Healthcare leads in third-party data breaches, says new report
While the research spotlighted the healthcare sector's cybersecurity progress, earning it a "better than expected" B+ security rating for the first half of 2024, weaknesses in application and endpoint security present significant supply chain risk, SecurityScorecard said in a statement Tuesday.
WHY IT MATTERS
SecurityScorecard, a supply chain cybersecurity firm, said it examined breach history and security ratings of the 500 largest healthcare companies whose stock is publicly traded in the United States to provide the industry with insights that could help stop third-party data breaches.
In the Cyber Risk Landscape of the U.S. Healthcare Industry, 2024 study, 9% of the healthcare organizations examined had either a publicly reported breach in the past year, or evidence of a compromised machine in the past 30 days – "if not both," the researchers said. In addition, 2% had a publicly reported breach in the past year and a compromised machine in the past 30 days.
Meanwhile, the healthcare companies had an average security rating of 88, according to SecurityScorecard's threat analysts.
"Possible reasons for this variance include: our sample of large, publicly traded companies, which often have better security; and the majority of pharmaceuticals and biotechnology companies in our sample," they said.
Key findings in the report detail how healthcare cybersecurity challenges outpace every other sector.
Application Security issues are the most common sources of score-lowering risk, "but the severity of those issues is often low or medium," the analysts found.
While endpoint security issues generally had a lower impact on healthcare organization scores, when they did have a significant negative impact on a score, severity was high compared to other factors contributing to lower security scores.
"Low endpoint security scores stem mostly from the use of outdated Web browsers; other endpoint security issues are much less common."
Manufacturers of medical devices and distributors of medical equipment and supplies also had noticeably lower scores.
"We attribute this variance to differences in their attack surface, some of which may resemble those of non-healthcare manufacturers more than those of other healthcare organizations," the analysts said.
The report also addressed ransomware and how it can affect all four healthcare sectors, "not just the care providers that have been the most well-known examples."
Fraudulent uses of patient data, the threat of exposing high-value pharmaceutical intellectual property for extortion and the disruption of business processes, "as in the case of Change Healthcare," present a high degree of risks, the analysts said.
Other sources of risk noted include specialized third-party platforms, the outsourcing of nonclinical business functions to third-party vendors and the delegation of lab tests and diagnostic imaging to third-party care providers.
THE LARGER TREND
Last year, the Health 3rd Party Trust Initiative, which comprises a spectrum of healthcare and security organizations such as HITRUST and CORL, said that 55% of healthcare organizations had experienced a third-party breach since 2022 and called the industry's third-party risk management inadequate.
Health3PT's Recommended Practices & Implementation Guide is intended to create standards for the TPRM ecosystem and further improve efficiency and effectiveness by standardizing validated assurance mechanisms instead of one-off self-attested questionnaires.
"We want to be a united front to third parties," John Houston, chief information security officer at UPMC, told Healthcare IT News. "I think this is a huge part of it – being able to go to the industry and say, 'This is what we expect of you.' When a third party has any of our data, this is what we expect."
ON THE RECORD
"One single point of failure, like Change Healthcare which underpinned medical claims processing, can cripple the entire healthcare ecosystem," Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard, said in the report announcement.
"And history will continue to repeat itself if the cybersecurity community does not actively monitor supply chain risk. Together, we must identify and address single points of failure."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.