Clearwater has identified the most prevalent security weaknesses in healthcare from IRM analyses carried out in the past 6 years. A considerable amount of risk data from hospitals, Integrated Delivery Networks and business associates of healthcare organizations was evaluated to determine the most common security flaws in healthcare.
The analysis showed that nearly 37% of high and critical risks were in three areas:
- User authentication
- Excessive user permissions
- Endpoint leakage
The most typical security vulnerabilities in healthcare were in user authentication. These occur as a result of failing to properly authenticate users and confirm the level of access a user has to an organization’s resources. These flaws consist of the use of default usernames and passwords (such as admin/admin), writing down passwords and posting them on computer monitors or hiding them beneath keyboards, and the transmission of sensitive information via email in plain text.
User authentication inadequacies were most frequently related to servers and SaaS solutions. Clearwater notes that over 90% of healthcare companies said they use password/token management policies and procedures, but most of the time the technical implementation of policies is inadequate.
Clearwater suggests using strong passwords, enabling single sign-on, and limiting the number of unsuccessful attempts to log in before access is blocked. Of the institutions that had user authentication inadequacies, 84.4% had inadequacies in password requirements, 52.2% did not employ single sign-on, and 40.4% did not block accounts after a set number of unsuccessful logins.
The cybersecurity best practice of restricting the use of admin accounts and limiting system and data access was generally not followed by healthcare establishments.
Failing to limit access to drives and networks that users do not require to complete work duties heightens risk. By limiting user permissions, the damage caused by a cyberattack can be greatly reduced. Healthcare companies should follow the principle of least privilege and should only give employees access to data and networks that they require to perform their work tasks.