Third-party data breaches continue to disproportionately affect healthcare

More than a third of third-party data breaches in 2023 affected healthcare organizations, surpassing all other sectors, SecurityScorecard research shows.

Third-party data breaches have been a top concern for healthcare cybersecurity leaders in recent years, following a string of high-profile cyberattacks across the healthcare supply chain.

Threat research from SecurityScorecard, a company that provides cybersecurity ratings for corporations, showed that 35% of third-party breaches that occurred in 2023 affected healthcare organizations, overtaking all other sectors.

SecurityScorecard analyzed the security ratings and historical breach data of the 500 largest US healthcare companies to glean insights into the sector’s top risk factors. Despite the perception that healthcare is behind other industries when it comes to cyber defense, healthcare organizations averaged a security score of 88.

“Security ratings in our sample were higher than expected,” SecurityScorecard researchers acknowledged. “Possible reasons for this variance include: our sample of large, publicly traded companies, which often have better security; and the majority of Pharmaceuticals & Biotechnology companies in our sample.”

More than 60% of analyzed companies came from the pharmaceuticals and biotechnology sector, while care providers accounted for 14% of analyzed companies. However, even the analyzed care providers achieved average scores of 89.

Despite healthy scores across the board, researchers identified several key problem areas that healthcare organizations struggle with. Application security and endpoint security were top risk areas. Almost half of the companies in the sample had their lowest scores in the area of application security.

Common application security issues included the use of HTTP in redirect chains and the use of weak SSL/TLS encryption protocols.
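As an added illustration (not code from the SecurityScorecard report), a small Python check that flags both findings from scanner-style input: plain-HTTP hops and HTTPS-to-HTTP downgrades in a redirect chain, and deprecated SSL/TLS versions a server still offers. The hostnames and protocol list are constructed samples.

```python
# Added example, not code from the SecurityScorecard report: offline checks for the
# two findings named above. Inputs mimic what a scanner records for one site.
from urllib.parse import urlparse

# Deprecated protocol versions; offering any of these counts as a weak-TLS finding.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _scheme(url):
    return urlparse(url).scheme.lower()


def insecure_hops(chain):
    """Every URL in an ordered redirect chain (first request to final page) served over HTTP."""
    return [url for url in chain if _scheme(url) == "http"]


def downgrade_hops(chain):
    """(from, to) pairs where an HTTPS hop redirects back to HTTP, the worst variant:
    a client that already reached TLS is sent back to cleartext."""
    return [(prev, cur) for prev, cur in zip(chain, chain[1:])
            if _scheme(prev) == "https" and _scheme(cur) == "http"]


def weak_protocols_offered(protocols):
    """Deprecated SSL/TLS versions enabled on the server, sorted for stable output."""
    return sorted(p for p in protocols if p in WEAK_PROTOCOLS)


def assess_site(chain, protocols):
    """Combine the checks into a list of finding strings; an empty list means nothing flagged."""
    findings = []
    if insecure_hops(chain):
        findings.append("http_in_redirect_chain: " + ", ".join(insecure_hops(chain)))
    for prev, cur in downgrade_hops(chain):
        findings.append(f"https_to_http_downgrade: {prev} -> {cur}")
    if weak_protocols_offered(protocols):
        findings.append("weak_tls_protocol: " + ", ".join(weak_protocols_offered(protocols)))
    return findings


# Constructed sample (hypothetical hostnames): the site upgrades to HTTPS, then a
# legacy login host drops back to HTTP before redirecting up again.
SAMPLE_CHAIN = ["http://clinic.example/", "https://clinic.example/",
                "http://legacy.clinic.example/login", "https://legacy.clinic.example/login"]
SAMPLE_PROTOCOLS = {"TLSv1", "TLSv1.2", "TLSv1.3"}

if __name__ == "__main__":
    for finding in assess_site(SAMPLE_CHAIN, SAMPLE_PROTOCOLS):
        print(finding)
```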

Meanwhile, endpoint security was the weakest score area for just 9% of organizations, but endpoint security issues can have a significant negative impact on the organization when they do occur.

SecurityScorecard stressed the prevalence of third-party cyber risk in the healthcare sector, noting that these risks can originate from a variety of sources, such as vulnerable software or vendors who have access to sensitive data.

“Other sources of third-party risk for healthcare organizations include: specialized third-party platforms or other technology designed specifically for the healthcare industry; the outsourcing of non-clinical functions, such as administration and finance-related functions, to third-party vendors; and the delegation of specialized clinical tasks, such as lab tests and diagnostic imaging, to third-party care providers,” the report stated.

Researchers noted that simply keeping track of the volume of third-party relationships within one healthcare organization is a challenge but is crucial to reducing risk. What’s more, the researchers recommended that care providers educate patients on how these third parties interact with their data.

Other key points identified in the report included the growing threat of ransomware as well as a higher risk of breaches for medical device and equipment companies. Specific risk areas varied across healthcare sub-sectors. But the overall security posture of the healthcare sector, as shown in the report, underscored the importance of avoiding single points of failure in an industry with a multitude of interconnected risk areas.

“One single point of failure, like Change Healthcare which underpinned medical claims processing, can cripple the entire healthcare ecosystem,” said Ryan Sherstobitoff, senior vice president of Threat Research and Intelligence at SecurityScorecard.

“And history will continue to repeat itself if the cybersecurity community does not actively monitor supply chain risk. Together, we must identify and address single points of failure.”
