IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Vast majority of US healthcare web apps vulnerable to attack

Report suggests patient data is at risk from poor security hygiene

A heartbeat monitor displayed inside an operating room

Nine in ten web applications used by US healthcare operators are highly susceptible to attack or vulnerability exposure, according to a new report.

The 2021 Web Application Security for Healthcare report, published by IT security firm Outpost24, found that most US healthcare providers (90%) had an external attack surface score of above 30 (out of 58.4). This score was categorized by the firm as ‘critically exposed’, indicating a high susceptibility for security and vulnerability exposure.

The report also found that US healthcare organizations had a larger attack surface with an average risk exposure score of 40.5 when compared to EU pharmaceutical organizations, which had a score of 32.79. 

This is despite US healthcare providers running 30% fewer external web applications compared to the top ten largest EU pharma manufacturers, which had 20,394 apps.

The top ten US healthcare organizations ran 6,069 web applications over 2,197 domains, with 3% of these regarded as suspicious. The report said these could be test environments that should be closed, since they are open to hackers. It was also found that 24% of these applications were running on old components containing exploitable vulnerabilities.

The report said that it was important that healthcare security teams get a handle on their application security to reduce the risk of ransomware and other malware from both known and unknown applications.

“With security resources feeling the strain and having a multitude of elements to manage including hybrid working from the pandemic, it's challenging to identify all web services on the Internet containing old components. We identified 19.5% of all US and EU applications analyzed use old components, increasing the security exposure from known vulnerabilities which has a knock-on effect on security hygiene,” the report’s authors said.

Although the report found that EU healthcare applications were more up to date than those run by US organizations, the number of live applications was 236% higher.

“This reveals the different weaknesses in their attack surface - with EU organizations having a much larger attack surface, possibly a result of shadow IT; and US organizations being more at risk of potential exploits from vulnerable software components,” the authors stated.

Related Resource

What to consider when choosing a next-generation firewall

How to choose a NGFW solution

Vector of an envelope with a padlock over it on a blue backgroundFree download

Nicolas Renard, a security researcher at Outpost24, said it was essential that healthcare organizations carry out the necessary due diligence to continuously evaluate their internet security perimeter given the highly sensitive information stored.

“Any kind of data breach and downtime for healthcare organizations can be fatal, therefore they must take a proactive stance to identify and mitigate potential security issues before critical care can be impacted,” he added.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download


Why is the healthcare industry so vulnerable to ransomware?

Why is the healthcare industry so vulnerable to ransomware?

28 Feb 2022
Critical vulnerabilities in Philips EMR system could risk patient data
cyber security

Critical vulnerabilities in Philips EMR system could risk patient data

8 Nov 2021
Cambridge-1 and the future of medicine
big data

Cambridge-1 and the future of medicine

3 Nov 2021
NIH renews COVID research contract with Palantir

NIH renews COVID research contract with Palantir

4 Oct 2021

Most Popular

16 ways to speed up your laptop

16 ways to speed up your laptop

13 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022
Preparing for the 3G sunset
Network & Internet

Preparing for the 3G sunset

18 May 2022