Healthcare Industry gets 'B+' on Cybersecurity for 2024
New York: A new research by SecurityScorecard highlights both the robust security and significant vulnerabilities facing the U.S. healthcare sector in 2024. Despite achieving an overall security rating of “B+” for the first half of the year, the industry is grappling with a critical vulnerability: supply chain cyber risk. The new report, “The Cyber Risk Landscape of the U.S. Healthcare Industry, 2024,” examines historical breach data and security ratings to provide insights for healthcare organizations to stop supply chain breaches.
In the wake of the Change Healthcare ransomware attacks, SecurityScorecard STRIKE threat analysts investigated the most critical risks faced by the 500 largest U.S. healthcare companies. Key findings underscored the sector’s solid security posture, with an average security score of 88. However, organizations holding a “B” rating were found to be 2.9 times more susceptible to data breaches compared to those with an “A” rating.
The report highlighted that healthcare leads among industries in third-party breaches, accounting for 35% of such incidents in 2023.The supplier ecosystem is a highly desirable target for ransomware groups. Attackers can infiltrate hundreds of organizations through a single vulnerability without being detected.
Medical device and equipment companies, in particular, faced heightened risks, scoring 2-3 points lower than those of the overall healthcare sample and reporting a 16% higher rate of breaches and compromised machines than those in other healthcare sectors.
Application security issues are among the most significant flaws in healthcare attack surfaces – 48% of organizations scoring the lowest in this category. The software supply chain gives an attacker access to source code, build processes, pipeline tools, or software updates to carry the attack downstream to the supplier’s customers, which often implicitly trust the vendor and its systems.
Despite the escalating threat landscape, only 5% of healthcare organizations publicly reported breaches in the past year, with 6% detecting compromised machines on their networks in the past 30 days. Ransomware remains a top threat to the industry, as reflected in the public reporting on these attacks.
As a result of Change Healthcare costing some companies $1 million per day, corporate security executives are doubling down on efforts to bolster supplier oversight and cybersecurity measures. Every organization must scrutinize its data security practices, assess third- and fourth-party access to sensitive data, and identify critical vendors essential to revenue.
Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence, said, “One single point of failure, like Change Healthcare which underpinned medical claims processing, can cripple the entire healthcare ecosystem. And history will continue to repeat itself if the cybersecurity community does not actively monitor supply chain risk. Together, we must identify and address single points of failure.”
The study analyzed security ratings and historical breach data of the 500 largest publicly traded healthcare companies in the United States, providing a comprehensive overview of the sector’s cybersecurity landscape.
Read also: NHS Cyber Attack: Stolen Blood test data allegedly published online
