While it is well known that the healthcare industry is being targeted by hackers, a new report from SecurityScorecard finds that the industry also lacks basic security awareness among staff, leaving it at heightened risk of attacks through social engineering.
Essentially, healthcare employees are the “low-hanging fruit” for social engineering attacks, the report authors say.
The report finds that healthcare has the fifth-highest ransomware count among all industries, and that more than 77 percent of the healthcare industry has been infected with malware since August 2015.
From August 2015 to August 2016, SecurityScorecard analyzed the security ratings of more than 700 healthcare organizations, identifying the most prevalent security weaknesses among treatment centers, insurance providers, manufacturers, and hospitals. Researchers also took a closer look at the 27 largest hospitals (measured by number of beds) and the 10 largest health insurance providers (measured by revenue), and looked for common factors between 22 major publicized data breaches and the ransomware infections detected on the SecurityScorecard platform.
Some key findings from the report include:
88 percent of all healthcare manufacturers have had malware infections
96 percent of all ransomware affecting the healthcare industry targeted medical treatment centers
Healthcare ranks 15th out of 18 industries in social engineering, suggesting a security awareness problem among personnel and staff
40 percent of breached companies had a C or lower in network security at the time of breach
63 percent of the 27 biggest U.S. hospitals have a C or lower in patching cadence, which measures an organization’s ability to implement security software patches in a timely fashion
More than 50 percent of the healthcare industry has a network security score of a C or lower
Healthcare ranks 9th in overall security rating compared to all other industries
The report authors wrote, “While a hospital’s IT department may be up to date and proficient at security standards such as DNS health and endpoint security, employees such as medical personnel, administrative professionals, among others, within a healthcare organization may not necessarily prioritize information security. The low Social Engineering scores among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient and this poses a real risk to those organizations. Security is only as strong as the weakest link, and employees are often the lowest-hanging fruit when it comes to phishing, spear phishing, and other social engineering attacks.”
Another risk is the array of wireless-capable devices, such as Internet of Things (IoT) devices, wireless medical devices and tablets, that have paved the way for medical advances benefiting hospitals and patients. However, their rapid delivery and deployment have resulted in subpar security configurations.
“As long as these IoT devices are manufactured with poor security standards, the vulnerability doesn’t only lie within the devices themselves, but they also pose a risk to any hospital, treatment center, or individual using the device. If a connected device is hacked into, the device can be forced to malfunction or it can be used as a pathway to reach an organization’s primary network,” Alex Heid, chief research officer at SecurityScorecard, said in a statement.
The report authors conclude that a healthcare facility has a number of options for improving security awareness across the entire organization.
“Organizations can employ security awareness training companies to come in and train staff but it’s important to note that this training needs to take into account HIPAA regulations, ethics standards, and the different departments and positions involved. Training should differ depending on whether a staff member is part of operations, a medical practitioner, a visiting professional, or if they’re interacting with patients and patients’ data,” the report authors stated. Organizations can also implement ongoing security awareness processes that continuously support both existing and new employees.
“For hospitals and major healthcare treatment centers, the security department should be proactive and make sure that their networks are segmented to account for IoT security and that their connected devices no longer have their default security settings in place. Major insurance companies should be properly assessing their third party security and assessing the security of any potential M&A targets,” the report authors wrote.
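As an added illustration of the segmentation the report authors recommend (this is an example written for this page, not configuration from SecurityScorecard or the report), the nftables ruleset below places connected medical and IoT devices on their own VLAN and allows only two flows: device telemetry to a single collector, and management access from a jump segment, which is the only path from which default credentials and settings should be changed. The VLAN names, subnets and collector address are assumed for the example; a flat network, by contrast, would let any compromised workstation or phished user reach a device still running its factory settings.

```nftables
#!/usr/sbin/nft -f
# Added example: isolating a clinical IoT/medical-device VLAN.
# Assumed topology (not from the report): the hospital firewall routes
#   vlan10  10.10.0.0/16  clinical workstations
#   vlan20  10.20.0.0/16  IoT and connected medical devices
#   vlan30  10.30.0.0/16  management / jump hosts
# and a vendor telemetry collector is assumed at 10.10.5.20.
flush ruleset

define CLINICAL = vlan10
define IOT      = vlan20
define MGMT     = vlan30
define IOT_NET  = 10.20.0.0/16
define MGMT_NET = 10.30.0.0/16
define TELEMETRY_COLLECTOR = 10.10.5.20

table inet hospital {
    chain forward {
        # Default deny between segments: anything not listed below is dropped.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Management segment may reach devices for patching and for replacing
        # default credentials, but only on SSH/HTTPS and only from the jump subnet.
        iifname $MGMT oifname $IOT ip saddr $MGMT_NET tcp dport { 22, 443 } accept

        # Devices may push telemetry to the one collector, over TLS only.
        iifname $IOT oifname $CLINICAL ip saddr $IOT_NET ip daddr $TELEMETRY_COLLECTOR tcp dport 443 accept

        # Devices never initiate connections into workstations or management;
        # log the attempts so a compromised device shows up in monitoring.
        iifname $IOT oifname { $CLINICAL, $MGMT } log prefix "iot-egress-blocked " drop

        # Workstations cannot reach devices directly: a phished user's machine
        # must not be a pathway to a device still on factory settings.
        iifname $CLINICAL oifname $IOT log prefix "clinical-to-iot-blocked " drop
    }
}
```

Load it with `nft -f` on the router or firewall that carries the VLAN interfaces; the logged prefixes make blocked device-to-workstation attempts easy to alert on, and adding a second allowed flow (a PACS server, an NTP source) means adding one explicit accept rule rather than weakening the default-deny policy.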