Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/27/2016
09:37 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Healthcare Suffers Security Awareness Woes

Weak security practices are putting patient data at risk, new SecurityScorecard report shows.

Healthcare organizations have suffered 22 major data breaches in the past year, resulting in the exposure of millions of patient information, a new study shows.

The 2016 Healthcare Industry Cybersecurity Report from SecurityScorecard illustrates the ills in healthcare's cybersecurity posture. SecurtiyScorecard conducted an analysis of 700 healthcare organizations including medical treatment facilities, health insurance agencies, and healthcare manufacturing businesses. The study covers the period of August 2015 through August 2016.

Network security, IP reputation, and patching cadence are among healthcare's biggest struggles, the study found. Seventy percent of health insurance providers are not adequately protecting patient information, and 63% of the 27 largest US hospitals received a C or lower in Patching Cadence, as they don't fix bugs in their software. More than 75% of the industry suffered malware infections. 

"The greatest security threat comes in the form of malware that will take data and provide access to database resources," says Alex Heid, chief research officer at SecurityScorecard.

Healthcare also suffers from a security awareness problem among users.

"We found a significant correlation between malware infections, and security awareness and social engineering of employees within enterprises," says Heid. Combined with a high amount of vulnerable endpoints, including web browsers and operating systems, this leads to a spike in malware from healthcare organizations.

Healthcare is a target for exploitation because its businesses are sitting on the same data financial companies collect, Heid explains. This includes full names, dates of birth, social security numbers, and other information that can be used for identity theft. 

However, healthcare providers don't have the same protection as financial institutions, he continues. The purpose of banks is to transfer and protect finances, as well as the technology to support them. 

Healthcare companies are focused on human health and healing, and ensuring their services are operational to provide medical care. They weren't thinking about security difficulties because they hadn't happened yet, he continues. "Now, they have to learn by getting scratched." 

"There's a need to balance security and functionality that has been difficult for the healthcare industry," he says. "The security aspect has always taken a backseat because it was never considered to be as large of a target as it has become."

How Healthcare Orgs Get Hit

A common way for malware to enter organizations is through employees who engage with suspicious websites from work, using their corporate email addresses. These may include adult online dating sites or webpages promising opportunities to make money from home.

While this trend spans all industries, Heid notes in healthcare there is a correlation between malware and high numbers of employees entering information on these websites from work computers. This is a sign of poor security awareness; workers who interact with these sites are also likely to open potentially malicious email attachments.

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

 

The study also sheds light on the growing risk of network-connected devices, aka IoT: wireless medical devices and tablets, for example. New hardware has enabled medical advancements and benefited hospitals and patients, but quick deployment has resulted in weak security. 

Further, more modern IoT medical devices are being used to collect sensitive health data and require tougher network security. "It's very important hospitals understand the full capabilities of advanced medical devices they're implementing before potentially fatal accidents occur," says Heid.

Another security challenge for healthcare organizations is updating legacy Web applications. Many insurance companies and healthcare providers have merged or been acquired, and their old networks and infrastructure have been grandfathered in.

This heightens security risk, says Heid, as many companies are still using legacy Web apps that are over ten years old, and have been fixed with band-aids over the years. Now, they need a full overhaul. 

Heid says healthcare organizations must patch their systems, run up-to-date endpoint software, and conduct continuous monitoring and vulnerability assessments to understand where the weak points are.

Going forward, the healthcare industry will continue to experience myriad security problems: new hacked databases from third-party providers will circulate; new medical devices will enter the market.

However, healthcare organizations are becoming more security-savvy, he says. "Healthcare businesses and their leadership are definitely starting to pay attention," he says. "Nobody wants to be the next headline."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1842
PUBLISHED: 2020-02-18
Huawei HEGE-560 version 1.0.1.20(SP2); OSCA-550 and OSCA-550A version 1.0.0.71(SP1); and OSCA-550AX and OSCA-550X version 1.0.0.71(SP2) have an insufficient authentication vulnerability. An attacker can access the device physically and perform specific operations to exploit this vulnerability. Succe...
CVE-2020-8010
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains an improper ACL handling vulnerability in the robot (controller) component. A remote attacker can execute commands, read from, or write to the target system.
CVE-2020-8011
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains a null pointer dereference vulnerability in the robot (controller) component. A remote attacker can crash the Controller service.
CVE-2020-8012
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains a buffer overflow vulnerability in the robot (controller) component. A remote attacker can execute arbitrary code.
CVE-2020-1791
PUBLISHED: 2020-02-18
HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.185(C00E74R3P8) have an improper authorization vulnerability. The system has a logic judging error under certain scenario, successful exploit could allow the attacker to switch to third desktop after a series of operation in ADB mode.