US healthcare operators vulnerable to cyber attacks

  • December 6, 2021
  • Steve Rogerson

Around 90% of web applications used by US healthcare operators are highly susceptible to attack or vulnerability exposure, according to cyber assessment company Outpost 24.

It analysed the top-ten American healthcare providers, as ranked by the 100 largest hospitals and health systems in the USA. The report revealed that the majority of US healthcare providers (90%) had an external attack surface score above 30 out of 58.4, which is categorised as critically exposed and indicates a high susceptibility to attack and vulnerability exposure.

The scoring was conducted using Outpost 24’s external attack surface management tool to assess the security exposure of the healthcare providers’ internet-facing web services, which includes checking how many pages there are per application, if any outdated software components are used, and on what vulnerable third-party software it is running.

Further findings showed the top-ten US healthcare organisations run a total of 6069 web applications over 2197 domains, with three per cent deemed as suspicious. These could be open test environments that should ideally be closed, since they are essentially sitting ducks for attackers. Additionally, 24% of these applications were running on old components containing exploitable vulnerabilities.

Overall, US healthcare organisations had a larger attack surface, with an average risk exposure score of 40.5, when compared to EU pharmaceutical organisations, which had a score of 32.79. This is despite the US healthcare providers running 30% fewer external web applications than the top-ten EU pharma manufacturers, which had 20,394 apps.

It is no secret that healthcare and pharmaceutical organisations have become highly valuable targets, with vast volumes of vital patient information and intellectual property hosted on often outdated systems. Just this year, significant data breaches and ransomware attacks have impacted millions at US healthcare providers including the Florida Healthy Kids Corporation, Forefront Dermatology and Viverant Physical Therapy centre, incidents compounded by a lack of security visibility and hygiene when combatting risk from the growing attack surface.

With such sensitive and personal data housed in these organisations, healthcare providers must take action to reduce the overall attack surface, said Outpost 24, especially to ensure compliance with HIPAA and the continuity of critical patient care.

“It’s paramount the healthcare organisations carry out the necessary due diligence to continuously evaluate their internet exposed security perimeter given the highly sensitive information stored,” said Nicolas Renard, security researcher at Outpost 24. “Any kind of data breach and downtime for healthcare organisations can be fatal, therefore they must take a proactive stance to identify and mitigate potential security issues before critical care can be impacted.”

Within the top US healthcare providers, 24% are running on old components containing known vulnerabilities. US healthcare providers run 6069 web applications over 2197 domains, with three per cent considered to be suspect. Among the seven most targeted attack vectors in web applications, degree of distribution (82.60), page creation method (100) and active content (79) are the top-three attack vectors identified.

“For many organisations, there is a lack of awareness of how vast their external attack surface is, which is why having continuous visibility can highlight any weak spots and unknown assets that are susceptible to cyber attack,” said Stephane Konarkowski, security consultant at Outpost 24. “Healthcare providers have seen a significant increase in their digital footprint by moving online, however applications in use are often not tested and monitored on a regular basis for security exposure, leaving them open to vulnerabilities and the prying eyes of cyber criminals. With the rise in ransomware and cyber attacks during the pandemic, security hygiene must not be ignored in order to protect patients and maintain compliance for data and privacy regulations.”

Outpost 24 is a cyber assessment company focused on enabling its customers to achieve value from their evolving technology investments. By leveraging full stack security insights to reduce attack surface for any architecture, its customers can continuously improve their security posture with the least effort. More than 2000 customers in 40 countries use Outpost 24 to assess their devices, networks, applications, cloud and container environments and report compliance status for government, industry sector or internal regulations. Founded in 2001, Outpost 24 serves organisations across segments including financial and insurance, government, healthcare, retail, telecommunications, technology, and manufacturing.