Health Care Companies Post Low Scores for Cyber-Security Efforts

Health Care IT Security Challenged by Phishing Attacks

Written by Nathan Eddy
Oct 14, 2016

The health care community is facing a serious crisis when it comes to dealing with cyber-security issues, according to an UpGuard report covering more than 500 health care companies.

The results, part of a larger report to be released at the end of the year that audits more than 7,000 companies across other key sectors, use UpGuard’s CSTAR score, a single measure of a company’s cyber-security risk indexed on a 0-950 scale, to evaluate health care companies across various sectors, from health insurers to pharmaceutical companies to hospitals.

Companies across all industries in the health care sector posted low CSTAR scores—under 500—placing all in the warning range of scores.

With an overall average score of 420—rather abysmal on a scale of 0-950—these poor scores show the extent of the vulnerabilities in this sector.

“Because the operators of information systems cannot trust the state of their machines, they inevitably experience outages and data breaches,” the report noted. “Because insurers cannot trust the assessment of those systems and the application of existing laws to cyber-assets, they cannot price cyber-insurance policies with sufficiently high limits.”

In particular, phishing, which involves the sending of malicious emails that appear to come from a legitimate source, is a common tactic used by hackers to steal data.

While there are free and easy-to-use mechanisms available that combat phishing by checking the validity of emails before they reach a human target, including Sender Policy Framework (SPF) and Domain-Based Message Authentication, Reporting & Conformance (DMARC), the CSTAR report found that more than one-third (35 percent) of companies still do not have SPF records established and only 7 percent have implemented DMARC.

The data indicates that while the companies with the most income are the best protected in terms of cyber-security, there is a dip in scores in the middle that rises again for those with the lowest income.

The report noted this soft spot may help explain the widespread targeting of mid-sized hospitals by hackers in the past year.

In 2015 alone, 113 million medical records were compromised—the massive Anthem breach made up about 80 percent of those—and it’s estimated that breaches in this sector could be costing the health care industry as much as $6.2 billion, according to a recent Ponemon report.

The UpGuard report shows that while most CSTAR ratings across the states are in a gradually ascending middle ground between 350 and 450, there are significant outliers.

At either end of the spectrum, two states stand out: Utah and Maine score high at 597 and 613 respectively, while New Mexico and Delaware score 209 and 224. Delaware, the home of incorporation, is particularly worrying.
