
New report says healthcare leads to third-party data breach



In a statement Tuesday, SecurityScorecard said that while the study highlights the healthcare sector’s cybersecurity progress, giving the industry a “better than expected” B+ security rating for the first half of 2024, weaknesses in application and endpoint security pose significant risks to the supply chain.

WHY IT MATTERS

SecurityScorecard, a supply chain cybersecurity company, said it examined the breach histories and security ratings of the 500 largest publicly traded healthcare companies in the United States to provide the industry with insights that can help prevent third-party data breaches.

In the US Healthcare Cyber Risk Landscape, 2024 study, 9% of healthcare organizations examined had a publicly reported breach in the past year or evidence of a compromised machine in the past 30 days, “if not both,” the researchers said. Additionally, 2% had a publicly reported breach in the past year and a machine compromised in the past 30 days.

Meanwhile, healthcare companies have an average security rating of 88, according to SecurityScorecard threat analysts.

“Possible reasons for this difference include: our sample includes large, publicly traded companies, which typically have better security, and the majority of pharmaceutical and biotechnology companies in our sample,” they said.

Key findings in the report detail how cybersecurity challenges in the healthcare sector far exceed every other sector.

Analysts found Application Security issues to be the most common source of degrading risk, “but the severity of those issues is typically low or moderate.”

While endpoint security issues typically have a lower impact on a healthcare organization’s score, when they do have a significant negative impact on the score, their severity is high compared to the other factors that contribute to lower security scores.

“Low endpoint security scores primarily stem from using outdated Web browsers; other endpoint security issues are much less common.”

Medical device manufacturers and distributors of medical equipment and supplies also scored significantly lower.

“We attribute this difference to differences in their attack surfaces, some of which may be more similar to those of non-healthcare manufacturers than other health care organizations,” the analysts said.

The report also covers ransomware and how it can affect all four healthcare sectors, “not least healthcare providers as the most famous examples.”

Fraudulent use of patient data, threats to expose highly valuable pharmaceutical intellectual property for extortion, and disruption of business processes, “as in the case of Change Healthcare,” all carry a high level of risk, analysts said.

Other sources of risk noted include specialized third-party platforms, outsourcing of non-clinical business functions to third-party vendors, and commissioning of laboratory tests and diagnostic imaging to third-party care providers.

THE BIGGER TREND

Last year, the Health 3rd Party Trust Initiative, which includes many security and healthcare organizations such as HITRUST and CORL, said 55% of healthcare organizations had experienced a third-party breach from 2022 and that it considers third-party risk management inadequate.

Health3PT’s Recommended Practices & Practices Guide aims to create standards for the TPRM ecosystem and further enhance efficiency and effectiveness by standardizing validated assurance mechanisms instead of one-time self-attested questionnaires.

“We want to be a united front with third parties,” John Houston, chief information security officer at UPMC, told Healthcare IT News. “I think this is an important part of it — being able to come to the industry and say, ‘This is what we expect of you.’ When third parties have any of our data, this is what we expect.”

ON THE RECORD

“A single point of failure, like Change Healthcare in medical claims processing, could cripple the entire healthcare ecosystem,” Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard, said in announcing the report.

“And history will continue to repeat itself if the cybersecurity community does not actively monitor supply chain risk. Together, we must identify and address single points of failure.”

Andrea Fox is a senior editor at Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
