

‘B+’ score for cybersecurity for healthcare


Following the Change Healthcare ransomware attacks, SecurityScorecard's STRIKE threat analysts assessed the cybersecurity risks of the 500 largest US healthcare companies, revealing key vulnerabilities and the need for improved third-party risk management and application security.


What happened 

SecurityScorecard's report, "The Cyber Risk Landscape of the U.S. Healthcare Industry, 2024," gives the US healthcare sector a "B+" security rating for the first half of 2024, but identifies supply chain cyber risk as the sector's most significant weakness. The report analyzes historical breach data and security ratings and offers healthcare organizations guidance on preventing incidents that originate in their supply chains.


Key findings of the Cyber Risk Landscape of the US Healthcare Industry, 2024 report

Businesswire summarized the key findings of the report as follows:

  • “Healthcare industry gets a B+: The U.S. healthcare industry's security ratings were better than expected, with an average score of 88. However, there is still room for improvement: Organizations with a B rating are 2.9x more likely to be victims of data breaches than those with an A rating.
  • Healthcare Industry leads in third-party breaches: 35% of third-party breaches in 2023 affected healthcare organizations, outpacing every other sector. The supplier ecosystem is a highly desirable target for ransomware groups. Attackers can infiltrate hundreds of organizations through a single vulnerability without being detected.
  • Medical device organizations have a higher risk of compromise: Medical device and equipment companies scored 2-3 points lower than the overall healthcare sample. These organizations also had a 16% higher rate of reported breaches and compromised machines than those in other healthcare sectors.
  • AppSec is the biggest attack surface threat: Application security issues are among the most significant flaws in healthcare attack surfaces, with 48% of organizations scoring the lowest in this category. The software supply chain gives an attacker access to source code, build processes, pipeline tools, or software updates to carry the attack downstream to the supplier’s customers, which often implicitly trust the vendor and its systems.
  • Breaches remain low despite rising threats: 5% of healthcare organizations experienced publicly reported breaches in the past year, and 6% had evidence of a compromised machine on their networks in the past 30 days. Ransomware remains a top threat to the industry, as reflected in the public reporting on these attacks.”

The report emphasizes the importance of enhancing supplier oversight and cybersecurity measures to mitigate concentrated cyber risks. Ryan Sherstobitoff highlighted the critical nature of monitoring supply chain risks to prevent single points of failure from crippling the healthcare ecosystem.

The study used security ratings and historical breach data of the 500 largest publicly traded healthcare companies in the U.S. for its analysis. SecurityScorecard aims to improve global cybersecurity through its ratings technology and strategic threat intelligence services.


What was said?

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence, told Businesswire that “one single point of failure, like Change Healthcare which underpinned medical claims processing, can cripple the entire healthcare ecosystem. And history will continue to repeat itself if the cybersecurity community does not actively monitor supply chain risk. Together, we must identify and address single points of failure.”

Learn more: UnitedHealth confirms scope of Change Healthcare attack


In the know

SecurityScorecard is a global leader in cybersecurity ratings, providing organizations with comprehensive assessments of their security posture. Founded in 2014, it rates over 12 million companies worldwide, offering insights for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight. SecurityScorecard's ratings are used to identify vulnerabilities, assess the security of supply chains, and take proactive measures against potential threats.

Backed by prominent investors such as Evolution Equity Partners, Silver Lake Partners, Sequoia Capital, GV, and Riverwood Capital, SecurityScorecard empowers the digital ecosystem to address and resolve cyber risks effectively. Its technology and threat intelligence services aim to enhance global cybersecurity standards, providing organizations with the tools to build resilient defenses, maintain regulatory compliance, and foster trust among stakeholders. The company also achieved the Federal Risk and Authorization Management Program (FedRAMP) Ready designation, underscoring its commitment to robust security practices.


Why it matters 

SecurityScorecard transforms how organizations understand, improve, and communicate cybersecurity risks. It provides comprehensive cybersecurity ratings and insights that help organizations manage enterprise risk, third-party risk, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight.

A B+ score indicates that a healthcare organization has relatively good security practices but still has room for improvement. The report's key comparison is between letter grades: organizations with a B rating are 2.9 times more likely to experience data breaches than those with an A rating, and a B+ (the sector's average score of 88) still falls within the B band. So while a B+ reflects above-average security performance, it also signals a measurably higher breach likelihood than an A-rated peer and the need for ongoing vigilance, particularly around third-party and application security risk, the two areas the report singles out.


FAQs

How does SecurityScorecard work?

SecurityScorecard collects externally observable data about an organization (for example, exposed services and open ports, DNS and TLS configuration, patching cadence, leaked credentials, and malware-infected hosts beaconing from the organization's IP space) without requiring access to its internal systems. It evaluates that data across multiple risk categories, such as network security, application security, and endpoint security, and compiles the results into a numeric score and a corresponding letter grade from A to F, providing an outside-in picture of the organization's cybersecurity health.


What are the different SecurityScorecard ratings, and what do they mean?

SecurityScorecard ratings range from A to F, with each letter grade corresponding to a band of the underlying 0-100 score:

  • A (90-100): Excellent security posture, minimal risk of breaches.
  • B (80-89): Good security posture but higher risk than A-rated organizations.
  • C (70-79): Moderate security posture; significant improvements are needed.
  • D (60-69): Poor security posture, high risk of breaches.
  • F (below 60): Very poor security posture, very high risk of breaches.


What are the key benefits of using SecurityScorecard?

  • Risk identification: Identify and mitigate security risks.
  • Benchmarking: Compare your security posture with industry peers.
  • Regulatory compliance: Provide evidence to support compliance with cybersecurity regulations and third-party oversight requirements.
  • Supplier risk management: Assess and manage the security of third-party vendors.
  • Strategic planning: Inform cybersecurity strategies with data-driven insights.

