Inadequate Healthcare Cybersecurity Maturity Jeopardizes Patient Privacy

CYE found that the healthcare cybersecurity maturity score lags behind other sectors, putting patient privacy and sensitive data at risk due to weak EHR systems, telemedicine, and other security vulnerabilities.

The healthcare sector ranks lowest in several cybersecurity maturity domains, according to CYE's first Cybersecurity Maturity Report, which suggests that even organizations that handle highly sensitive data need more awareness of patient privacy protection.

Based on data collected over two years from over 500 organizations in 15 countries, covering 11 industries and a range of company sizes, the report aimed to provide valuable insights into the level of cyber risk in critical infrastructure entities, including those within the healthcare sector.

Over the past few years, the number of cybersecurity solutions available on the market has increased significantly. Despite this, global cyberattacks have risen by 38 percent, putting both reputations and finances at risk. Notably, healthcare was one of the three industries that faced the highest number of cyberattacks in 2022.

In terms of sectors, the energy and financial industries achieved the highest scores in terms of cyber maturity levels. In comparison, the healthcare, retail, and government sectors scored among the lowest.

Out of 11 industries, the healthcare sector had the second lowest score in identity management security.

In healthcare, patient data is protected through Identity and Access Management (IAM), which allows organizations to grant and deny user access rights and manage identity governance. Credentials are the keys to every door leading to protected health information (PHI), and IAM ensures that only verified and authorized digital identities receive privileged access. Without these protections in place, exposure to cyber threats increases.

Among all industries, including healthcare, the report found that 32 percent had a weak password policy and 23 percent had a weak authentication mechanism.

Network security is another crucial cyber maturity domain, guarding against data and network breaches. The domain encompasses access control, antivirus software, application security, network analytics, firewalls, VPN encryption, and other network-related security controls.

Despite its importance, healthcare scored lowest in network security. The report found that among all industries, 28 percent had administrative and sensitive interfaces exposed to the internet, and 24 percent of respondents had outdated firewall rule bases.

Moreover, healthcare ranked the lowest in sensitive data and information management.

Sensitive data or personally identifiable information (PII) encompasses information that individuals or organizations want to keep confidential, such as Social Security numbers, passport numbers, driver's license numbers, addresses, email addresses, photos, biometric data, or any other data traceable to an individual.

This low ranking signals a serious need for more awareness surrounding patient privacy. Researchers stated that factors like weak EHR systems, telemedicine, and complex interrelationships among insurance companies, practitioners, specialists, and patients all reveal cybersecurity vulnerabilities.

The report also examined cybersecurity maturity on a larger scale. CYE researchers observed that the United States, despite investing heavily in cybersecurity spending, has one of the lowest levels of cybersecurity maturity.

On the other hand, Norway has the highest overall cyber maturity level, even though it only introduced its first national cybersecurity strategy in 2003. Given the US's low score, researchers concluded that a large financial investment does not necessarily result in a high maturity level. This emphasizes that organizations can achieve greater maturity without a large cybersecurity budget if they plan and invest wisely.

While medium-sized organizations have the resources to invest in better cybersecurity measures, smaller organizations with a smaller attack surface can also manage successfully with a small security team.

However, very large organizations with a vast attack surface find it harder to defend themselves, which can lead to lower maturity levels. For example, a separate report highlighted that larger companies are more susceptible to cyberattacks, with 56 percent of respondents from companies with 100 or more employees admitting to being ransomware victims.

"CYE's cybersecurity report should serve as a wake-up call for both private and governmental organizations," Reuven Aronashvili, founder and CEO at CYE, said in a press release. "While there are some excellent companies doing it right when it comes to cyber preparedness in the relevant industries and countries that we looked at, overall, the picture we get is still far from ideal."

"The main takeaway from this research is that organizations can achieve a superior maturity posture even without a huge cybersecurity budget if they plan and spend it right."
