Webinar Insights
Transcript
Sarah Sample Rife (Chief Strategy Officer, Zivaro):
Welcome, everyone. It’s great to have you join us today with Zivaro and Security Scorecard. My name is Sarah Sample Rife, and I am the Chief Strategy Officer for Zivaro. We are a systems integrator that provides licensing for various resale products and also operates as a managed services and managed security organization. Today, we have Matthew Anselin from Security Scorecard with us. He’s a Principal Solutions Architect, and we find great value in this partnership. Matthew, I’ll turn it over to you.
Matthew Anselin (Principal Solutions Architect, Security Scorecard):
Thank you, Sarah. Today, I’m presenting data and insights into the healthcare industry, specifically from a technical and security review standpoint. I used a sample set for this analysis that included healthcare providers, suppliers, information management systems, and equipment providers. This gives a broad look at the healthcare industry’s security landscape.
For those unfamiliar with Security Scorecard, I’ll briefly explain our work. We started by highlighting vendors’ and third parties’ security posture and hygiene, addressing the challenges of monitoring external partners handling sensitive data. Given the reliance on cloud and SaaS solutions today, many companies don’t hold data internally but depend on third parties.
We continuously monitor third-party security, examining essential practices like keeping certificates current and not exposing databases to the Internet. All our data is collected from a public-facing, outside-in perspective—no internal sensors are deployed in companies. We distill our findings into a scorecard, graded A through F, which provides a straightforward assessment of cybersecurity risks, making it accessible for both technical and non-technical audiences.
Matthew Anselin:
For this presentation, I analyzed data from 890 healthcare companies. Sixty companies experienced a breach within the last 12 months, and 26 were third-party breaches—where the vulnerability originated outside the company’s systems. This underscores why third-party risk management has become so critical.
One unique capability we offer is zero-day monitoring. For instance, 49 of the 890 companies use the “MOVEit” software, identified by a unique hash value in its favicon. Without deploying internal sensors, we detect vulnerabilities like this in public data.
We also have a global sinkhole network to detect real-time threats. Recently, two healthcare organizations exhibited signs of active exploitation attempts. Furthermore, 408 entities were found with known exploited vulnerabilities, indicating a need for improved vulnerability management. However, this figure has decreased from over 600 in a similar analysis conducted in August, suggesting improvements across the industry.
Matthew Anselin:
The healthcare industry has shown progress in addressing vulnerabilities. For example, none of the companies analyzed currently show exposure to the vulnerable Log4j version—down from 11 companies in August. This reflects tightening security practices in healthcare.
Looking at score drops, only four entities had a score drop of more than 10 points in the last 30 days, signaling a positive trend for the healthcare sector. Similarly, exposed databases have decreased, with 53 companies currently showing exposed databases, down from 75 in August. While industrial control systems (ICS) exposure remains, only eight of the 890 entities showed ICS exposures.
Matthew Anselin:
Ransomware remains a serious threat, especially in healthcare, where patient safety can be directly impacted. We monitor ransomware susceptibility, focusing on remote access vulnerabilities. From 40 susceptible entities in August, this has decreased to 12. However, 13 healthcare companies have recently appeared on hacker forums, indicating they may be ransomware victims.
Critical vulnerabilities continue challenging healthcare security. 368 entities showed critical-level vulnerabilities, down from over 500 in August. The presence of high-risk products, like Apache and NGINX, remains widespread, as 310 entities use products with a history of vulnerabilities.
Our sinkhole network identifies active malware infections, with 29 entities currently affected. This is down significantly from 93 in August, which is promising.
Matthew Anselin:
In reviewing historical breach data, 34% of my sample had at least one breach, dating back to 2001, with 43% of recent breaches involving third parties. The high value of healthcare data for cybercriminals makes this industry especially vulnerable to attacks.
To address vulnerabilities, we focus on zero-day risks and continuously monitor our clients’ vendors. Our Zero Days of Service provides proactive alerts for newly discovered threats, helping companies secure their vendors quickly and efficiently.
Sarah Sample Rife:
Matthew, you mentioned earlier that 2024 saw one of the most significant healthcare breaches in history involving Change Healthcare. This impacted supply chain, revenue, and medication management across multiple organizations. How could Security Scorecard have helped prevent such a breach?
Matthew Anselin:
Great question. When Change Healthcare’s breach occurred, we analyzed their security data and noted early warning signs, including active malware activity and exposure to remote access vulnerabilities. While we can’t directly prevent breaches, our data helps clients monitor their third parties. A proactive review of Change Healthcare’s security score might have raised concerns, allowing their partners to encourage remediation efforts.
Attendee:
How does Security Scorecard collect data, and how do you avoid false positives?
Matthew Anselin:
We don’t target individual companies but continuously collect data from every IP in the IPv4 internet. Our proprietary network of global listening posts and sinkholes provides farm-to-table cybersecurity data. We have various engines to monitor SPF records, open ports, and more, gathering data in a non-intrusive way. We never go beyond a TCP handshake to collect information.
Careful divining processes minimize false positives. For example, we deduce browser versions using public advertising data, not to market but to check for outdated browsers, which could indicate vulnerability. Our proprietary mapping system also aligns data with company digital footprints to avoid inaccuracies.
Sarah Sample Rife:
You also noted that third-party breaches are growing as more companies rely on external data hosting. Could you speak more on concentration risk?
Matthew Anselin:
Certainly, concentration risk is when a large percentage of an industry depends on a few vendors. For instance, over 40% of healthcare entities in my sample use vendors like Apache or Express Logic. This creates a potentially catastrophic risk if one major vendor suffers a breach, as seen in the SolarWinds attack. Monitoring these high-risk vendors is essential to mitigate broad impacts.
Sarah Sample Rife:
Thank you, Matthew, for a thorough and insightful presentation. Thank you all for joining. We’ll follow up soon with additional resources.
Matthew Anselin:
Thank you for having me, Sarah. It was a pleasure. Happy Halloween to everyone!
Copyright © 2024 Zivaro, A Trace3 Company. All Rights Reserved.