Report: Healthcare and Pharma Cybersecurity Ratings Poor
A new report by security ratings firm BitSight Technologies shows that out of four key industries -- finance, utilities, retail, and healthcare -- healthcare and pharmaceuticals companies have the worst cybersecurity ratings.
"Based on our analysis, it is clear that organizations that treat cybersecurity as a strategic issue perform better than those that view it as a tactical one," said BitSight co-founder and CTO Stephen Boyer. "This partially explains the superior Security Ratings of financial institutions and electric utilities in the S&P 500 compared to retailers and healthcare companies."
The study, based on S&P 500 companies, ranked sectors with a security rating between 250 and 900, with the higher score correlating to a higher security rating. The healthcare and pharma sector scored an average of 660. Retail came in second-to-last with an average of 685 and a decline in performance over the last year. Finance, meanwhile, was the highest, with a score of 765, followed by utilities with 751.
BitSight noted that the healthcare industry is a frequent victim of cybercrime but has a slow response time. BitSight noted that the healthcare and pharma sector saw the biggest increase in the number of cyber incidents during the time period observed.
Boyer explains that one of the reasons hackers love to target the healthcare industry is because medical information is incredibly valuable. According to Boyer, medical records can go for $20 on the black market, while a credit card fetches a single, measly dollar.
BitSight also found that many healthcare companies had a poor IT infrastructure, and that IT workers in the healthcare industry were paid less than IT workers in other sectors. All of this is compounded by the shift in the medical industry to move records online and services like Healthcare.gov. The report found that 23 percent of attacks on the healthcare industry were Zeus, with 14 percent being Spambot, and 13 percent Conficker. Expiro and PushDo accounted for 7 percent, and other random malwares made up the last 26 percent.
"In our recent assessment of medical devices used in clinics and hospital around the country, weak encryption, lack of key management, poor authentication and authorization protocols, and insecure communications were all common findings," said Chandu Ketkar, technical manager at consulting firm Citigal. "
"These gaps in security can lead to a compromise in data confidentiality and integrity. When sensitive data is compromised, it can not only create risks for patients, but also expose health care providers and device manufacturers to regulatory and business risks."
For more stories like this, follow us on Twitter!