Study: Healthcare staff lacking in basic security awareness, putting medical infrastructure at risk

Security is only as strong as the weakest link, and employees are often it when it comes to phishing, spear-phishing and other social engineering attacks, SecurityScorecard finds.
By Bill Siwicki
09:27 AM

Among all industries, healthcare ranks 15th out of 18 in social engineering for security, suggesting a security awareness problem among healthcare professionals that could be putting millions of patients at risk, according to the 2016 Healthcare Industry Cybersecurity Report from SecurityScorecard, vendor of a security risk monitoring platform.

The report studied 700 healthcare organizations, including medical treatment facilities, health insurance companies and healthcare manufacturing companies.

The Verizon Data Breach Report ranks social engineering as the third most common cause for breaches, a number that is rising at the same rate as hacking and malware.

Security breaches in healthcare can pose devastating consequences because they can render an entire system or network inoperable, potentially creating a life-or-death situation that requires immediate attention.

"The low social engineering scores among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient," said Alex Heid, chief research officer at SecurityScorecard.

"Security is only as strong as the weakest link, and employees are often the lowest-hanging fruit when it comes to phishing, spear-phishing and other social engineering attacks," he added. "For a hacker, it only takes one piece of information such as learning the e-mail structure of an organization to exploit an employee into divulging sensitive information or providing an access point into that organization's network."

[Also: Phishing attack at Baystate Health puts data of 13,000 patients at risk]

Another security risk is the array of devices with wireless capabilities such as Internet of Things devices, wireless medical devices and tablets, which have paved the way for medical advances benefiting hospitals and patients. However, their speedy delivery and implementation has resulted in subpar security setups, SecurityScorecard said.

"As long as these IoT devices are manufactured with poor security standards, the vulnerability doesn't only lie within the devices themselves, but they also pose a risk to any hospital, treatment center or individual using the device," Heid explained. "If a connected device is hacked into, the device can be forced to malfunction or it can be used as a pathway to reach an organization's primary network."

The 2016 Healthcare Industry Cybersecurity Report also found:

  • More than 75 percent of the entire healthcare industry has been infected with malware during the last year. 96 percent of all ransomware targeted medical treatment centers.
  • Healthcare manufacturing reaches a 90 percent malware infection rate.
  • 63 percent of the 27 biggest U.S. hospitals have a grade of C or lower in patching cadence, which measures an organization's ability to implement security software patches in a timely fashion.
  • Healthcare has the 5th highest count of ransomware among all industries.
  • More than 50 percent of the healthcare industry has a network security score of a C or lower.

Twitter: @SiwickiHealthIT
Email the writer:

Like Healthcare IT News on Facebook and LinkedIn

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.