Your medical records live in a database or file system on servers somewhere, on someone’s network, with someone’s security protecting them. A recent PBS article about cyber security in the healthcare industry reports that over 113 million medical records were compromised in 2015. Medical records, perhaps even more than financial data, are the epitome of sensitive, private data, yet the healthcare industry has reported breach after breach, with over a dozen separate breaches already logged in March of this year.
We scanned 10 leading businesses in the healthcare industry with our risk grader to see how they measured up on external security. Coming in on top were Healthcare.gov, the landing page for "Obamacare," at 808, with Kaiser Permanente close behind at 789. United Health Group came in last with a score of 266, nearly 100 below the next lowest site, Cigna who scored 361. This represents only a piece of their resiliency, but can often telegraph overall security practices. If a site’s score is low, it suggests that several standard security measures are probably not in place or may not be configured correctly. A high score means the site’s administrators have given thought to web security and are taking steps to keep your data as private as reasonably possible.
CVS is the second largest pharmacy chain in America and their site ranks in with an average score of 694. While thankfully not involving medical records, CVS suffered a major databreach in 2015 on their photo site. They have the basics: SSL and SPF, but lack any of the additional pieces such as strict transport security and secure cookies that would increase resiliency. But as we'll see, a score of 694 is actually quite good... comparatively.
UnitedHealth Group is one of the largest healthcare companies in America. It ranks 14th on the Forbes 500 and had a net income of almost six billion (with a B) in 2015. They also have the worst site of the group, scoring a very low 266, which we classify as "warning" status. Almost all of their deductions came from the website category, which scored only 95 out of 950. They don't have SSL. They don't have SPF. In fact, about all they can say is that they aren't on any blacklists, their domain won't expire for another 6 months and they have DMARC enabled for email, keeping their communications score above 600.
Walgreens is the number one pharmacy chain in America. Most people get their prescriptions from either here or CVS. They've had a few notable data breaches in years past, but their website security is still poor, lacking SSL. They do have SPF for email, but notice that their business score took a hit because of the CEO's 46% approval rating. This increases the likelihood of internal breaches, one of which Walgreens faced at the hands of a pharmacist. There is a lot Walgreens could do to improve security on their flagship site.
The Hospital Corporation of America is a major health services provider, operating 167 hospitals across America and the UK. They take a major hit without SSL, despite having very good communications practices. This might start sounding familiar, but HCA was part of the Velesco insider breach of 2014, among other smaller incidents. The cyber resiliency of health industry targets continues be a source of concern.
When it comes to data breaches in healthcare, Anthem is the first name that comes to mind, thanks to a data breach famous enough to have its own Wikipedia page. Almost 80 million records were put at risk in this breach. It shook the entire industry. Fortunately, Anthem's site has SSL and they use SPF for email, which means they're already head and shoulders above some of our previous companies. But, like CVS, they lack any of the additional protection that could further shore up their security.
Health Net, now owned by Centene, provides health insurance for nearly 6 million people. Back in 2011, they had a data breach of about 2 million patient records. Their score is interesting, because overall it is average-- 703. But their website actually scored higher at 830, because of their good SSL practices. What dropped them down was the communications score, caused by a lack of SPF, DMARC or any secure mechanism to verify email. Email is as important a security endpoint as the website; failure to secure it reduces a company's resiliency.
Behind the government run healthcare.gov, consortium Kaiser Permanente has the second best score of the group, with 789. Good SSL practices and a few additional tweaks bring their score up to the good range. That said, Kaiser has suffered 4 major data breaches since the 2000s, with the most recent in 2014. The external scan only sees those parts of an organization's resiliency that are outward facing. To get a full picture would require UpGuard's internal scan as well, combining those results with the external scan to produce the true CSTAR rating.
Cigna is another large healthcare provider with net income in the billions, yet like UnitedHealth Group, their security is quite poor, rating at 361 due to missing SSL and SPF configurations. These are perhaps two of the most basic security pieces available to internet-facing companies and cost very little to implement. Cigna recently rejected a $47 billion dollar bid by Anthem, in part because of their 2015 data breach, yet its own external resiliency rates 300 points lower than Anthem's.
Another Fortune 500 company, Community Health Systems is a major health services provider, operating almost 200 hospitals. They scored a 456, with their website itself getting a 181. CHS had a major data breach in 2014, when over 4 million records were compromised. Yet they still do not employ SSL on their website, a significant oversight.
The last site on our list, Healthcare.gov, the portal into the Affordable Care Act's online system, scores the highest of the bunch with an 808. Only a few cookie options and a lack of DMARC tarnish the score, everything else being done fairly well. Healthcare.gov is also a huge target, one steeped in political controversy, so it makes sense that it would be well-protected. That said, why is it that some companies with equally sensitive information and billions of dollars at stake wouldn't take the same precautions?
Out of Sight, Out of Mind
Hackers and other malicious actors can tell if a site has SSL or not, if a company has SPF records in DNS for email. How many executives can say the same for their own external online footprint, much less the total resiliency of their organization? UpGuard provides visibility--both externally and internally-- to ensure that an organization has the information they need to improve their security and weigh their risk. Given the overwhelming number of breach incidents in the healthcare sector, the risk for those companies grows daily.
Concerned about data breaches?
All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Article >
The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Article >