Large hospitals often have thousands of workstations used by multiple employees to access confidential patient data, so securing them can be a major challenge.
Endpoint security specialist Duo Security has compared its customers in healthcare with those in other industries to determine how the sector differs in its security requirements.
Among the findings are that healthcare customers log into twice as many applications as the average user, widening their attack surface. Twice as many healthcare endpoints have Flash installed and three times as many healthcare customers have Java installed on their devices, again putting them at greater risk of vulnerabilities and exploitation.
Healthcare customers are also more likely to choose Internet Explorer 11 as their preferred browser, compared to the latest version of Chrome favored by other users. Around 22 per cent of healthcare customers browse dangerously on unsupported versions of IE.
Windows is by far the most popular OS in healthcare organisations at 82 per cent. Ten per cent of healthcare customers are on Windows 10, while another three per cent run the now unsupported Windows XP.
“Keeping endpoints up-to-date with the latest versions of operating systems, browsers, plugins and more is no simple task for healthcare IT admins. Furthermore, they may use applications with dependencies on software versions commonly targeted by malicious hackers,” says Mike Hanley, Director of Duo Labs. “It only takes one outdated device for a hacker to exploit a known vulnerability, install malware, steal passwords and/or gain access to an entire healthcare system and databases of patient data”.
In order to keep their endpoints safe, Duo recommends that healthcare organisations keep their OS, browsers, Flash, Java and other software up to date, and apply patches as soon as they’re available from vendors. They need to enable good security controls, like strong, unique passwords; two-factor authentication; and access security policies to detect, warn, notify and block outdated devices.
They should also enable and require a minimum standard of security features on users’ devices, including encryption, screen locks, passcodes, Touch ID and more. It’s also important that they encrypt patient data while in transit, and in storage, and never transmit it over public networks.
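One way to express the detect, warn and block policy the recommendations describe, as an added example (this is not Duo's product code; the thresholds, device fields and inventory are constructed for illustration):

```python
from dataclasses import dataclass

# Thresholds are assumed example values, not Duo's actual policy settings.
UNSUPPORTED_OS = {"Windows XP"}          # called out above as no longer supported
MIN_IE_VERSION = 11                     # IE 11 is the supported line; older IE is not
RISKY_PLUGINS = {"flash", "java"}        # plugins the findings flag as widening exposure
RANK = {"allow": 0, "warn": 1, "block": 2}

@dataclass
class Device:
    host: str
    os_name: str
    browser: str            # e.g. "IE" or "Chrome"
    browser_version: int
    plugins: frozenset
    disk_encrypted: bool
    screen_lock: bool

def evaluate(d: Device) -> tuple[str, list[str]]:
    """Return (decision, reasons); the most severe finding decides access."""
    findings = []  # (severity, reason)
    if d.os_name in UNSUPPORTED_OS:
        findings.append(("block", f"unsupported OS {d.os_name}"))
    if d.browser == "IE" and d.browser_version < MIN_IE_VERSION:
        findings.append(("block", f"unsupported IE {d.browser_version}"))
    if not (d.disk_encrypted and d.screen_lock):
        findings.append(("block", "below minimum device standard (encryption/screen lock)"))
    risky = RISKY_PLUGINS & {p.lower() for p in d.plugins}
    if risky:
        findings.append(("warn", "outdated-prone plugins: " + ", ".join(sorted(risky))))
    decision = max((s for s, _ in findings), key=RANK.get, default="allow")
    return decision, [r for _, r in findings]

# Constructed inventory for the example; these are not real hosts.
INVENTORY = [
    Device("ward-pc-01", "Windows 7", "IE", 8, frozenset({"Flash"}), True, True),
    Device("ward-pc-02", "Windows XP", "IE", 8, frozenset(), False, False),
    Device("lab-pc-03", "Windows 10", "Chrome", 58, frozenset({"Java"}), True, True),
    Device("admin-pc-04", "Windows 10", "IE", 11, frozenset(), True, True),
]

def summarize(devices):
    """Count devices per decision, for the admin's notify/report step."""
    counts = {"allow": 0, "warn": 0, "block": 0}
    for d in devices:
        counts[evaluate(d)[0]] += 1
    return counts

if __name__ == "__main__":
    for d in INVENTORY:
        print(d.host, *evaluate(d))
    print(summarize(INVENTORY))
```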