By means of complying with HIPAA, healthcare providers have attained a baseline standard of security. However, healthcare cybersecurity still needs to further improve.
The Security Scorecard’s 2019 Healthcare Cybersecurity Report revealed that out of 18 industry sectors studied, the healthcare industry ranks 8th for cybersecurity. The worst areas of healthcare security were DNS health and endpoint security, which got a ranking of 13th and 12th respectively.
When there is no proper DNS security control, hackers could change DNS records. An attack like that would enable cybercriminals to redirect web traffic to fake websites to harvest credentials. The US Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) issued a warning regarding this attack method in January 2019.
Endpoint security is also a big problem. Healthcare employees use a broad variety of devices to get access to healthcare networks. This introduces risks that are often difficult to manage. Security Scorecard references the 2018 HIMSS Cybersecurity Report, which showed that 27.5% of surveyed healthcare employees believed there were too many endpoints being used. HIMSS rated this as an obstacle that was hampering efforts to remediate breaches and prevent further cyberattacks.
The one area in healthcare security in which many healthcare organizations are performing well is network security where the industry ranked 5th of 18. The high ranking suggests healthcare organizations are securing the network perimeter by means of firewalls and are segmenting their networks to restrict access in case of a perimeter breach.
Security Scorecard remarks that when this score is considered along with the low endpoint security score, it indicates that the healthcare industry has adopted an “eggshell security model” for protecting networks. Perimeter controls are robust, but they protect a soft and susceptible internal networks. In the event of a breach of the perimeter, inadequate controls are present to reduce damage.
The other areas evaluated for the report include application security and patching cadence, which have ranks of 8/18 and 10/18 respectively. The application security score was fairly good, however Security Scorecard cautioned that the large number of applications utilized in healthcare means there are several exploitable vectors that could be used in attacks. The growing usage of networked medical devices is also putting data at risk.
Patching of identified vulnerabilities is somewhat slow. Patches are applied slowly down to avoid system downtime. Nevertheless, patching delays mean organizations remain vulnerable to attack. A lot of attacks take place within a couple of days of patches being made available.
Security Scorecard said healthcare organizations need to follow constant assurance practices to remain compliant and sufficiently secure data. Poor cybersecurity procedures must not be taken lightly.