Radware’s Web Application Security Report finds security flaws in the healthcare industry
What do healthcare institutions, insurance companies, hospitals, pharmaceuticals and manufacturers of medical equipment all have in common?
If you guessed room for improvement when it comes to protecting applications, you’re correct.
The data records these organizations keep are highly sensitive as they affect people’s lives and wellbeing. There are a variety of risks – it only takes one unauthorized access to modify a prescription or change the settings of a medical device. There is a growing trade of medical records over the dark web where their value exceeds the cost of a stolen credit card.
How can a hospital make sure its network does not go down when a DDoS attack emerges? How can a pharmaceutical company make sure its intellectual property remains uncompromised?
When applications interact and exchange data over APIs, how can the healthcare provider know these APIs are secure and cannot be manipulated to disrupt the service?
Radware’s latest research delves into the challenges organizations face in securing the applications and services they use. It also gives a deep view into the healthcare vertical in particular.
46% of healthcare organizations report having experienced a data security breach.
The most common vector they point at is brute force: in many cases it takes nothing more to gain unauthorized access to individuals’ data, and it can also serve as an entry point for establishing a trusted connection to the organization’s network. Yet many of them see brute force (as well as web scraping) as relatively easy to mitigate; their biggest concerns are in fact application-layer DDoS and encrypted attacks.
The breadth of these concerns points to a sense of lost control among healthcare security officers, of whom 27% rate their ability to secure patient records as no better than low to medium. While 62% say their biggest fear is DDoS, only 30% of them say they can protect well against it.
Data Protection and Compliance
It is an unfortunate picture, as the industry deals with quality-of-life issues. Access to real-time data – patient records, images and videos – requires both the security and the availability of in-house, web, mobile and cloud applications. Every day more data is created that these organizations must store securely. Their low level of confidence is a warning to all of us who overlook the importance of information security, especially when it comes to our own physical and mental conditions. For this reason, the healthcare sector must comply with a broad, highly specific set of governmental- and industry-led regulations and standards (e.g., HIPAA, GDPR, and local regulations such as the FDA guidelines in the U.S.) that control the collection, use, sharing and transmission of sensitive personal and clinical information. Compliance, however, is another area of low confidence: only 29% believe their organization will be GDPR-compliant before the regulation takes effect.
Protecting or Jeopardizing Investments?
Healthcare providers have made large CAPEX investments in sophisticated medical equipment. Because of their long lifecycle, many of these devices are connected to older systems, and downtime for upgrades and patching can seriously delay the delivery of medical services. The U.K.’s NHS took a hard hit from the WannaCry ransomware campaign in May 2017 for this very reason.
Analysis of the survey feedback paints a portrait of a sector ill at ease with the growing security demands placed on its institutions. Nearly two-thirds of respondents have little to no confidence that they could rapidly adopt security patches and updates without an operational impact, while 70% said that less than 50% of data loss incidents over the past 24 months were fully tracked and patched.
Is Automation the Answer?
The healthcare segment struggles to keep up with the security strategies, technologies and resources needed to address the level of sophistication fueled by digitization. To stay ahead of the game, it makes sense for the healthcare sector to invest in skills, tools and solutions that protect its applications and environments. For better agility and efficiency, more and more healthcare organizations are adopting the continuous delivery approach. Here too, unfortunately, 70% do not fully integrate security into the process – and that is for in-house applications. The situation is worse for cloud and mobile applications.
They also invest in integration, but more integration comes at a cost: it requires more flexibility, and in many cases that flexibility comes at the expense of security. When roughly 50% of your applications undergo changes every month, it is hard to keep track of them, let alone keep them secure.
APIs – The Reason APIs are not the Answer, Yet.
• Only 25% of respondents are fully aware of changes made to in-house applications and APIs within their software development environment.
• Less than 40% analyze API vulnerabilities prior to integration.
• 61% cannot track data shared with third parties once it leaves the corporate network.
• 57% do not inspect data that is being transferred/returned via APIs.
Is Automation the Answer for the Threat Actor?
Beyond data protection and application vulnerabilities, many respondents see a growing threat from emerging technologies. Bots are becoming more dominant: 36% of network traffic in healthcare is bot traffic. However, only 20% of respondents can determine with certainty whether that 36% consists of good or bad bots. Because healthcare carries a growing share of encrypted traffic, there is significant concern about encrypted (SSL/TLS) threats and attacks on the application layer. Among all attack types, 41% of respondents indicate that application-layer DDoS attacks have occurred more frequently over the past 12 months. Other bot attacks against applications include brute force and web scraping, as we saw earlier.
Healthcare Security is Ill
Radware’s research paints a bleak picture in which healthcare organizations are not in shape to win the battle against increasingly sophisticated, targeted attacks. Here it isn’t just a matter of lost revenue or reputation; it can potentially result in loss of life.