The healthcare industry is a long way behind the financial sector in basic security practices, according to a study by two-factor authentication firm Duo Security.
Duo found that healthcare devices were significantly more out of date and less secure than ones from finance, after comparing its healthcare customers' devices to its finance customers' equipment.
Healthcare has a four times greater density of Windows XP computers compared to finance. Windows XP has been unsupported by Microsoft since 2014 and unsupported OSes do not receive any software patches or updates, making them an easy target for attackers.
The risk is far from theoretical. For example, earlier this year Melbourne Health’s networks were infected with malware after an attack compromised the Royal Melbourne Hospital’s pathology department, which was running Windows XP.
The Qbot malware linked to the infection is capable of stealing passwords and logging keystrokes.
A significant minority (three per cent) of Duo’s healthcare installed base is stuck on Windows XP, compared with one per cent of users across Duo’s entire client base. Across that customer base, finance has 50 per cent more instances of computers running on the Windows 10 operating system than healthcare.
Finance has more instances of computers running on Windows 7 (74 per cent) than healthcare (66 per cent). Staying with older versions of Microsoft’s OS can have security downsides, even if the operating system is still supported.
With more than 500 known vulnerabilities affecting Windows 7, there are many ways for an attacker to easily exploit flaws on the outdated OS to gain unauthorised access to a healthcare organisation’s computing environment, Duo warns.
Twice as many healthcare endpoints have Flash installed and three times as many healthcare customers have Java installed on their devices, again putting them at greater risk of vulnerabilities and exploitation.
Only 12 per cent of non-healthcare users have Java installed, compared to 36 per cent in healthcare. Many popular electronic health record (EHR) systems and identity and access management (IAM) software supporting e-prescriptions require the use of Java, factors which could account for the higher installed base. But this is bad news for security because Java browser plug-ins are a popular exploit route for hackers.
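The comparison Duo draws (share of endpoints on an unsupported OS, share with Java or Flash installed) is the kind of hygiene report a defender can produce from their own endpoint inventory. The script below is an added example, not Duo's code or data: the inventory records, hostnames and field names are constructed, and which platforms count as unsupported is an assumption mirroring the article.

```python
from collections import defaultdict

# Patch status and plug-in lists are assumptions mirroring the article: XP is
# out of support; Java and Flash browser plug-ins are common exploit routes.
UNSUPPORTED_OS = {"Windows XP"}
RISKY_PLUGINS = {"Java", "Flash"}

# Constructed sample inventory: hostnames, field names and values are invented.
INVENTORY = [
    {"host": "hc-ws-01", "sector": "healthcare", "os": "Windows XP", "plugins": ["Java"]},
    {"host": "hc-ws-02", "sector": "healthcare", "os": "Windows 7", "plugins": ["Java", "Flash"]},
    {"host": "hc-ws-03", "sector": "healthcare", "os": "Windows 10", "plugins": []},
    {"host": "fin-ws-01", "sector": "finance", "os": "Windows 10", "plugins": []},
    {"host": "fin-ws-02", "sector": "finance", "os": "Windows 7", "plugins": ["Java"]},
    {"host": "fin-ws-03", "sector": "finance", "os": "Windows 10", "plugins": []},
]

def endpoint_findings(device):
    """Hygiene problems on one endpoint; an empty list means nothing to flag."""
    findings = []
    if device["os"] in UNSUPPORTED_OS:
        findings.append(f"unsupported OS: {device['os']}")
    for plugin in device["plugins"]:
        if plugin in RISKY_PLUGINS:
            findings.append(f"legacy plug-in installed: {plugin}")
    return findings

def _pct(hits, total):
    return round(100.0 * hits / total, 1)

def sector_summary(inventory):
    """Per-sector percentages of the kind the Duo comparison reports."""
    groups = defaultdict(list)
    for d in inventory:
        groups[d["sector"]].append(d)
    summary = {}
    for sector, devices in groups.items():
        n = len(devices)
        summary[sector] = {
            "devices": n,
            "unsupported_os_pct": _pct(sum(d["os"] in UNSUPPORTED_OS for d in devices), n),
            "win10_pct": _pct(sum(d["os"] == "Windows 10" for d in devices), n),
            "java_pct": _pct(sum("Java" in d["plugins"] for d in devices), n),
            "flash_pct": _pct(sum("Flash" in d["plugins"] for d in devices), n),
        }
    return summary

def flagged_hosts(inventory):
    """Endpoints needing remediation, mapped to their findings."""
    return {d["host"]: endpoint_findings(d) for d in inventory if endpoint_findings(d)}
```

Feed `sector_summary` and `flagged_hosts` the export from a real asset inventory tool and the unsupported-OS figure is the number to drive to zero first, since those hosts receive no patches at all.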
A separate study from IBM X-Force earlier this week warned that crooks were increasingly targeting healthcare concerns rather than banks, partly because their systems were more weakly defended. Stolen healthcare information contains personal data that is readily marketed through underground forums because it offers the collateral to carry out identity fraud and other scams.
“Our recommendation is for healthcare to focus on basic security hygiene to protect their institutions from any of the ransomware attacks in the news lately,” said Mike Hanley, director of Duo Labs. “As ransomware that we’re seeing in the news lately is just attackers monetising their actions, organisations really need to focus on closing those basic security issues to hackers.
“What these attackers are doing is nothing new, they’re finding the easiest ways into an organisation’s data and then exploiting it to make some fast (and big!) money,” he added. ®