User authentication deficiencies, endpoint leakage, and excessive user permissions are the three most common cyber risks facing health systems and hospitals, according to new data from Clearwater CyberIntelligence Institute.
The report reflected similar findings in a recent Crowe analysis that found access management will be one of the biggest health IT risk concerns across the healthcare sector in 2019.
Clearwater researchers analyzed data from IRM Analysis, a database of millions of risk records accumulated over the last six years from NIST-based risk analyses of Clearwater customers. The data focused exclusively on the risk profiles of hospitals, Integrated Delivery Networks, and business associates.
The researchers found the top three vulnerabilities accounted for nearly 37 percent of all critical risk scenarios. User authentication deficiencies topped the list, consisting of weaknesses in both identifying the user and verifying the level of access to an organization’s network.
The three primary risk areas around user authentication are password strength requirements, single sign-on controls, and locking accounts after too many failed login attempts. Specific weaknesses include generic password use, physically posting passwords in a workspace, and emailing credentials unencrypted over external networks, among others.
Authentication flaws are deemed critical because they mean an organization lacks the security controls that would reduce the likelihood of the flaw being exploited, the researchers explained.
Servers and Software-as-a-Service tools are the media types most frequently associated with the vulnerability. Researchers suggested organizations can reduce the risk by understanding the gaps in their user authentication controls and the share of their risk scenarios tied to this flaw, since these controls are highly effective at reducing the likelihood of exploitation.
Also notable: 90 percent of organizations reported having password or token management policies and procedures, but lacked the technical implementation needed to make those policies effective.
“A discrepancy between policy and technical implementation can put organizations at significant risk for civil monetary penalties in the event of a breach-related investigation,” the researchers wrote.
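To make the controls the report names concrete (password strength, lockout after repeated failed logins) and the policy-versus-implementation gap it warns about, here is an added example. It is illustrative code written for this article, not code from Clearwater or from any hospital system; the policy thresholds, user names, passwords and the shape of the "effective settings" dictionary are all assumptions constructed for the example.

```python
"""Added example: minimal password-policy enforcement, failed-login lockout,
and a check that a written authentication policy is actually enforced.
All thresholds and sample data are assumptions, not values from the report."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed denylist standing in for the "generic password use" the report cites.
COMMON_PASSWORDS = {"password", "welcome1", "hospital1", "password123"}


@dataclass
class AuthPolicy:
    """The documented policy (assumed values)."""
    min_length: int = 12
    require_mixed: bool = True      # upper, lower and digit
    lockout_threshold: int = 5      # failed attempts before the account locks


def password_meets_policy(password: str, policy: AuthPolicy) -> List[str]:
    """Return the list of violations; an empty list means the password complies."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    has_mix = (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
               and re.search(r"\d", password))
    if policy.require_mixed and not has_mix:
        problems.append("must mix upper-case, lower-case and digits")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a common/generic password")
    return problems


class Authenticator:
    """In-memory user store with salted PBKDF2 hashes and lockout on failures."""

    def __init__(self, policy: AuthPolicy):
        self.policy = policy
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, digest)
        self._failures: Dict[str, int] = {}
        self._locked: Set[str] = set()

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        problems = password_meets_policy(password, self.policy)
        if problems:
            raise ValueError(f"password rejected: {', '.join(problems)}")
        salt = os.urandom(16)
        self._users[user] = (salt, self._digest(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if user in self._locked:
            return "locked"
        record = self._users.get(user)
        if record is None:
            return "denied"
        salt, stored = record
        if hmac.compare_digest(self._digest(password, salt), stored):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.policy.lockout_threshold:
            self._locked.add(user)          # the lockout control actually firing
            return "locked"
        return "denied"


def policy_gaps(documented: AuthPolicy, effective: Dict[str, object]) -> List[str]:
    """Compare the written policy with settings actually enforced on a system.

    `effective` is a constructed dictionary in the shape a configuration export
    might produce; the key names are assumptions for this example."""
    gaps = []
    if int(effective.get("min_length", 0)) < documented.min_length:
        gaps.append("minimum length enforced below the documented policy")
    threshold = effective.get("lockout_threshold")
    if not threshold or int(threshold) > documented.lockout_threshold:
        gaps.append("lockout threshold missing or weaker than documented")
    if documented.require_mixed and not effective.get("complexity_enabled", False):
        gaps.append("complexity required on paper but not enabled")
    return gaps


if __name__ == "__main__":
    policy = AuthPolicy()
    auth = Authenticator(policy)
    auth.register("nurse1", "Correct-Horse-Battery-9")      # constructed credentials
    print([auth.login("nurse1", "wrong") for _ in range(5)])  # four denied, then locked
    print(policy_gaps(policy, {"min_length": 8, "lockout_threshold": 0}))
```

The `policy_gaps` function is the piece that addresses the report's 90 percent finding: a policy document that says "lock after five failures" is only a control if the system's effective settings, not just its paperwork, enforce it.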
To shore up some of these risks, the researchers recommended hospitals and health systems ensure a risk analysis has been performed around user authentication deficiencies. Officials should make sure the controls have been properly implemented, while assessing whether the risk ratings associated with the controls seem accurate.
Further, the providers should ensure remediation plans are in place around user authentication deficiencies.
“Hospital executives should direct their immediate attention to these three top vulnerabilities and consider action to reduce their organization’s risk profile,” Jon Stone, Clearwater CCI Leader and Senior Vice President for Product Innovation, said in a statement.
“It is critically important that hospitals and health systems evaluate their organization’s information systems to determine their specific risk ratings on these three critical vulnerabilities and take the necessary steps to close any gaps,” he added.