Healthcare is leading the way in third-party data breaches, according to a new report

While the study spotlighted advances in cybersecurity in the healthcare sector – earning it a “better than expected” B+ security rating for the first half of 2024 – weaknesses in application and endpoint security pose a significant risk to the supply chain, SecurityScorecard said in a statement on Tuesday.

WHY IT MATTERS

SecurityScorecard, a supply chain cybersecurity company, said it examined the breach histories and security ratings of the 500 largest healthcare companies whose shares are publicly traded in the United States to provide the industry with insights that can help prevent third-party data breaches.

In the Cyber Risk Landscape of the US Healthcare Industry, 2024 survey, 9% of healthcare organizations surveyed had either a publicly reported breach in the past year or evidence of a compromised machine in the past 30 days – “if not both,” the researchers said. Additionally, 2% had a publicly reported breach in the past year and a compromised machine in the past 30 days.

Meanwhile, healthcare companies had an average security rating of 88, according to SecurityScorecard threat analysts.

“Possible reasons for this variance include: our sample of large, publicly traded companies, which often have better security; and the majority of pharmaceutical and biotechnology companies in our sample,” they said.

Key findings in the report describe how cybersecurity challenges in healthcare surpass those of any other sector.

Application security issues are the most common sources of score-lowering risks, “but the severity of these issues is often low or moderate,” the analysts noted.

Although endpoint security issues generally had a lower impact on healthcare organizations’ scores, their severity was high when they did significantly lower a score, compared to other factors contributing to lower security scores.

“Low endpoint security scores mainly result from using outdated web browsers; other endpoint security issues are much less common.”

Medical device manufacturers and distributors of medical equipment and supplies also had noticeably lower scores.

“We attribute this variance to differences in their attack surfaces, some of which may be more similar to those of non-healthcare manufacturers than those of other healthcare organizations,” the analysts said.

The report also touched on ransomware and how it could impact all four healthcare sectors, “not just the healthcare providers which are the best-known examples.”

Fraudulent use of patient data, the threat of exposing high-value pharmaceutical intellectual property to extortion and the disruption of business processes, “as in the case of Change Healthcare”, carry a high degree of risk, the analysts said.

Other sources of risk cited include specialized third-party platforms, the outsourcing of non-clinical business functions to third-party vendors, and the delegation of laboratory testing and diagnostic imaging to third-party healthcare providers.

THE BIG TREND

Last year, the Health 3rd Party Trust Initiative, which includes a spectrum of healthcare and security organizations such as HITRUST and CORL, found 55% of healthcare organizations have experienced a third-party breach since 2022 and called third-party risk management inadequate.

Health3PT’s best practices and implementation guide aims to create standards for the TPRM ecosystem and further improve efficiency and effectiveness by standardizing validated assurance mechanisms instead of one-off, self-validated questionnaires.

“We want to be a united front for third parties,” John Houston, Chief Information Security Officer at UPMC, told Healthcare IT News. “I think this is a big part of it: being able to go to the industry and say, ‘This is what we expect from you.’ If a third party has our data, we expect this.”

ON THE RECORD

“A single point of failure like Change Healthcare, which was the foundation for medical claims processing, could cripple the entire healthcare ecosystem,” said Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard, in the announcement of the report.

“And history will continue to repeat itself if the cybersecurity community does not actively monitor supply chain risks. Together, we must identify and address individual points of failure.”

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.