Vulnerabilities exist in most of the web applications used by leading healthcare providers in the United States, according to new research by cyber assessment company Outpost24.
In its new 2021 Web Application Security for Pharma and Healthcare report, the company shared the finding that 90% of the web applications used by the US healthcare operators are susceptible to cyber-attacks.
The report assessed the internet-exposed applications of the top 20 largest pharma and healthcare organizations in the European Union and in the US to identify common attack vectors and exploitable flaws.
Researchers found that 85% of the top 20 pharma and healthcare applications had an external attack surface score of 30 or above out of 58.24. Outpost24 classified such a score as ‘critically exposed,’ indicating a "high susceptibility for security and vulnerability exposure."
Healthcare organizations in the United States were found to be more at risk than their European counterparts. While US organizations had an average risk exposure score of 40.5, the score for healthcare organizations in the EU was 32.79.
A quarter of the web applications run by healthcare organizations in the US presented a cybersecurity risk. Out of a total 6069 web applications run over 2197 domains, 3% were considered as "suspect" by researchers and a further 23.74% were found to be running on vulnerable components.
Although EU healthcare organizations run almost four times as many web applications as those in the US, the percentage of apps deemed to be risky was lower in the EU than in the US.
Of the 20,394 web applications run by EU healthcare organizations over 9216 domains, 3.3% were considered to be suspect and 18.3% were running on vulnerable components.
The researchers found that the top three attack vectors identified across healthcare organizations in the EU and the US to be Degree of Distribution, Page Creation Method and Active Content.
Outpost24 security researcher Nicolas Renard said: “It’s paramount the healthcare organizations carry out the necessary due diligence to continuously evaluate their internet exposed security perimeter given the highly sensitive information stored."
He urged organizations to "take a proactive stance to identify and mitigate potential security issues before critical care can be impacted.”