HHS Audit Highlights Web App Security Vulnerabilities at Major Hospital

Experts Highlight Common Security Shortcomings Across Healthcare Sector Entities

Federal auditors indicate that entities in the healthcare sector often overlook significant security vulnerabilities in web-facing applications, endangering both IT frameworks and patient data. (Image: Getty Images)

Federal auditors have uncovered security vulnerabilities in web-based applications associated with a major hospital in the Southeastern United States, raising concerns of a widespread cybersecurity risk across the healthcare sector.

The U.S. Department of Health and Human Services’ Office of Inspector General, in a recent report, highlights how misconfigurations within these applications could expose sensitive patient data to potential cyberattacks. The auditors aimed to determine whether the hospital had implemented effective cybersecurity measures to avert, detect, and manage cyber incidents, while also safeguarding the data of Medicare enrollees.

Despite existing cybersecurity controls, the findings revealed that critical gaps persist, particularly in internet-facing applications. One notable vulnerability was the absence of multifactor authentication on one such application. In a simulated phishing exercise, auditors captured user credentials and used them to gain access to that application.

Furthermore, another web application was found lacking strong data input validations and was not protected by a web application firewall, leaving it susceptible to injection attacks and other forms of exploitation. Experts suggest that these vulnerabilities are not isolated to this particular hospital, as systemic challenges plague the entire healthcare sector. Issues such as complex IT environments, reliance on third-party systems, resource limitations, and the hasty adoption of new technologies, often without adequate security oversight, are driving these weaknesses.

In light of these findings, HHS OIG recommends that healthcare entities conduct comprehensive assessments of their internet-accessible systems for similar vulnerabilities. They emphasize the need for rigorous configuration and change management protocols, enhanced authentication measures including multifactor authentication, and the implementation of secure coding practices to ensure web application resilience against cyberthreats.
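The missing input validation and the "secure coding practices" the auditors call for both come down to how untrusted input reaches a database. The following is an added illustration, not code from the report or from the audited hospital: a patient-record lookup written the weak way (query text assembled from the input) next to the hardened way (an allow-list check on the identifier format, then parameter binding). The table, the `MRN-nnnn` identifier format, and the sample rows are all constructed for the example.

```python
"""Added example (not from the HHS OIG report): a patient-lookup query
written two ways, to show why missing input validation matters.
All records and the identifier format below are constructed."""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database with two fake enrollee records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (mrn TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO patient VALUES (?, ?)",
        [("MRN-0001", "Sample Patient A"), ("MRN-0002", "Sample Patient B")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, mrn: str) -> list:
    """Weak pattern: the untrusted value is pasted into the SQL text, so
    the database cannot tell data from query syntax."""
    sql = f"SELECT mrn, name FROM patient WHERE mrn = '{mrn}'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, mrn: str) -> list:
    """Parameter binding: the value is sent separately from the query
    text, so whatever it contains is compared as a plain string."""
    sql = "SELECT mrn, name FROM patient WHERE mrn = ?"
    return conn.execute(sql, (mrn,)).fetchall()


# Hypothetical identifier format used only for this example.
MRN_RE = re.compile(r"MRN-\d{4}")


def is_valid_mrn(mrn: str) -> bool:
    """Allow-list validation: accept only the exact expected shape."""
    return MRN_RE.fullmatch(mrn) is not None


def lookup_hardened(conn: sqlite3.Connection, mrn: str) -> list:
    """Validate first (defense in depth, and a clean audit signal when
    rejected), then bind the parameter."""
    if not is_valid_mrn(mrn):
        raise ValueError("rejected: identifier does not match expected format")
    return lookup_bound(conn, mrn)


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed malformed input
    print("unsafe  :", lookup_unsafe(db, probe))    # every row comes back
    print("bound   :", lookup_bound(db, probe))     # no row matches
    print("hardened:", lookup_hardened(db, "MRN-0001"))
```

Parameter binding alone stops the query from being rewritten; the format check is what turns a malformed identifier into a logged rejection rather than a silent empty result, which is the kind of signal a web application firewall or application log review would otherwise have to supply.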

Experts also stress that the evolving landscape of critical data storage necessitates a shift in security strategies. Sensitive data is now frequently located in web-based Software as a Service (SaaS) applications, thereby requiring more sophisticated identity security measures to adequately protect these digital environments. The decentralized nature of data management and employee decisions concerning software adoption and integrations only amplify the risk of exploitation.

Addressing these security gaps at the “workforce edge” has become imperative, as employees’ choices regarding SaaS tools and data-sharing practices significantly influence the overall risk profile of organizations. The findings serve as a reminder that comprehensive visibility and control over this intricate network of applications and identities are critical to robust cybersecurity.

In reference to the MITRE ATT&CK framework, the identified vulnerabilities suggest potential tactics linked to initial access, persistence, and exploitation of vulnerabilities. As the healthcare sector continues to navigate these complex security challenges, a proactive and informed approach is essential in fortifying defenses against the ever-evolving threats of cyberattacks.
