U.S. healthcare sector leads third-party data breaches in 2023

NEW YORK, UNITED STATES — A recent study by supply chain cybersecurity firm SecurityScorecard revealed that 35% of third-party breaches in 2023 affected healthcare organizations, surpassing all other sectors.
The report, titled The Cyber Risk Landscape of the U.S. Healthcare Industry, 2024, delves into the most critical risks faced by the 500 largest U.S. healthcare companies.
Industry receives B+ rating, but vulnerabilities persist
SecurityScorecard’s report stated that the healthcare sector received a B+ security rating for the first half of 2024.
Despite this commendable rating, the report underscores significant weaknesses, particularly around supply chain cyber risk.
The healthcare supplier ecosystem is a prime target for ransomware groups, which can reach hundreds of downstream organizations by exploiting a single vulnerability in a shared supplier.
Medical device companies at higher risk
Medical device and equipment companies are particularly vulnerable, scoring 2-3 points lower than the overall healthcare sample. These organizations showed a 16% higher rate of breaches and compromised machines compared with other healthcare sectors.
Application security issues emerged as the most significant flaw in healthcare attack surfaces, with 48% of organizations scoring lowest in this category. The software supply chain can give attackers a path into critical components, and a compromised component can in turn compromise the systems of every customer that depends on it.
Despite these challenges, the U.S. healthcare industry’s security ratings were better than expected, with an average score of 88.
However, organizations with a B rating are 2.9 times more likely to be victims of data breaches than those with an A rating.
Industry experts urge vigilance
Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, emphasized the importance of vigilance: “One single point of failure, like Change Healthcare, which underpinned medical claims processing, can cripple the entire healthcare ecosystem. And history will continue to repeat itself if the cybersecurity community does not actively monitor supply chain risk.”
The report underscores the need for healthcare organizations to scrutinize their data security practices, assess third- and fourth-party access to sensitive data, and identify critical vendors essential to revenue.
The United States government recently announced forthcoming regulations to strengthen cybersecurity across the healthcare sector. These regulations will initially target hospitals, requiring them to implement minimum cybersecurity standards based on performance goals outlined by the Department of Health and Human Services (HHS) in January.
The government also unveiled a $50 million program dubbed Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE), which aims to develop cybersecurity tools to protect hospitals from damaging cyberattacks.