Healthcare Suffers From A Lack Of Security Awareness

Uploaded on 2016-11-09 in BUSINESS-Services-Health & Welfare, FREE TO VIEW, NEWS-Cybersecurity News

Healthcare organisations have suffered 22 major data breaches in the past year, resulting in the exposure of millions of patient information, a new study shows.

The 2016 Healthcare Industry Cybersecurity Report from SecurityScorecard illustrates the ills in healthcare's cybersecurity posture. SecurtiyScorecard conducted an analysis of 700 healthcare organizations including medical treatment facilities, health insurance agencies, and healthcare manufacturing businesses. The study covers the period of August 2015 through August 2016.

Network security, IP reputation, and patching cadence are among healthcare's biggest struggles, the study found. Seventy percent of health insurance providers are not adequately protecting patient information, and 63% of the 27 largest US hospitals received a C or lower in Patching Cadence, as they don't fix bugs in their software. More than 75% of the industry suffered malware infections.

"The greatest security threat comes in the form of malware that will take data and provide access to database resources," says Alex Heid, chief research officer at SecurityScorecard.

Healthcare also suffers from a security awareness problem among users.

"We found a significant correlation between malware infections, and security awareness and social engineering of employees within enterprises," says Heid. Combined with high amounts of vulnerable endpoints, including web browsers and operating systems, this leads to a spike in malware from healthcare organizations.

Healthcare is a target for exploitation because its businesses are sitting on the same data financial companies collect, Heid explains. This includes full names, dates of birth, social security numbers, and other information that can be used for identity theft.

However, healthcare providers don't have the same protection as financial institutions, he continues. The purpose of banks is to transfer and protect finances, as well as the technology to support them.

Healthcare companies are focused on human health and healing, and ensuring their services are operational to provide medical care. They weren't thinking about security difficulties because they hadn't happened yet, he continues. "Now, they have to learn by getting scratched."

"There's a need to balance security and functionality that has been difficult for the healthcare industry," he says. "The security aspect has always taken a backseat because it was never considered to be as large of a target as it has become."

How Healthcare Orgs Get Hit

A common way for malware to enter organisations is through employees who engage with suspicious websites from work, using their corporate email addresses. These may include adult online dating sites or webpages promising opportunities to make money from home.

While this trend spans all industries, Heid notes in healthcare there is a correlation between malware and high numbers of employees entering information on these websites from work computers. This is a sign of poor security awareness; workers who interact with these sites are also likely to open potentially malicious email attachments.

The study also sheds light on the growing risk of network-connected devices, aka IoT: wireless medical devices and tablets, for example. New hardware has enabled medical advancements and benefited hospitals and patients, but quick deployment has resulted in weak security.

Further, more modern IoT medical devices are being used to collect sensitive health data and require tougher network security. "It's very important hospitals understand the full capabilities of advanced medical devices they're implementing before potentially fatal accidents occur," says Heid.

Another security challenge for healthcare organisations is updating legacy Web applications. Many insurance companies and healthcare providers have merged or been acquired, and their old networks and infrastructure have been grandfathered in.

This heightens security risk, says Heid, as many companies are still using legacy Web apps that are over ten years old, and have been fixed with band-aids over the years. Now, they need a full overhaul.

Heid says healthcare organisations must patch their systems, run up-to-date endpoint software, and conduct continuous monitoring and vulnerability assessments to understand where the weak points are.

Going forward, the healthcare industry will continue to experience myriad security problems: new hacked databases from third-party providers will circulate; new medical devices will enter the market.

However, healthcare organisations are becoming more security-savvy, he says. "Healthcare businesses and their leadership are definitely starting to pay attention," he says. "Nobody wants to be the next headline."

Dark Reading:                       Healthcare Industry Lacks Basic Security Knowhow

« Find The Hacker With Action Security Intelligence
Cost of Data Breaches Will Keep On Getting Higher »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

BitSight Technologies

BitSight Technologies

BitSight transforms how companies manage information security risk with objective, verifiable and actionable Security Ratings.

MASS

MASS

MASS provides world-class capabilities in electronic warfare operational support, cyber security, information management, support to military operations and law enforcement.

Eperi

Eperi

Eperi is a leading provider of Cloud Data Protection (CDP) solutions with 15 years of experience in data encryption for databases, (SaaS) applications and files.

Intrinsyc Technologies

Intrinsyc Technologies

Intrinsyc provides product development services and Edge Computing modules that are helping to take the Internet of Things products to the next level.

AngelList

AngelList

AngelList champion startups and the people who empower them. Search tech & startup jobs, find new tech products, and invest in startups.

CyberClan

CyberClan

CyberClan’s carefully selected team of experts is capable of solving complex cyber security challenges – keeping your data secure and your businesses running as usual.

RhodeCode

RhodeCode

RhodeCode is an open source repository management platform. It provides unified security and team collaboration across Git, Subversion, and Mercurial.

Towerwall

Towerwall

Towerwall offers a comprehensive suite of security services and solutions using best-of-breed tools and information security services.

AVANTEC

AVANTEC

AVANTEC is the leading Swiss provider of IT security solutions in the areas of cloud, content, network and endpoint security.

Rostelecom Solar

Rostelecom Solar

Rostelecom-Solar is a Cyber Security Company, providing software and managed detection and response (MDR) services to protect critical information from advanced cyber threats.

Thistle Technologies

Thistle Technologies

Thistle Technologies is building tools that help connected device manufacturers build security resiliency into devices.

Cyber Defense Networking Solutions (CDNS)

Cyber Defense Networking Solutions (CDNS)

CDNS is a global network infrastructure provider whose platforms are engineered for security, optimized for speed and designed for resiliency.

CyberUSA

CyberUSA

CyberUSA is a collaboration of leaders and states focused on a common mission purpose of enabling innovation, education, workforce development, enhanced cyber readiness and resilience.

Focus Digitech

Focus Digitech

Focus Digitech helps you with your digital transformation journey with our main core offerings of Cloud, Cybersecurity, Analytics and DevOps.

SecurityLoophole

SecurityLoophole

SecurityLoophole is an independent cyber security news platform with global coverage. Latest updates, reports, news and events related to cyber security.

Cybersecurity Elastic Laboratory (CEL)

Cybersecurity Elastic Laboratory (CEL)

CEL specialize in providing top-tier services in vulnerability diagnosis and penetration testing, offering a comprehensive suite of solutions to mitigate cyber risks.