The healthcare industry has become a critical focus for cyber threats, and recent insights from SecurityScorecard’s report, The Cyber Risk Landscape of the U.S. Healthcare Industry, 2024, reveal concerning trends and actionable recommendations. This article highlights key findings and their implications for medical device manufacturers and healthcare organizations.
Healthcare Security Scores: Room for Improvement
While the U.S. healthcare industry’s security ratings are better than expected, with an average score of 88 (equivalent to a B+), there’s still significant room for growth. Organizations with a B rating are 2.9 times more likely to experience data breaches than those with an A rating. This underscores the need for proactive measures to elevate security postures across the sector.
Third-Party Breaches: A Pressing Concern
In 2023, 35% of third-party breaches targeted healthcare organizations, making the sector the leader in this unfortunate category. The supplier ecosystem—rife with interdependencies—is a prime target for ransomware groups. A single vulnerability in a vendor’s system can potentially compromise hundreds of organizations. The February 2024 BlackCat ransomware attack on Change Healthcare exemplified this risk, disrupting payment processes and exposing systemic vulnerabilities.
Medical Device Organizations: Elevated Risks
Medical device and equipment companies within healthcare are at even greater risk. These organizations scored 2-3 points lower than the overall healthcare average and reported a 16% higher rate of breaches and compromised machines. This disparity highlights the urgency for these entities to prioritize cybersecurity initiatives.
Application Security: The Largest Attack Surface
Application security (AppSec) issues emerged as the most significant flaws in healthcare attack surfaces, with 48% of organizations scoring the lowest in this category. Attackers often exploit the software supply chain—including source code, build processes, and software updates—to infiltrate vendor networks and downstream customers. Strengthening AppSec is vital to mitigating these risks.
Breaches and Threats: A Mixed Landscape
Despite increasing threats, only 5% of healthcare organizations reported public breaches in the past year, while 6% had evidence of compromised machines within the past 30 days. Ransomware remains the dominant threat, with healthcare being a preferred target for cybercriminals due to its critical role in patient care.
Addressing the Challenges
The findings from SecurityScorecard emphasize the interconnected nature of healthcare systems and the high stakes involved. To reduce risks, healthcare organizations can consider the following actions:
- Enhance Third-Party Risk Management: Implement robust vendor assessments and continuous monitoring to detect and mitigate vulnerabilities in the supply chain.
- Strengthen Application Security: Prioritize AppSec by securing pipelines, reviewing source code, and deploying trusted updates.
- Elevate Overall Cyber Hygiene: Strive for higher security ratings by addressing vulnerabilities and adopting best practices for comprehensive cybersecurity.
Vigilant Ops also recommends adopting and managing a Software Bill of Materials (SBOM) for both medical device manufacturers and healthcare delivery organizations. Modern SBOM lifecycle management platforms, like Vigilant Ops, automate tasks such as component tracking, vulnerability assessment, and compliance reporting, allowing organizations to focus on innovation while staying secure.
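As an added illustration (not code from the report or from the Vigilant Ops platform), the following Python snippet shows the core of SBOM-driven vulnerability assessment: it parses a CycloneDX-style SBOM and checks each component's package URL and version against an advisory list. The SBOM contents, advisory identifiers and version ranges are constructed sample data, not real components or vulnerabilities.

```python
import json
import re

# Constructed CycloneDX-style SBOM for a hypothetical device firmware image.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
        {"type": "library", "name": "lodash", "version": "4.17.15",
         "purl": "pkg:npm/lodash@4.17.15"},
    ],
})

# Constructed advisory feed: affected range is [introduced, fixed).
# Identifiers are placeholders, not real vulnerability IDs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_prefix": "pkg:generic/openssl",
     "introduced": "1.1.1", "fixed": "1.1.1l"},
    {"id": "ADV-EXAMPLE-0002", "purl_prefix": "pkg:npm/lodash",
     "introduced": "0", "fixed": "4.17.21"},
    {"id": "ADV-EXAMPLE-0003", "purl_prefix": "pkg:generic/zlib",
     "introduced": "1.2.0", "fixed": "1.2.12"},
]


def _vkey(version: str) -> tuple:
    """Sortable key for dotted versions with optional letter suffixes (e.g. 1.1.1k)."""
    return tuple((int(num), suffix) for num, suffix in re.findall(r"(\d+)([A-Za-z]*)", version))


def affected_components(sbom_json: str, advisories: list) -> list:
    """Return (purl, advisory id) pairs for SBOM components inside an affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        prefix, _, version = purl.partition("@")
        version = version.split("?")[0].split("#")[0]  # drop purl qualifiers/subpath
        if not version:
            continue  # unversioned component: cannot assess, should be flagged for review
        for adv in advisories:
            if prefix == adv["purl_prefix"] and \
                    _vkey(adv["introduced"]) <= _vkey(version) < _vkey(adv["fixed"]):
                hits.append((purl, adv["id"]))
    return hits
```

Running `affected_components(SBOM_JSON, ADVISORIES)` flags the openssl and lodash entries and leaves zlib alone because its version is past the fixed bound; a production pipeline would re-run this check whenever the SBOM or the advisory feed changes.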
Stronger security in healthcare requires actionable insights and collaborative efforts across the industry. Reports like this help highlight critical issues and inspire organizations to take meaningful steps toward improved cybersecurity resilience.
To read SecurityScorecard’s full report, visit their website here.