American healthcare providers run vulnerable web apps

Outpost24, an innovator in identifying and managing cybersecurity exposure, has announced results from its 2021 Web Application Security for Healthcare report, which analysed the top 10 American healthcare providers, as ranked by the 100 largest hospitals and health systems in the US. The report revealed that the majority of US healthcare providers (90%) had an external attack surface score above 30 (out of 58.4), which is categorised as ‘critically exposed’ and indicates a high susceptibility to security and vulnerability exposure.

The scoring was conducted using Outpost24’s external attack surface management tool to assess the security exposure of the healthcare providers’ Internet-facing web services. This includes checking how many pages there are per application, whether any outdated software components are used, and what vulnerable third-party software each application is running on.

Further findings showed the top 10 US healthcare organisations run a total of 6,069 web applications over 2,197 domains with 3% deemed as ‘suspicious’ – these could be open test environments that should ideally be closed since they are essentially sitting ducks for attackers. Additionally, 24% of these applications were running on old components containing exploitable vulnerabilities. 

“It’s paramount the healthcare organisations carry out the necessary due diligence to continuously evaluate their Internet exposed security perimeter given the highly sensitive information stored,” said Nicolas Renard, Security Researcher at Outpost24. “Any kind of data breach and downtime for healthcare organisations can be fatal, therefore they must take a proactive stance to identify and mitigate potential security issues before critical care can be impacted.”

Overall, US healthcare organisations had a larger attack surface, with an average risk exposure score of 40.5, compared to EU pharmaceutical organisations, which had a score of 32.79. This is despite the US healthcare providers running 30% fewer external web applications compared to the top 10 EU pharma manufacturers, which had 20,394 apps.

It is no secret that healthcare and pharmaceutical organisations have become highly valuable targets, with vast volumes of vital patient information and intellectual property hosted on often outdated systems. Just this year alone, significant data breaches and ransomware attacks have impacted millions at US healthcare providers including the Florida Healthy Kids Corporation, Forefront Dermatology and Viverant Physical Therapy centre, exacerbating the challenge posed by a lack of security visibility and hygiene when combatting risk from the growing attack surface. With such sensitive and personal data housed in these organisations, healthcare providers must take action to reduce the overall attack surface, especially to ensure compliance with HIPAA and the continuity of critical patient care.