Healthcare IT security is the worst of any sector when it comes to external security posture, according to a recent report by security advisory firm Coalfire.
The Coalfire Penetration Risk Report used customer penetration test data to analyze the security challenges within enterprises of various sizes and in different industries, including retail, healthcare, financial services, and technology, and compared the security posture of small, mid-sized, and large organizations.
In external security posture, healthcare organizations had the highest level of severe issues, followed by tech, retail, and financial services. In internal security posture, retail had the highest level of severe issues, followed closely by healthcare, tech, and financial services.
Out-of-date software, insecure protocols, misconfiguration, and password flaws were found to be the greatest threats to external networks, while insecure protocols, password flaws, and patching flaws were the top vulnerabilities in internal networks, according to Coalfire.
The report confirmed the general impression that healthcare organizations are understaffed and underfunded when it comes to cybersecurity. These shortcomings prevent healthcare organizations from implementing in-depth strategies that limit cyberattack proliferation.
Healthcare organizations often have antiquated systems that do not support sophisticated cyber defenses but that contain highly sensitive and valuable information. “These systems become increasingly vulnerable when they communicate with other high-risk systems, amplifying their threat exposure,” the report observed.
Coalfire found that healthcare organizations, especially hospitals, have hundreds and sometimes thousands of high-risk connected devices that are unsupported, unpatched, and without basic security systems in place.
“Sometimes, the equipment is unpatchable, not built at its inception with adequate lifecycle management in mind. Patching, replacing, and upgrading equipment can be seen as disruptive to continuity of patient care, and consequently, these activities are often neglected,” the report observed.
The compromise of only one of these devices could give an attacker a foothold on the network, since many of these organizations do not isolate or segment medical devices from the rest of the network.
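The two findings above (unsupported or unpatched devices, and no segmentation between the medical network and the rest of the estate) combine into the pivot risk the report describes. The following added example, which is not from the Coalfire report, shows how a defender can check for that combination from an asset inventory and a first-match firewall policy: it flags medical devices that are both high-risk and permitted to initiate connections into the corporate network. The device names, addresses, subnets and rule sets are constructed for illustration; the policy model (ordered rules, implicit deny) is an assumption, not a description of any particular firewall product.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    zone: str             # "medical" or "corporate"
    vendor_supported: bool
    patched: bool

    @property
    def high_risk(self) -> bool:
        # Unsupported or unpatched equipment: the population the report describes
        return not (self.vendor_supported and self.patched)


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"; first matching rule wins, implicit deny at the end
    src: str     # source network in CIDR notation
    dst: str     # destination network in CIDR notation


# Constructed sample inventory (hypothetical names and addresses)
DEVICES = [
    Device("infusion-pump-01", "10.50.1.10", "medical", vendor_supported=False, patched=False),
    Device("mri-console-02", "10.50.2.20", "medical", vendor_supported=True, patched=True),
    Device("ct-scanner-03", "10.50.3.30", "medical", vendor_supported=True, patched=False),
    Device("hr-workstation-07", "10.10.5.7", "corporate", vendor_supported=True, patched=True),
]

CORPORATE_NET = "10.10.0.0/16"   # assumed office/user network

# Flat network: any host may initiate connections anywhere
RULES_FLAT = [
    Rule("allow", "0.0.0.0/0", "0.0.0.0/0"),
]

# Segmented: medical devices may only talk to an assumed integration subnet
RULES_SEGMENTED = [
    Rule("allow", "10.50.0.0/16", "10.20.200.0/24"),  # hypothetical PACS/integration zone
    Rule("deny", "10.50.0.0/16", "0.0.0.0/0"),        # everything else from the medical VLAN
    Rule("allow", "10.10.0.0/16", "0.0.0.0/0"),       # office users unchanged
]


def can_reach(rules, src_ip, dst_net):
    """First-match evaluation: may src_ip open a connection to any host in dst_net?"""
    src = ip_address(src_ip)
    target = ip_network(dst_net)
    for rule in rules:
        if src in ip_network(rule.src) and ip_network(rule.dst).overlaps(target):
            return rule.action == "allow"
    return False  # implicit deny when no rule matches


def pivot_candidates(devices, rules, corporate_net):
    """Medical devices that are both high-risk and able to reach the corporate network."""
    return sorted(
        d.name
        for d in devices
        if d.zone == "medical" and d.high_risk and can_reach(rules, d.ip, corporate_net)
    )


if __name__ == "__main__":
    for label, rules in (("flat", RULES_FLAT), ("segmented", RULES_SEGMENTED)):
        print(label, pivot_candidates(DEVICES, rules, CORPORATE_NET))
```

Against the flat policy the check reports the unsupported infusion pump and the unpatched CT scanner; against the segmented policy it reports nothing, because the medical VLAN can only reach the integration subnet. The same function can be run after every policy change to confirm that segmentation has not silently regressed.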
“We often see highly confidential patient information in email, file and print servers, voice recordings, Access databases, and document libraries (like SharePoint). Because this data is unstructured and/or not accounted for in inventory, it often is not properly restricted or protected,” the report observed.
In addition, digital medicine is fueling the deployment of online healthcare platforms for accessing medical records, lab results, and online interactions with healthcare providers. While these will increase convenience for patients, they will also exacerbate existing data security problems unless healthcare organizations become more proactive, the report noted.
Coalfire recommended that healthcare organizations limit the handling of ePHI (electronic protected health information) to systems that support strong security controls.
The report also found that large enterprises are not the best prepared to protect against cybercrime, despite having bigger budgets and more resources.
Although large organizations are best at protecting against phishing and other social engineering attacks, the report – which was based on more than 300 penetration tests in 148 companies – found a cybersecurity “sweet spot” among midsized businesses, which performed best at protecting their assets and mitigating their security risks in tests.
Across all sizes and sectors, however, people remain the biggest security weakness, whether through human error or creating opportunities for social engineering hacks, the report found.
Phishing was a highly successful “foot in the doorway” for attackers who use it as an entry point to infiltrate the organization, then pivot to navigate internally to escalate for greater control.
Organizations with security weaknesses often struggle with restrictive budgets, competing priorities, staffing shortfalls, and a lack of highly trained cybersecurity talent.
“While overall, our results have found that the midsized business is in the technological sweet spot, conversely, we can conclude that humans – employees, vendors and customers – still represent the greatest vulnerability as they are prone to social engineering techniques, shortcuts or inadvertent oversights in the IT/security management process,” said Coalfire Labs Vice President Mike Weber.
“Most organizations today, as they increasingly leverage the cloud and virtualization, concern themselves more with external network security than internal network defenses, creating significant internal security gaps and vulnerabilities that need to be addressed,” he concluded.