Last week, we had the privilege of attending a Global Town Hall hosted by the Cyber Future Foundation (CFF), focused on cybersecurity in the healthcare sector. It was a valuable opportunity to discuss notable insights from our data, as well as several of the critical trends we’re seeing in this field. Healthcare organizations are particularly exposed because of how interconnected the industry is: they maintain many connections with third- and fourth-party vendors; they hold vast amounts of personal and sensitive data; they often rely on legacy or outdated IT systems; and they have rapidly adopted telemedicine and connected medical devices. Cyberattacks on healthcare organizations are on the rise, and threat actors know that more connections into a network mean more opportunities for compromise. Organizations in the healthcare sector need a way to understand their own security posture and how it is affected by the cyber health of the partners that connect to their systems.
Currently, however, there is no industry-wide standard for measuring the effectiveness of cybersecurity, which makes it difficult for healthcare organizations to assess their risk accurately. What’s more, many organizations rely on outdated or inadequate metrics that do not reflect their overall cyber posture. Across industries, there is a growing trend towards more comprehensive measures of cybersecurity that take into account factors such as response times, recovery capabilities, and the efficacy of employee training.
SecurityScorecard was founded to provide an objective way to continuously measure, monitor, and report on the risks facing global organizations. In our ratings methodology, a lower score corresponds to a higher likelihood of a breach or significant cyber incident. Put another way: a company with an F rating is 7.7 times more likely to suffer a cyber breach than a company with an A rating.
Third-party relationships in the healthcare sector
Our recent report with the Cyentia Institute found that, overall, healthcare organizations have relatively high security ratings, but their third parties are nearly seven times more likely to receive an F rating. Another recent analysis we did of the healthcare sector looked at 126 organizations and found that 33% had a security rating of C or lower, and 70% had at least one high-severity vulnerability listed in the Common Vulnerabilities and Exposures (CVE) catalog. Taken together, these findings mean that nearly every healthcare organization is at least indirectly exposed to risk through circumstances outside its own control. Organizations in this sector must know which third- and fourth-party relationships they have and begin putting rules and processes in place to keep those connection points secure. Overall, we believe healthcare organizations would benefit most from improving their patching cadence, network security, application security, and DNS health.
As part of our mission to make the world a safer place, SecurityScorecard has partnered with 14 Information Sharing and Analysis Centers (ISACs) to support ISAC members and the collective supply chains they form. Our partnership with the Health Information Sharing and Analysis Centers (H-ISAC) has enabled us to share critical cyber threat information with key institutional partners in the healthcare field, while ensuring they have access to real-time data to monitor and protect critical assets.
The future of cybersecurity in healthcare
Looking ahead, we believe automation will be key to combating cyber incidents in the healthcare sector. Organizations can automate and scale many of the functions in their vendor risk management programs with security assessments, which provide an inside-out view of vendor risk that complements the outside-in view from security ratings. Using automation and machine learning to validate vendor responses can shorten the assessment process by as much as 83% and free up IT staff to focus on more critical issues.
Overcoming the technical resource deficit will also be critical for the public sector in combating ransomware and other cyber incidents. To prevent ransomware attacks and other intrusions, healthcare institutions must have up-to-date cybersecurity tools and consistently applied cyber hygiene practices. Continuous monitoring can identify blind spots in your digital footprint and help protect the attack surface from every angle. In the event of a confirmed or suspected ransomware attack, our incident response and digital forensics teams provide support. Other offerings include Cyber Risk Intelligence as a Service (CRI) and Attack Surface Intelligence (ASI).
For more information on how to better secure your organization, visit SecurityScorecard.