Despite the implementation of HIPAA regulations, the healthcare industry's cybersecurity still lags behind many other sectors. According to Security Scorecard's 2019 Healthcare Cybersecurity Report, the industry ranks 8th out of 18 sectors overall. A mid-table ranking for an industry that handles some of the most sensitive personal data indicates that healthcare organizations need to take further steps to strengthen their security practices and ensure the protection of patient data.
The healthcare industry ranked 13th in DNS health and 12th in endpoint security, its two weakest categories. Without proper DNS security (hardened registrar and DNS-provider accounts, monitoring of record changes, DNSSEC where feasible), an attacker who gains control of an organization's DNS records can alter them and route web or mail traffic to attacker-controlled hosts, where user credentials can be harvested. In January 2019, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 19-01 in response to a campaign of exactly this kind of DNS infrastructure tampering, directing agencies to audit their DNS records, rotate DNS account credentials and enable multi-factor authentication on them. Endpoint security is another problem for the healthcare industry, because a wide variety of devices, many of them unmanaged or difficult to patch, are used to gain access to healthcare networks. Security Scorecard cites the 2018 HIMSS Cybersecurity Report, which found that 27.5% of surveyed healthcare employees felt there were too many endpoints in use, making it difficult to remediate and mitigate cybersecurity incidents.
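The practical control behind the DNS audit described above is a baseline comparison: keep a signed-off snapshot of the records you expect to see, resolve the zone again on a schedule, and alert on any record that is missing, changed or new, with particular attention to NS, MX and A records that now point somewhere you do not own. The script below is an added example and is not code from Security Scorecard, CISA or the report; the domain `example-health.org`, the two snapshots and the "allowed" netblocks are constructed sample data (RFC 5737 documentation ranges), and a real deployment would feed it fresh `dig +noall +answer` output rather than an embedded string.

```python
"""Detect DNS record tampering by diffing zone snapshots against a signed-off baseline.

Added example; the domain, snapshots and netblocks below are constructed test data.
"""
import ipaddress
from typing import Dict, FrozenSet, List, Tuple

RecordKey = Tuple[str, str]               # (owner name, record type)
RecordSet = Dict[RecordKey, FrozenSet[str]]

# Constructed baseline: what the organisation signed off on.
BASELINE = """
portal.example-health.org. 300  IN A  203.0.113.10
mail.example-health.org.   300  IN MX 10 mx1.example-health.org.
example-health.org.        3600 IN NS ns1.example-health.org.
example-health.org.        3600 IN NS ns2.example-health.org.
"""

# Constructed later snapshot in dig +noall +answer style, with tampering planted:
# the portal A record now points off-net, one NS has been swapped for an
# attacker-controlled server, and an unexpected vpn record has appeared.
OBSERVED = """
portal.example-health.org. 300  IN A  198.51.100.7          ; redirected
mail.example-health.org.   300  IN MX 10 mx1.example-health.org.
example-health.org.        3600 IN NS ns1.example-health.org.
example-health.org.        3600 IN NS ns-attacker.example.net. ; NS replaced
vpn.example-health.org.    300  IN A  203.0.113.22          ; not in baseline
"""

ALLOWED_NETBLOCKS = ["203.0.113.0/24"]    # constructed: address space the org owns


def parse_records(text: str) -> RecordSet:
    """Parse 'name ttl IN type rdata...' lines into {(name, type): {rdata, ...}}.

    Comments after ';' are ignored, names and rdata are lower-cased so that case
    differences between resolvers do not show up as spurious changes.
    """
    records: Dict[RecordKey, set] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unrecognised record line: {line!r}")
        key = (parts[0].lower(), parts[3].upper())
        records.setdefault(key, set()).add(" ".join(parts[4:]).lower())
    return {k: frozenset(v) for k, v in records.items()}


def diff_records(baseline: RecordSet, observed: RecordSet) -> List[Tuple[str, str, str, str]]:
    """Return findings as (severity, kind, 'name/TYPE', detail) tuples, sorted by name."""
    # Delegation and redirection records are the ones an attacker changes to hijack traffic.
    hijack_types = {"NS", "MX", "A", "AAAA", "CNAME"}
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        label = f"{name}/{rtype}"
        base, obs = baseline.get(key), observed.get(key)
        if base is None:
            findings.append(("medium", "unexpected", label, ", ".join(sorted(obs))))
        elif obs is None:
            findings.append(("high", "missing", label, ", ".join(sorted(base))))
        elif base != obs:
            severity = "critical" if rtype in hijack_types else "high"
            findings.append((severity, "changed", label, f"{sorted(base)} -> {sorted(obs)}"))
    return findings


def offnet_addresses(observed: RecordSet, allowed_cidrs: List[str]) -> List[Tuple[str, str]]:
    """List (name, address) pairs whose A/AAAA data lies outside the allowed netblocks."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for (name, rtype), rdatas in observed.items():
        if rtype not in ("A", "AAAA"):
            continue
        for rdata in rdatas:
            addr = ipaddress.ip_address(rdata)
            if not any(addr in net for net in nets):
                flagged.append((name, rdata))
    return sorted(flagged)


def run_audit():
    """Run the drift check on the constructed snapshots; returns (findings, offnet)."""
    baseline, observed = parse_records(BASELINE), parse_records(OBSERVED)
    return diff_records(baseline, observed), offnet_addresses(observed, ALLOWED_NETBLOCKS)


if __name__ == "__main__":
    findings, offnet = run_audit()
    for severity, kind, label, detail in findings:
        print(f"[{severity.upper():8}] {kind:10} {label}: {detail}")
    for name, addr in offnet:
        print(f"[OFFNET  ] {name} resolves to {addr}, outside {ALLOWED_NETBLOCKS}")
```

Two things are deliberate: the baseline is a file you version and review, not something regenerated from live DNS (otherwise a tampered zone becomes the new normal on the next run), and the off-net check is independent of the diff, so an address that was wrong in the baseline from day one still gets flagged. In production, also query the zone from the authoritative servers and from an external resolver and compare the two, since the CISA campaign involved changes made at the registrar or provider that the organization's own resolvers did not surface.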
The healthcare industry was ranked 5th out of 18 in network security, suggesting that organizations are protecting the network perimeter and segmenting their networks to limit lateral movement in the event of a breach. However, Security Scorecard notes that the weak endpoint security score implies the industry is relying on an "eggshell security model": perimeter controls are strong, but the internal network is soft. In other words, once the perimeter is breached, through a phished credential or a compromised device, there are not enough internal controls in place to prevent harm.
In the report, application security and patching cadence were also assessed, and healthcare was rated as "mediocre" in both, ranking 8th and 10th out of 18 respectively. Security Scorecard identified that the vast number of applications used in healthcare creates a large number of potential attack points, and that the expanding use of networked medical devices could be putting data at risk. Delays to patching caused by the need to schedule system and application downtime, or by resource constraints, were noted; each such delay leaves a known, exploitable vulnerability open to attack for longer. Fouad Khalil, VP of Compliance at Security Scorecard, commented, "The risk of ePHI exposure and unauthorized access is an ever-growing threat. Healthcare organizations must implement continuous assurance practices to ensure compliance and protect data. Poor cybersecurity practices are not to be taken lightly."