SecurityScorecard has published its 2016 Healthcare Industry Cybersecurity report, which finds that most of the healthcare industry has been a victim of malware intrusions.
The Healthcare Report Shows That Malware Has Hit Hard
SecurityScorecard has released its annual report on the healthcare industry, a comprehensive analysis of the cyber security threats facing the medical industry. The data was collected from over 700 organizations, including medical treatment facilities, health insurance agencies and healthcare manufacturing vendors.
According to the report, the healthcare industry is one of the industries most targeted by hackers. Cyber security is one of the five health issues of 2016. In numbers, 40% of all consumers would abandon or hesitate to use a health organization if it was hacked, and 50% of them would avoid or be wary of using medical devices if a breach is connected to the manufacturer.
The researchers have analyzed in detail 27 of the biggest hospitals and the 10 largest health insurance providers in the USA. Here are the key findings of the report:
- Over 75% of the entire healthcare industry has been infected with malware over the last year
- 88% of all healthcare manufacturers have had malware infections
- 96% of all ransomware affecting the healthcare industry targeted medical treatment centers
- Healthcare is 5th highest in ransomware counts among all industries
- Healthcare ranks 15th out of 18 in Social Engineering among all industries, suggesting a security awareness problem among their personnel and staff
- In August 2016, past-breached companies were still found to have 242% as many C’s or lower in Social Engineering compared to non-breached companies
- 40% of breached companies had a C or lower in Network Security at the time of breach
- Over 50% of the healthcare industry has a Network Security score of a C or lower
- 63% of the 27 Biggest US Hospitals have a C or lower in Patching Cadence
- Healthcare ranks 9th in overall security rating compared to all other industries
The healthcare industry ranks 9th in cybersecurity compared to all other industries. The other targeted industries include financial services, food, technology, retail, information services, non-profit, energy and manufacturing.
Unfortunately, the performance of the healthcare industry's security measures falls below the industry average in 6 out of 10 categories:
- Total Score
- Cubit Score
- DNS Health
- Endpoint Security
- Password Exposure
- Patching Cadence
- Social Engineering
Major Risks in the Security of the Healthcare Industry in 2016
The analysis shows that 47% of the healthcare industry operated with unpatched vulnerabilities within their internal network. This shows that the IT staff of these institutions have neglected computer and network security. Software vulnerabilities are the primary intrusion paths for malware, as the most popular exploit kits target hundreds of vulnerabilities.
Unfortunately, the report states that over 77% of healthcare organizations have been infected with malware since August 2015. The most troublesome fact is that healthcare manufacturers have nearly reached a 90% malware infection rate, which is the highest of all healthcare sectors.
Probably one of the most alarming facts revealed in the report is that 96% of all ransomware has targeted medical treatment centers. This means that hackers have focused on them, as they hold sensitive information such as patient data that is often not backed up to other secure locations.
Major Healthcare Industry Attacks
Some of the major reported breaches include the following incidents:
- 21st Century Oncology – The institution reported that an unauthorized person had gained access to their network. The hack was reported to affect over 2.2 million patient records. A 57 million US Dollars class-action lawsuit is currently filed against the company
- Centene Corporation – Early in January, Centene Corporation announced that six company-owned hard drives were lost during an inventory check of their IT assets. Over 950 thousand patient records were impacted; the data includes social security numbers, personally identifiable information and insurance identification numbers
We have already warned about the possibility of even larger incidents happening. This is one of the reasons why we have written a large guide on IoT security for medical establishments. You can read more about this issue in our in-depth analysis.