Healthcare Suffers From A Lack Of Security Awareness

Healthcare organisations have suffered 22 major data breaches in the past year, resulting in the exposure of millions of patient records, a new study shows.

The 2016 Healthcare Industry Cybersecurity Report from SecurityScorecard illustrates the ills in healthcare's cybersecurity posture. SecurityScorecard conducted an analysis of 700 healthcare organizations including medical treatment facilities, health insurance agencies, and healthcare manufacturing businesses. The study covers the period of August 2015 through August 2016.

Network security, IP reputation, and patching cadence are among healthcare's biggest struggles, the study found. Seventy percent of health insurance providers are not adequately protecting patient information, and 63% of the 27 largest US hospitals received a C or lower in Patching Cadence, as they don't fix bugs in their software. More than 75% of the industry suffered malware infections.

"The greatest security threat comes in the form of malware that will take data and provide access to database resources," says Alex Heid, chief research officer at SecurityScorecard.

Healthcare also suffers from a security awareness problem among users.

"We found a significant correlation between malware infections, and security awareness and social engineering of employees within enterprises," says Heid. Combined with a high number of vulnerable endpoints, including web browsers and operating systems, this leads to a spike in malware from healthcare organizations.

Healthcare is a target for exploitation because its businesses are sitting on the same data financial companies collect, Heid explains. This includes full names, dates of birth, social security numbers, and other information that can be used for identity theft.

However, healthcare providers don't have the same protection as financial institutions, he continues. Banks exist to transfer and protect money, and the technology they run is built to support that purpose.

Healthcare companies are focused on human health and healing, and ensuring their services are operational to provide medical care. They weren't thinking about security difficulties because they hadn't happened yet, he continues. "Now, they have to learn by getting scratched."

"There's a need to balance security and functionality that has been difficult for the healthcare industry," he says. "The security aspect has always taken a backseat because it was never considered to be as large of a target as it has become."

How Healthcare Orgs Get Hit

A common way for malware to enter organisations is through employees who engage with suspicious websites from work, using their corporate email addresses. These may include adult online dating sites or webpages promising opportunities to make money from home.

While this trend spans all industries, Heid notes in healthcare there is a correlation between malware and high numbers of employees entering information on these websites from work computers. This is a sign of poor security awareness; workers who interact with these sites are also likely to open potentially malicious email attachments.

The study also sheds light on the growing risk of network-connected devices, aka IoT: wireless medical devices and tablets, for example. New hardware has enabled medical advancements and benefited hospitals and patients, but quick deployment has resulted in weak security.

Further, more modern IoT medical devices are being used to collect sensitive health data and require tougher network security. "It's very important hospitals understand the full capabilities of advanced medical devices they're implementing before potentially fatal accidents occur," says Heid.

Another security challenge for healthcare organisations is updating legacy Web applications. Many insurance companies and healthcare providers have merged or been acquired, and their old networks and infrastructure have been grandfathered in.

This heightens security risk, says Heid, as many companies are still using legacy Web apps that are over ten years old, and have been fixed with band-aids over the years. Now, they need a full overhaul.

Heid says healthcare organisations must patch their systems, run up-to-date endpoint software, and conduct continuous monitoring and vulnerability assessments to understand where the weak points are.

Going forward, the healthcare industry will continue to experience myriad security problems: new hacked databases from third-party providers will circulate; new medical devices will enter the market.

However, healthcare organisations are becoming more security-savvy, he says. "Healthcare businesses and their leadership are definitely starting to pay attention," he adds. "Nobody wants to be the next headline."

Dark Reading: Healthcare Industry Lacks Basic Security Knowhow

