Healthcare Industry Gets a ‘B+’ on Cybersecurity for 2024

SecurityScorecard threat research spotlights the healthcare sector’s cybersecurity progress and uncovers significant supply chain risk

NEW YORK–(BUSINESS WIRE)–New SecurityScorecard threat research reveals that while the healthcare sector gets a “B+” security rating for the first half of 2024, it faces a critical vulnerability: supply chain cyber risk. The new report, “The Cyber Risk Landscape of the U.S. Healthcare Industry, 2024,” examines historical breach data and security ratings to provide insights for healthcare organizations to stop supply chain breaches.




In the wake of the Change Healthcare ransomware attacks, SecurityScorecard STRIKE threat analysts investigated the most critical risks faced by the 500 largest U.S. healthcare companies.

Key Findings

Healthcare industry gets a B+: The U.S. healthcare industry’s security ratings were better than expected, with an average score of 88. However, there is still room for improvement: Organizations with a B rating are 2.9x more likely to be victims of data breaches than those with an A rating.

Healthcare Industry leads in third-party breaches: 35% of third-party breaches in 2023 affected healthcare organizations, outpacing every other sector. The supplier ecosystem is a highly desirable target for ransomware groups. Attackers can infiltrate hundreds of organizations through a single vulnerability without being detected.

Medical device organizations have a higher risk of compromise: Medical device and equipment companies scored 2-3 points lower than those of the overall healthcare sample. These organizations also had a 16% higher rate of reported breaches and compromised machines than those in other healthcare sectors.

AppSec is the biggest attack surface threat: Application security issues are among the most significant flaws in healthcare attack surfaces – 48% of organizations scoring the lowest in this category. The software supply chain gives an attacker access to source code, build processes, pipeline tools, or software updates to carry the attack downstream to the supplier’s customers, which often implicitly trust the vendor and its systems.

Breaches remain low despite rising threats: 5% of healthcare organizations experienced publicly reported breaches in the past year, and 6% had evidence of a compromised machine on their networks in the past 30 days. Ransomware remains a top threat to the industry, as reflected in the public reporting on these attacks.

Concentrated cyber risk

As a result of Change Healthcare costing some companies $1 million per day, corporate security executives are doubling down on efforts to bolster supplier oversight and cybersecurity measures. Every organization must scrutinize its data security practices, assess third- and fourth-party access to sensitive data, and identify critical vendors essential to revenue.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence, said:

“One single point of failure, like Change Healthcare which underpinned medical claims processing, can cripple the entire healthcare ecosystem. And history will continue to repeat itself if the cybersecurity community does not actively monitor supply chain risk. Together, we must identify and address single points of failure.”

Methodology

The research examines the security ratings and historical breach data of the 500 largest healthcare companies whose stock is publicly traded in the United States. See detailed methodology.

Additional resources

Download “The Cyber Risk Landscape of the U.S. Healthcare Industry, 2024

To learn more about SecurityScorecard threat intelligence, visit our website.

About STRIKE

The STRIKE threat intelligence team combines unique threat intelligence, incident response experience, and supply chain cyber risk expertise. Backed by SecurityScorecard technology, STRIKE is a strategic advisor to CISOs worldwide, empowering the entire digital ecosystem to identify, measure, and resolve cyber risk.

About SecurityScorecard

Funded by world-class investors, including Evolution Equity Partners, Silver Lake Partners, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings, response, and resilience, with more than 12 million companies continuously rated.

Founded in 2014 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented security ratings technology is used by over 25,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight.

SecurityScorecard makes the world safer by transforming how companies understand, improve, and communicate cybersecurity risks to their boards, employees, and vendors. SecurityScorecard achieved the Federal Risk and Authorization Management Program (FedRAMP) Ready designation, highlighting the company’s robust security standards to protect customer information, and is listed as a free cyber tool and service by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Every organization has the universal right to its trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.

Contacts

Media Contact
Ashley Nakano

SecurityScorecard

[email protected]

Subscribe on LinkedIn

Get the free newsletter

Subscribe to MedicaEx for top news, trends & analysis

We're committed to your privacy. MedicaEx uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Businesswire is solely responsible for the content of the above news submissions. If there are any violations of laws, violations of the membership terms of this website, or the risk of infringing on the rights of third parties, businesswire will be solely responsible for legal and damage compensation. Responsibility has nothing to do with MedicaEx.

Are you in?

Subscribe to receive exclusive content and notifications to your inbox

We're committed to your privacy. MedicaEx uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.