Health Care Lags Financial Sector in Security Effectiveness

A BitSight report reveals security effectiveness in the health care industry lags far behind other sectors such as utilities or finance.

health care and IT security

The health care and pharmaceuticals sector has many of the same characteristics as the retail sector, including a high volume of security incidents and slow response times, according to a report from BitSight Technologies.

The average rating in the health care industry was 660. Like the retail sector, the spread in performance across the industry is large, indicating that there are many companies that are seriously underperforming.

BitSight Security Ratings range from 250 to 900, with higher ratings equating to higher security performance. Industry ratings are calculated using a simple average of the security ratings of companies in that sector, a company statement explained.

The average number of days between the first time BitSight observes an event to the last time, also known as the event duration, is longer than any other industry, at 5.3 days.

The sector also saw the largest percentage increase in the number of security incidents observed by BitSight over the time period.

"In our recent assessment of medical devices used in clinics and hospitals around the country, weak encryption, lack of key management, poor authentication and authorization protocols, and insecure communications were all common findings," Chandu Ketkar, technical manager at Cigital, said in a statement. "These gaps in security can lead to a compromise in data confidentiality and integrity. When sensitive data is compromised, it can not only create risks for patients but also expose health care providers and device manufacturers to regulatory and business risks."

The report noted that both the health care and retail sectors lag behind the finance and utilities sectors in security performance.

The average rating in the finance industry was 765, the highest of all industries analyzed, despite an increase in the number of observed incidents, and the finance industry had the shortest average event duration, suggesting this sector is quicker to detect and respond to cyber-threats than others.

Similar to finance, the generally positive security performance in the utilities industry is likely the result of both executive-level focus on cyber-risk as well as industry regulation.

The average rating was 751 for the utilities industry and, similar to the financial sector, the range of ratings within the utilities vertical is relatively narrow, indicating that the majority of companies are high performers.

"Based on our analysis, it is clear that organizations that treat cyber-security as a strategic issue perform better than those that view it as a tactical one," Stephen Boyer, BitSight co-founder and chief technology officer, said in a statement. "This partially explains the superior security ratings of financial institutions and electric utilities in the S&P 500 compared to retailers and health care companies."