CIO

Poor patching, user education leave healthcare providers sitting ducks for cyber attacks

Sensitivity, resale value of patient data makes it a favoured and easy target for cybercriminals

Despite the masses of highly sensitive data that healthcare companies manage, new analysis has warned that chronically poor endpoint security, weak patching practices and high exposure to social engineering make the industry one of the worst-performing sectors when it comes to protecting data.

That’s a worrying finding for a sector that has long thrived on innovation and is actively seeking new ways to exploit data to improve its service delivery and treatment outcomes. Private health fund HCF, for one, last week announced the latest cohort in its Catalyst incubator program, which provides backing and exposure for med-tech startups like patient-consent provider Pracway, digital health sleep program firm SleepFit, telehealth midwifery provider Birthbeat, virtual reality medical imaging provider Vantari, AI-based health-insurance interface Boundlss, and more.

Yet despite this culture of innovation, the everyday practice of healthcare information security is struggling, according to SecurityScorecard’s latest research into healthcare security practices.

The firm’s analysis, contained in its 2018 Healthcare Cybersecurity Report, ranked healthcare 15 out of 18 industries in terms of overall information security practices. Only pharmaceutical, telecommunications, and education providers fared worse, with food and financial-services companies turning in the best overall scores.

Continued exposure to social engineering attacks – healthcare also ranked 16 out of 18 on this measure – reflected poor staff training about how to spot and avoid such compromises. And healthcare companies were ranked 16 out of 18 in terms of endpoint security, with 60 percent of the most common cybersecurity issues related to poor patching.

The firm warned that “poor patching cadence” – the failure to apply patches in a timely way after they become available – was a universal and damaging issue.

Some companies lacked the resources to introduce patches, while others didn’t have enough resources to deal with the issues that patches cause. Many others, the report’s authors warned, didn’t even know that the vulnerabilities exist – suggesting a procedural failure that is a lead indicator of problems in meeting basic data-protection compliance requirements.

"Last year took a toll on the overall cybersecurity confidence in healthcare organizations, with dozens of ransomware attacks, and data breaches. It's no surprise that our research team found healthcare organizations are behind in proper network and endpoint security protocols," said SecurityScorecard CTO Jasson Casey in a statement.

"As we move through 2018, healthcare organizations need to get back to the fundamentals of good cybersecurity hygiene by keeping up with patching schedules and outfitting the organization with enough personnel to accomplish this goal."

Poor patching practices are not uncommon, and the sheer volume of vulnerabilities keeps patching as a major issue for nearly every company – particularly when major vulnerabilities like this year’s Meltdown and Spectre bugs threaten serious issues from both the vulnerability and the cure.

There are many thoughts about how to establish good patch management practices – and, interestingly, research suggests that high-profile vulnerabilities with catchy names get patched more readily than those with obscure identifiers.

Yet with patch management long identified as a crucial baseline practice for any good security environment, vendors have been looking for ways to streamline the process. And service-management firm ManageEngine this month offered its own solution, delivering a cloud-based version of its Patch Manager Plus tool that compares an inventory of currently installed software against a continually updated cloud registry of vulnerabilities and patches.
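The inventory-versus-registry comparison described above, reduced to its core logic, as an added Python example that is not part of the article and is not ManageEngine's code: it takes a constructed software inventory and a constructed patch registry, reports every host and product whose installed version is older than the first fixed version, and turns the age of each outstanding patch into the "patching cadence" figures the report refers to. All hostnames, product names, version numbers, dates and advisory ids are made up for the example, and it assumes plain dotted numeric version strings.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Patch:
    """One registry entry: the first version of a product that contains
    the fix, and the date the vendor published it."""
    product: str
    fixed_version: str
    released: date
    advisory: str  # vendor advisory id; constructed placeholders below


def version_key(version: str) -> tuple:
    """Turn a dotted numeric version ('1.1.0') into a comparable tuple.
    Assumption: inventory and registry both use dotted integer versions."""
    return tuple(int(part) for part in version.split("."))


# Constructed inventory: host -> {product: installed version}. Not real data.
INVENTORY = {
    "ward-pc-01": {"openssl": "1.1.0", "browser": "64.0"},
    "imaging-srv": {"openssl": "1.1.1", "dicom-viewer": "3.2"},
}

# Constructed registry: product -> patches published for it. Not real advisories.
REGISTRY = {
    "openssl": [Patch("openssl", "1.1.1", date(2018, 1, 10), "ADV-0001")],
    "browser": [Patch("browser", "65.0", date(2018, 3, 5), "ADV-0002")],
    "dicom-viewer": [Patch("dicom-viewer", "3.3", date(2018, 4, 1), "ADV-0003")],
}

# Constructed reporting date used for the cadence figures.
REPORT_DATE = date(2018, 4, 20)


def missing_patches(inventory, registry):
    """Compare every installed version against the registry and return the
    (host, product, installed_version, patch) tuples where a published fix
    has not been applied. Products absent from the registry are skipped,
    which is exactly the blind spot the report warns about."""
    findings = []
    for host, software in sorted(inventory.items()):
        for product, installed in sorted(software.items()):
            for patch in registry.get(product, []):
                if version_key(installed) < version_key(patch.fixed_version):
                    findings.append((host, product, installed, patch))
    return findings


def cadence_summary(findings, today, sla_days=30):
    """Express the findings as patching-cadence figures: how many
    outstanding patches exceed the organisation's own SLA, and how old
    the oldest one is."""
    ages = [(today - patch.released).days for _, _, _, patch in findings]
    overdue = [age for age in ages if age > sla_days]
    return {
        "outstanding": len(ages),
        "overdue": len(overdue),
        "max_age_days": max(ages, default=0),
        "mean_age_days": round(sum(ages) / len(ages), 1) if ages else 0.0,
    }


if __name__ == "__main__":
    found = missing_patches(INVENTORY, REGISTRY)
    for host, product, installed, patch in found:
        age = (REPORT_DATE - patch.released).days
        print(f"{host}: {product} {installed} -> {patch.fixed_version} "
              f"({patch.advisory}, patch available for {age} days)")
    print(cadence_summary(found, REPORT_DATE))
```

The interesting part for a defender is the second function: a list of missing patches is only half the picture, and tracking how long each fix has been available against an agreed SLA is what turns "we have unpatched systems" into a cadence figure that can be reported and trended.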

The idea is to take the guesswork out of a practice that has, as President of Zoho Corporation Raj Sabhlok told CSO Australia, been “a little haphazard over the last few decades.”

“As big breaches and blow-ups have happened on the security front, patch management is front and centre,” he continued. “But IT is a little deer-in-the-headlights now. And the problem is exacerbated when you fall really behind: when people are just not up to date on their environments, cybercriminals will take advantage.”

Healthcare organisations have increased their security spending in the face of chronic issues with lost devices and a number of unique security challenges that have long left them exposed to targeting by cybercriminals who, for example, stole 113m healthcare records in 2015 alone. Healthcare records – which can often support identity theft or other crimes – are widely sold on the Dark Web, often for very low prices.