B+ security rating masks healthcare supply chain risks
While the healthcare sector gets a “B+” security rating for the first half of 2024, it faces a critical vulnerability: supply chain cyber risk, according to SecurityScorecard.
The US healthcare industry’s security ratings were better than expected, with an average score of 88. However, there is still room for improvement: Organizations with a B rating are 2.9x times more likely to be victims of data breaches than those with an A rating.
Healthcare industry leads in third-party breaches
35% of third-party breaches in 2023 affected healthcare organizations, outpacing every other sector. The supplier ecosystem is a highly desirable target for ransomware groups. Attackers can infiltrate hundreds of organizations through a single vulnerability without being detected.
Ransomware and other attacks on medical device manufacturers can expose patients’ PII and protected health information (PHI). Manufacturers may have PHI/PII on patients who receive their devices, such as implants or prosthetics. For example, LockBit ransomware operators compromised Livanova, a manufacturer of cardiac and neuromodulation devices, in October 2023, and compromised data on as many as 180,000 US patients.
Pharmaceutical companies can also become ransomware targets. The often high value of pharmaceutical IP can leave them more vulnerable to the data disclosure extortion that has become a common feature of ransomware attacks.
Medical device and equipment companies scored 2-3 points lower than those of the overall healthcare sample. These organizations also had a 16% higher rate of reported breaches and compromised machines than those in other healthcare sectors.
Breaches remain low despite rising threats
Application security issues are among the most significant flaws in healthcare attack surfaces – 48% of organizations scoring the lowest in this category. The software supply chain gives an attacker access to source code, build processes, pipeline tools, or software updates to carry the attack downstream to the supplier’s customers, which often implicitly trust the vendor and its systems.
5% of healthcare organizations experienced publicly reported breaches in the past year, and 6% had evidence of a compromised machine on their networks in the past 30 days. Ransomware remains a top threat to the industry, as reflected in the public reporting on these attacks.
As a result of Change Healthcare costing some companies $1 million per day, corporate security executives are doubling down on efforts to bolster supplier oversight and cybersecurity measures. Every organization must scrutinize its data security practices, assess third- and fourth-party access to sensitive data, and identify critical vendors essential to revenue.
“One single point of failure, like Change Healthcare which underpinned medical claims processing, can cripple the entire healthcare ecosystem. And history will continue to repeat itself if the cybersecurity community does not actively monitor supply chain risk. Together, we must identify and address single points of failure,” said Ryan Sherstobitoff, SVP of Threat Research and Intelligence, SecurityScorecard.