90% of healthcare companies get a 'B+' on cybersecurity with medical devices falling below the mark

How would you grade the healthcare industry for its cybersecurity practices?

SecurityScorecard gave healthcare a "B+" in cybersecurity, noting that the industry's security ratings were "higher than expected."

The company couched its findings in the context of the Change Healthcare cyberattack and says the report will help healthcare organizations gauge the risk of a breach and prevent a similar outcome. Companies use SecurityScorecard's security ratings technology for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight. 

The report analyzed security risks from the top 500 healthcare companies, a large percentage of which are pharmaceutical and biotechnology companies.

SecurityScorecard researchers looked across the healthcare sector, including pharma and biotech, medical device suppliers and distributors, practices, and insurance and billing organizations. Reported healthcare cyberattacks tend to focus on care providers, which can skew the perception of cybersecurity risk across the broader healthcare landscape, the report says. Overall, 90% of healthcare organizations studied received an A or B in cybersecurity; 8% received a C and 2% received a D or F. According to the company's ratings methodology, a "B" rating indicates a 2.9x greater likelihood of a breach than an "A"; a "C" rating indicates a 5.4x greater likelihood of a breach; a "D" rating indicates a 9.2x greater likelihood of a breach; and an "F" rating indicates a 13.8x greater likelihood of a breach.

“One single point of failure, like Change Healthcare which underpinned medical claims processing, can cripple the entire healthcare ecosystem. And history will continue to repeat itself if the cybersecurity community does not actively monitor supply chain risk. Together, we must identify and address single points of failure," said Ryan Sherstobitoff, senior vice president of threat research and intelligence in a statement.

The researchers surmised that the overall rating was higher than expected because the sample consisted of large, publicly traded companies, which often have better security, and because it contained a large number of pharmaceutical and biotechnology companies.

SecurityScorecard notes that breaches at the top 500 healthcare companies would have the greatest effect on the healthcare market and on the largest number of patients, compared with smaller organizations and providers. These companies also tend to be the most targeted, as hackers perceive them to be the most profitable.

Possible consequences of a ransomware attack include the use of patient data for fraud, exposure of pharmaceutical IP and the disruption of business processes, the report says.

Pharma, practices and insurance organizations all earned equivalent high marks from the analysts.

Medical device makers and distributors, however, scored worse and accounted for an outsized proportion of the organizations in the bottom 10% of cybersecurity scores. A main factor dragging down the medical device score is lower endpoint security ratings, mostly attributed to outdated web browsers, according to the report.

While medical devices were found to be the most problematic sector in the study, SecurityScorecard says its findings warrant a broader look at the risk of these devices not just to hospitals but to the manufacturers themselves. 

“Vulnerable medical devices are well-known as a distinctive risk factor in this industry, but mainly for the care providers that deploy them in their attack surfaces, rather than the companies that manufacture or distribute them,” the report says. 

The analysts say medical devices are more susceptible to attack because of the difference in their attack surface.

Nine percent of organizations analyzed had a data breach in the last year or a device compromised in the last 30 days.

SecurityScorecard noted the latter factor was important because, “a compromised machine could be just the tip of the iceberg, or an initial access point from which a threat group moves laterally and expands its access across the network.”

For medical device manufacturers and suppliers, evidence of compromised machines in the past 30 days was twice that of the overall sample. 

SecurityScorecard broke down the greatest risks to cybersecurity across the organizations: 

  • Redirect Chain Contains HTTP (32%)
  • SSL/TLS Service Supports Weak Protocol (22%)
  • Unsafe Implementation of Subresource Integrity (8%)
  • Outdated Web Browser Observed (7%)
  • SPF Record Contains a Softfail without DMARC (5%)
  • Website Copyright is Not Current (5%)
  • Miscellaneous Application Security Issues (5%)
  • SPF Record Missing (3%)
  • Website References Object Storage (3%)
  • Site Does Not Enforce HTTPS (2%)
  • Session Cookie Missing “HttpOnly” Attribute (2%)
  • Session Cookie Missing “Secure” Attribute (2%)

It further divided the issues into four categories: network security, application security, endpoint security and DNS health. It found that while application security threats were most common (mainly redirect chains containing HTTP), endpoint security threats were the riskiest to companies.

DNS health issues included two specific Sender Policy Framework (SPF) findings: an SPF softfail without DMARC, which lets suspicious emails proceed into spam folders or into inboxes flagged with question marks; and the absence of any SPF record at all.
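As an added illustration of the two SPF findings described above (this code is not from the report or the article), the check below classifies a domain's DNS TXT records using the report's finding names. The domains and records are constructed inline so it runs offline; a real deployment would fetch the TXT records through a resolver instead.

```python
# Added example (not part of the SecurityScorecard report): a defender-side check
# for the two SPF findings the article names. DNS records are constructed inline
# so the check runs offline; swap in a real resolver lookup of TXT records in practice.
import re

# Constructed TXT records keyed by DNS name (example domains, not real data).
CONSTRUCTED_TXT = {
    "softfail-only.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "softfail-dmarc.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.softfail-dmarc.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@softfail-dmarc.example"],
    "hardfail.example": ["v=spf1 ip4:198.51.100.10 -all"],
    "no-spf.example": ["some-unrelated-verification=abc123"],
}

def lookup_txt(name, records=CONSTRUCTED_TXT):
    # Stand-in for a DNS TXT query; unknown names resolve to no records.
    return records.get(name, [])

def spf_record(domain, records=CONSTRUCTED_TXT):
    """Return the domain's SPF record, or None if no TXT record starts with v=spf1."""
    for txt in lookup_txt(domain, records):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None

def spf_all_qualifier(spf):
    """Qualifier on the terminal 'all' mechanism: '+', '-', '~' or '?' (None if absent)."""
    m = re.search(r"(?:^|\s)([-+~?]?)all(?:\s|$)", spf, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or "+"  # a bare 'all' defaults to pass ('+')

def has_dmarc(domain, records=CONSTRUCTED_TXT):
    # DMARC policy lives in a TXT record at _dmarc.<domain>.
    return any(t.lower().startswith("v=dmarc1") for t in lookup_txt("_dmarc." + domain, records))

def assess_domain(domain, records=CONSTRUCTED_TXT):
    """Map a domain to the finding names used in the article, or 'ok'."""
    spf = spf_record(domain, records)
    if spf is None:
        return "SPF Record Missing"
    if spf_all_qualifier(spf) == "~" and not has_dmarc(domain, records):
        # Softfail alone only asks receivers to treat mail as suspicious; without a
        # DMARC policy there is no instruction to quarantine or reject it.
        return "SPF Record Contains a Softfail without DMARC"
    return "ok"

if __name__ == "__main__":
    for d in ("softfail-only.example", "softfail-dmarc.example", "hardfail.example", "no-spf.example"):
        print(f"{d}: {assess_domain(d)}")
```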

Outsourcing work to third parties also presents risks to healthcare organizations, especially when they outsource administrative and financial tasks or outsource labs and diagnostics. Vendors that hold healthcare data or that have vulnerable software are also risks to healthcare organizations, SecurityScorecard says.