Health Care Industry Gets a B+ on Cybersecurity

Tue Jul 02 2024By KennedyKrieg

New SecurityScorecard threat research reveals that while the health care sector gets a “B+” security rating for the first half of 2024, it faces a critical vulnerability: supply chain cyber risk. The new report, “The Cyber Risk Landscape of the U.S. Healthcare Industry, 2024,” examines historical breach data and security ratings to provide insights for health care organizations to stop supply chain breaches.

In the wake of the Change Healthcare ransomware attacks, SecurityScorecard STRIKE threat analysts investigated the most critical risks faced by the 500 largest U.S. health care companies.

Key findings included:

  • Health care industry gets a B+: The U.S. health care industry’s security ratings were better than expected, with an average score of 88. However, there is still room for improvement: Organizations with a B rating are 2.9x more likely to be victims of data breaches than those with an A rating.
  • Health care Industry leads in third-party breaches: 35% of third-party breaches in 2023 affected health care organizations, outpacing every other sector. The supplier ecosystem is a highly desirable target for ransomware groups. Attackers can infiltrate hundreds of organizations through a single vulnerability without being detected.
  • Medical device organizations have a higher risk of compromise: Medical device and equipment companies scored 2-3 points lower than those of the overall health care sample. These organizations also had a 16% higher rate of reported breaches and compromised machines than those in other healthcare sectors.
  • AppSec is the biggest attack surface threat: Application security issues are among the most significant flaws in health care attack surfaces – 48% of organizations scoring the lowest in this category. The software supply chain gives an attacker access to source code, build processes, pipeline tools, or software updates to carry the attack downstream to the supplier’s customers, which often implicitly trust the vendor and its systems.
  • Breaches remain low despite rising threats: 5% of health care organizations experienced publicly reported breaches in the past year, and 6% had evidence of a compromised machine on their networks in the past 30 days. Ransomware remains a top threat to the industry, as reflected in the public reporting on these attacks.

Concentrated cyber risk

As a result of Change Healthcare costing some companies $1 million per day, corporate security executives are doubling down on efforts to bolster supplier oversight and cybersecurity measures. Every organization must scrutinize its data security practices, assess third- and fourth-party access to sensitive data, and identify critical vendors essential to revenue.

“One single point of failure, like Change Healthcare which underpinned medical claims processing, can cripple the entire health care ecosystem. And history will continue to repeat itself if the cybersecurity community does not actively monitor supply chain risk. Together, we must identify and address single points of failure,” Ryan Sherstobitoff, senior vice president of threat research and intelligence, said.


The research examines the security ratings and historical breach data of the 500 largest healthcare companies whose stock is publicly traded in the United States. See detailed methodology.

Additional resources

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Please review our Privacy Policy for more details.
I Agree