
Healthcare’s Strong Network Security May Reflect Outdated Model

The healthcare industry's strong showing in network security may indicate an outdated "eggshell security model," warns SecurityScorecard.


By Fred Donovan

The healthcare industry ranks fifth for network security when compared to other major U.S. industries, according to the 2019 Healthcare Cybersecurity Report by SecurityScorecard.

This was the strongest showing for healthcare in the six security categories the report examined: overall security, application security, domain name system (DNS) health, endpoint security, network security, and patching cadence.

The report said that the industry’s network security strength stems from the use of firewalls and network segregation to comply with HIPAA requirements.

While a strong showing in network security may seem like a good thing, it indicates to SecurityScorecard analysts that the industry employs an outdated “eggshell security model,” in which a hardened perimeter defends a soft, vulnerable internal network.

For the 2019 report, SecurityScorecard looked at 26,204 companies from September 2, 2018, to January 28, 2019, and analyzed terabytes of information to assess security.

In terms of overall security, the healthcare industry was in the middle, ranking eighth out of 18 major industries reviewed. However, it lagged behind other highly regulated industries, such as financial services and pharmaceuticals.

“Whether from a data protection or compliance perspective, the lack of effective controls continues to be a challenge for the healthcare industry,” the report observed.

Healthcare At Risk for DNS Hijacking

Healthcare ranked a dismal thirteenth in DNS security, making it a prime target for DNS hijacking attacks. These attacks involve cybercriminals changing DNS records and re-routing web and email traffic.
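The record changes described above are exactly what a baseline comparison catches. The following is an added illustration, not code from the article or from SecurityScorecard: it compares a known-good snapshot of a zone's records with a later observation and ranks each difference by what a redirected record would affect. The zone name, addresses and both snapshots are constructed sample data; a real run would populate the observed snapshot from a resolver.

```python
"""Detect DNS record drift against a known-good baseline.

DNS hijacking works by changing a zone's NS, MX or A records so that web
or mail traffic is routed elsewhere. Periodically diffing the live records
against a stored baseline surfaces such changes early.
"""
from dataclasses import dataclass

# Severity reflects what a changed record of that type redirects:
# NS hands over the whole zone, MX reroutes mail, A/AAAA reroute web traffic.
SEVERITY = {"NS": "critical", "MX": "high", "A": "high", "AAAA": "high", "TXT": "medium"}
ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    severity: str
    expected: tuple
    observed: tuple


def compare_records(baseline: dict, observed: dict) -> list:
    """Return one Finding per (name, type) whose record set differs.

    Both arguments map (owner name, record type) to a set of record values.
    A record set present in the baseline but absent from the observation
    (for example a deleted _dmarc TXT) is reported with an empty tuple.
    Findings are ordered by severity, most serious first.
    """
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected, current = baseline.get(key, set()), observed.get(key, set())
        if expected != current:
            name, rtype = key
            findings.append(Finding(name, rtype, SEVERITY.get(rtype, "low"),
                                    tuple(sorted(expected)), tuple(sorted(current))))
    findings.sort(key=lambda f: ORDER[f.severity])
    return findings


# Constructed sample snapshots (example.test and 203.0.113.0/24 are reserved
# for documentation). The observation shows the web address and the mail
# exchanger pointing elsewhere and the DMARC policy record gone.
BASELINE = {
    ("example.test", "A"): {"203.0.113.10"},
    ("example.test", "MX"): {"10 mail.example.test."},
    ("example.test", "NS"): {"ns1.example.test.", "ns2.example.test."},
    ("_dmarc.example.test", "TXT"): {"v=DMARC1; p=reject"},
}
OBSERVED = {
    ("example.test", "A"): {"198.51.100.7"},
    ("example.test", "MX"): {"10 mx.unexpected.invalid."},
    ("example.test", "NS"): {"ns1.example.test.", "ns2.example.test."},
}
```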

The healthcare industry ranked a respectable eighth in application security. Internet of Things devices often use insecure embedded applications, so the rise of networked medical devices could place patients and their data at risk.

“The healthcare industry’s reliance on embedded applications within IoT medical devices creates a vulnerable ecosystem whereby attackers can leverage multiple exploitable vectors to obtain access to confidential data,” the report observed.

Healthcare ranked a disappointing twelfth for endpoint security.

“Organizations in the healthcare industry remain consistently overwhelmed by the large number of endpoints, stagnating their cyber security,” the report warned.

The healthcare industry ranked tenth for patching cadence. “The healthcare industry isn’t unique in struggling with patching cadence … many major corporations have difficulty maintaining proper patching.”

SecurityScorecard explained that many companies delay patching because updating software requires system downtime and the significant use of IT resources. Many IT teams are worried about “bricking” the system with an untested patch.

“Unfortunately, hackers study the release of patched vulnerabilities and take advantage of gaps in security update times. Delaying critical patch deployments creates opportunities that can lead to data breaches,” the report related.

Some companies lack engineering resources to keep up with patching and to respond to problems that patches cause. Smaller companies may not realize that they need to deploy patches.

In addition, the number of ongoing patches can paralyze an IT team, preventing them from deploying the most pressing patches. This can open companies to data breaches, regulatory fines, and lawsuits.

Healthcare's Security Struggles

“The healthcare industry continues to struggle with security data environments and ecosystems, leading to data breaches and HIPAA violations, as well as other regulatory and industry standards compliance issues,” commented SecurityScorecard VP of Compliance Fouad Khalil.

“The risk of ePHI [electronic protected health information] exposure and unauthorized access is an increasing trend year after year,” he said.

Khalil cited statistics from OCR, which showed that a total of 195 million healthcare records have been breached since 2009, representing 59.8 percent of the US population. Last year, OCR issued ten financial penalties for HIPAA violations.

“A point-in-time compliance stance is no longer sustainable. Healthcare organizations must adopt continuous assurance practices to maintain compliance and adequately protect data,” he observed.

“Additionally, covered entities must implement best practices for business associate agreements to avoid civil and criminal HIPAA enforcement penalties. Continuously monitoring business associate security and privacy programs is as critical as monitoring your own,” he added.