CSTAR Report Reveals Extent of Healthcare Cybersecurity Crisis

New Research From UpGuard Offers the Most Comprehensive Assessment of Healthcare Companies' Cybersecurity Risk


MOUNTAIN VIEW, CA--(Marketwired - Oct 13, 2016) - UpGuard, the company behind CSTAR -- the only comprehensive and actionable cybersecurity preparedness score for enterprises -- released a report today that unveils the extent of the healthcare sector's cybersecurity crisis and provides fresh data on the risks facing companies in this industry.

The research, which evaluates the security postures of approximately 500 healthcare companies, is part of a larger report to be released at the end of the year that audits over 7,000 companies across other key sectors.

In recent years, healthcare data breaches have continually made front-page news. In 2015 alone, 113 million medical records were compromised. It's estimated that breaches could be costing the healthcare industry as much as $6.2 billion, according to a recent Ponemon report (sponsored by ID Experts).

The report uses UpGuard's trusted and unique CSTAR score, a single measure of a company's cybersecurity risk indexed on a 0-950 scale, to evaluate healthcare companies across the industry -- from health insurers to pharmaceutical companies to hospitals -- and is packed full of never-before-published insights.

"We've reached a crucial moment in healthcare: while there's a collective push for digitizing medical information and processes, archaic security practices haven't caught up to tech advances," said Mike Baukes, co-CEO of UpGuard. "This urgent crisis has prompted us to compile the most comprehensive report available on the state of healthcare cybersecurity in order to demonstrate the scope of the problem and increase understanding of ways to tackle it."

Some of the report's key findings:

The average CSTAR score across all indexed organizations is 420, squarely in the "danger" zone.

Companies across all industries in the healthcare sector posted low CSTAR scores -- under 500 -- placing all in the warning range of scores. With an overall average score of 420, pretty abysmal on a scale of 0-950, these poor scores show the extent of the vulnerabilities in this sector.

[See Figure 1]

Companies aren't doing enough to protect themselves against phishing attacks.

Phishing, which involves the sending of malicious emails that appear to come from a legitimate source, is a common tactic used by hackers to steal data. There are free and easy-to-use mechanisms available that combat phishing by checking the validity of emails before they reach a human target, including Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC). However, the CSTAR report found that more than one-third (35%) of companies still do not have SPF records established and only 7 percent have implemented DMARC.

Large and small companies tend to have better CSTAR scores than those that are mid-sized.

Data show that while the companies with the most income are the best protected in terms of cybersecurity, scores dip in the middle and rise again for those with the lowest income. This soft spot may help explain the widespread targeting of mid-sized hospitals by hackers in the past year.

Wide spectrum of CSTAR scores among states.

The report shows that while most CSTAR ratings across the states are in a gradually ascending middle ground between 350 and 450, there are significant outliers. At either end of the spectrum, two states stand out: Utah and Maine score high at 597 and 613 respectively, while New Mexico and Delaware score 209 and 224. Delaware, the home of incorporation, is particularly worrying.

[See Figure 2]

Read more of the report's insights and download the report here.

About UpGuard
UpGuard is the company behind CSTAR, the world's only comprehensive and actionable cybersecurity preparedness score for enterprises. The score allows businesses to understand the risk of breaches and unplanned outages due to misconfigurations and software vulnerabilities. It also offers insurance carriers a new standard by which to effectively assess client risk and compliance profiles. Thousands of companies, including Rackspace, Ulta, Citrix, Amadeus, PGI and ADP, use UpGuard to validate infrastructure, continuously detect risks and procure cybersecurity insurance. UpGuard is headquartered in Mountain View, CA with offices in Portland, OR. To see how UpGuard works, or to get your CSTAR rating, visit www.upguard.com
