Just about a year and a half after the U.S. Department of Health and Human Services Health Care Industry Cybersecurity Task Force deemed the sector’s cybersecurity in ‘critical condition,’ organizations are making strides in scanning and closing gaps. But the majority still struggle with employee awareness.

In fact, a new report from Veracode found that along with the retail industry, the healthcare sector is reducing its risk faster than other industries.

“Flaw persistence analysis shows that when looking at all found vulnerabilities, this industry is statistically closing the window on app risk more quickly than any other sector,” the report found.

High marks

The sector received high marks in many State of Software Security metrics. SOSS provides insights into common vulnerabilities and how organizations measure up to security industry benchmarks.

Veracode worked with Cyentia Institute better understand factors that go into fixing flaws. The report measured flaw severity, business criticality of applications and exploitability of the flaws.

Healthcare had the highest latest scan Open Web Application Security Project (OWASP) pass rates of all other verticals, at about a 55 percent pass rate. Other industries had about 28 percent.

The percent of applications in findings show that server configuration (78 percent), information leakage (67 percent) and cryptographic issues (47 percent) are the healthcare’s strongest areas.

“It takes just a little over seven months for healthcare organizations to reach the final quartile of open vulnerabilities, about eight months sooner than it takes the average organization to reach the same landmark,” the report found.

But the healthcare sector struggles in one major area: Apps are scanned infrequently and significantly lower than required. And it’s important to note that more than 85 percent of applications have flaws, with 13 percent rated critical, so frequent scans are critical to better response.

As seen with the global WannaCry and Petya attacks, failing to patch within a reasonable amount of time can lead to complete service disruption.

“The population of apps scanned was significantly lower than for first scan results,” the report authors wrote. “This indicates that healthcare organizations could be leaving some risk on the table with many applications scanned only a single time and subsequently ignored.”

Employees still lack awareness

Not only are infrequent scans leaving healthcare vulnerable, employees are still failing to grasp best practices that make healthcare organizations vulnerable to attack. The latest MediaPRO report found that 75 percent of employees lacked necessary security awareness, with 30 percent rated a risk.

MediaPRO asked 1,007 employees across seven sectors detailed security questions to rank their cybersecurity ability and understanding. They correctly answered fewer than 90 percent of the questions.

Even worse: The number of high-ranking heroes (those who correctly answered more than 90 percent of the questions) dropped to 25 percent, from 30 percent in 2017. The numbers are significantly worse than previous years. In 2017, just 19 percent of employees were rated a risk and 45 percent of employees were ranked novice.

The report found employees were struggling more than 2017 to identify physical security risks, reporting suspicious activity, recognizing malware infections, cloud computing security and a host of other issues. And 25 percent took risks when they worked remotely and on social media, up from just one-fifth in 2017.

But given the steady increase in phishing attempts this year, the increase in the number of employees who failed to identify potential phishing attacks is concerning. About 14 percent of respondents incorrectly answered phishing email questions, almost double from the results in 2017.

On the plus side, 8 out of 10 respondents could correctly identify a phishing email. But here’s the catch: 18 percent chose to open an unexpected attachment or click on a malicious link in the email. And finance employees are the most susceptible.

Employees are also failing to understand business email compromise, where 58 percent of respondents failed to correctly define the threat.

So what can be done?

To Theresa Payton, CEO of Fortalice Solutions, perhaps these numbers reflect an increase in the ability of hackers to trick employees.

“We've been saying [humans are the weakest link] for 15 years and the strategy doesn't work," Payton said at the HIMSS Security Forum. "From a social engineering standpoint, it has never been easier to trick employees. Business email compromise is one of the largest unreported crimes after ransomware."

Education is still crucial, but healthcare organizations need to focus on segmentation that will ensure that when an employee falls for a malicious email or a hacker gets into one of those unpatched vulnerabilities it’s contained.

Technology is made to be open and data can’t be 100 percent secure, so two-factor authentication with segmentation can minimize the risk.

“The threat landscape is changing so fast that we can’t keep up, but we can augment our responses,” Anahi Santiago, chief information security offer of Christiana Care Health System, said at the same event. “We can’t grow fast enough to do all we need to accomplish.”

So organizations should “automate menial tasks.”

“To research a particular phishing email, that’s very manual and takes a lot of time,” Santiago added. “To be able to automate could allow the team to do more of the sophisticated things. Automation is key.”

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com