News Feature | June 2, 2014

Healthcare Ranks Last In Cyber Security

By Katie Wike, contributing writer

Cyber Security In Healthcare

Research shows the healthcare industry is lagging far behind others when it comes to cyber security.

A recent study by BitSight Technologies found that healthcare and pharmaceuticals rank last among the industries it compared on cybersecurity performance. According to Becker’s Hospital Review, the study ranked four “critical” industries on their security performance.

eWeek explains, “BitSight Security Ratings range from 250 to 900, with higher ratings equating to higher security performance. Industry ratings are calculated using a simple average of the security ratings of companies in that sector.”

Finance scored highest, with an average security rating of 765. Although the sector suffered multiple breaches, its security incidents were resolved fastest (3.5 days on average), which led the researchers to conclude that finance is best equipped to deal with cyber threats. The utilities industry averaged 751. The healthcare industry averaged only 660 and took more than five days to resolve incidents.

"In our recent assessment of medical devices used in clinics and hospitals around the country, weak encryption, lack of key management, poor authentication and authorization protocols, and insecure communications were all common findings," Chandu Ketkar, technical manager at Cigital, said in a statement. "These gaps in security can lead to a compromise in data confidentiality and integrity. When sensitive data is compromised, it can not only create risks for patients but also expose health care providers and device manufacturers to regulatory and business risks."

According to Michael Raggo, security evangelist at MobileIron, the problem may stem more from carelessness than from outside attackers.

"I will never say never, but the healthcare industry has seen a disproportionately low instance of cyberattacks, and rather a higher proportion of accidental data loss through well-intentioned but risky user behaviors on the device or lost devices. A major reason for a low instance of cyberattacks is because stringent HIPAA guidelines are a core part of the data security and compliance strategy of all healthcare organizations in the United States," Raggo told Information Week. "That said, cyberattacks are increasing, as are the number of attack vectors organizations need to protect."