Healthcare IT Infrastructure Remains Vulnerable

Despite the millions of patient digital health records that are breached every year, healthcare isn’t doing enough to shore up vulnerabilities.

A new study demonstrates just how large the problem remains. Bugcrowd, a crowdsourced security company located in San Francisco, recently released the latest version of its State of Healthcare Cybersecurity Report.

Bugcrowd, as a crowdsourcing security firm, receives “vulnerability submissions,” or reports from white hat hackers on potential flaws in systems. Between 2017 and 2018, Bugcrowd saw a 350% increase in vulnerability submissions, and there will likely be a steady increase this year as well.

“Healthcare has historically been slow to adopt new technologies due to the risk associated with changing how data is stored, transmitted, or processed,” says David Baker, CSO of Bugcrowd. “This is true even with security technology.”

Close to a third of the vulnerability submissions were considered critical submissions-ranked priority one (P1) or priority two (P2), while about 42% were P3.

Related: Telemedicine and E-Visits: An Update

“P3 vulnerabilities are considered to be medium severity,” says Baker. “Although they don’t typically infer protected health information (PHI) disclosure, they relate to details of the apps themselves. As with any of these technologies, the risk of P3s are still important because they can be chained together, thus leading to new vulnerabilities with higher severity.”

Baker points to the market for submissions as signs that healthcare organizations are putting more resources into combatting the issue. “Healthcare organizations running crowdsourced security programs are increasing their security maturity and criticality levels, therefore increasing the market rate for vulnerabilities.”

In Q1 2019, the average payout for a P1 submission was almost $3,500. The overall average payout for all priority levels (P1-P4) was about $1,000. “Interestingly,” Baker says, “this is higher than the P1 and average payouts across all programs run through Bugcrowd.”

Overall, total payouts for Q1 2019 increased by over 30% in 2018.

“Healthcare security professionals must implement a more improved defense-in-depth security program that promotes better defense through a better offense,” Baker says. “This means that security professionals should implement a solution that enables 24x7x365 security assessment efforts against their assets. Crowdsourced security continues to uncover 10 times the security bugs than traditional security assessment methods.”