Frankenstein approach to cybersecurity renders healthcare organizations dead last at fixing vulnerabilities

The biggest problem? Outdated IT and tight budgets make it hard to fend off growing throngs of hackers.
By Jessica Davis
12:14 PM
Share
Healthcare last security vulnerabilities

Not only does the healthcare industry have the highest occurrence of cybersecurity mishaps of all industries, it also ranks at the bottom for its ability to fix software vulnerabilities and a big part of the problem is credential, identity and access management, according to security specialists.

Significant vulnerabilities lie within credential management, cryptographic issues, information leakage, code quality and insufficient input validation, security firm Veracode noted in its seventh annual State of Software Security report, which also determined the aforementioned ranking of healthcare as last among industries. 

As safety of patient data under HIPAA is a major healthcare industry concern and more organizations are held accountable for HIPAA compliance violations, flaws within the cryptographic arena and credential management demonstrate the need for better security in these areas.

“If you look at the health sector and the executives and managers: They’re not equipped in this day and age to prevent threats,” ICIT Researcher James Scott said. “Board members and executives within the healthcare industry don’t care enough about cyber hygiene because it doesn’t have a solid return on investment.” 

[Also: Hack-proofing ID and access management]

When it comes to testing and passing software vulnerability scans, the government has the lowest pass rate (75 percent), but the healthcare industry edges in at a close second with 67 percent of organizations not passing, the Veracode report found.

What’s most concerning about healthcare’s bottom-rung performance is that it’s behind the top performing industry, manufacturing, by a two-to-one ratio on its fix rates.

Adding to the issue, Scott explained, is that healthcare has applied ‘Frankenstein’ technique to its IT programs, with outdated technology that was never meant to be networked. And many of these hospitals lack funding or simply don’t designate budgets to cover security improvements.

Veracode’s researchers generated the report metrics from real application risk postures taken from code-level analysis of billions of lines of code gathered over 18 months. The statistics of the report are based on software never before scanned for security flaws.

This data, particularly when taking into account ICIT’s recent report on how hackers are increasingly targeting the healthcare sector, verify security executives need to shift their focus to these vulnerabilities. Cybercriminals are targeting healthcare because systems aren’t properly secured.

“The health sector is one of those critical infrastructure silos, but they flat out refuse to adapt to the imminent threats,” Scott said. While the financial sector completely overhauled its system after the most prominent attacks, like Target, healthcare has yet to make that priority shift.

“Once an attacker knows that a system exists and that it can be remotely accessed, they compromise it by leveraging an exploit against a discovered vulnerability,” according to the ICIT report. “If a seller can gain rudimentary access to a network, then they can laterally move to systems that contain valuable information.” 


 The HIMSS and Healthcare IT News Privacy & Security Forum in Boston takes place Dec. 5-7, 2016. What to expect: 
⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ A CISO, consultant, and infosec vendor nail down cybersecurity best practices
⇒ Gone' phishin': Mayo Clinic shares tips for fending off attacks

⇒ Security budgets grow but breaches continue unless hospitals adopt best practices
Think offshoring PHI is safe? You may not be covered if a business associate breaches data


Like Healthcare IT News on Facebook and LinkedIn