Healthcare staff lack basic cyber security awareness
The consequences of a security breach in the healthcare sector can be severe, yet a new survey reveals that healthcare staff are among the most likely to fall victim to social engineering attacks.
The study from SecurityScorecard exposes vulnerabilities across 700 healthcare organizations including medical treatment facilities, health insurance agencies and healthcare manufacturing companies.
Among the findings: over 75 percent of the entire healthcare industry has been infected with malware over the last year, with healthcare manufacturing reaching almost 90 percent malware infection rates.
Healthcare has the fifth highest count of ransomware among all industries and 96 percent of healthcare's ransomware targeted medical treatment centers. The industry ranks only ninth overall for security compared with other business sectors, and 15th out of 18 for vulnerability to social engineering.
"The low Social Engineering scores among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient," says Alex Heid, chief research officer at SecurityScorecard. "Security is only as strong as the weakest link, and employees are often the lowest-hanging fruit when it comes to phishing, spear phishing, and other Social Engineering attacks. For a hacker, it only takes one piece of information such as learning the email structure of an organization to exploit an employee into divulging sensitive information or providing an access point into that organization's network".
A further risk comes from the proliferation of Internet of Things (IoT) devices, wireless medical devices and tablets, which have paved the way for medical advances benefiting hospitals and patients. However, their rapid delivery and implementation have resulted in subpar security setups.
"As long as these IoT devices are manufactured with poor security standards, the vulnerability doesn't only lie within the devices themselves, but they also pose a risk to any hospital, treatment center, or individual using the device. If a connected device is hacked into, the device can be forced to malfunction or it can be used as a pathway to reach an organization's primary network," adds Heid.
You can find out more about the findings in the full report, which is available from the SecurityScorecard site.