Healthcare and its associated medical-related industries may not be as much of a target for cybercriminals as banks and financial institutions – but they are not far behind. For attackers, the sector offers numerous entry points and potential access to not only financial information but also detailed personal information on consumers.
According to the web site HealthITSecurity.com, the number of patient health records compromised tripled worldwide from 2017 to 2018, reaching a total of 15 million records in more than 500 breach incidents. However, halfway through 2019, the 2018 record has already been sharply exceeded with more than 25 million records compromised.
Similar data comes from the most recent Verizon Data Breach Investigation Report, revealing that in 2018 the healthcare sector itself suffered 750 incidents, including 536 breaches that resulted in data disclosures. The Verizon researchers noted that it is the only industry vertical that has more employees and other insiders implicated in breaches than external attackers, which adds additional complexity to protection efforts.
Regardless of where attackers come from, for MedTech, SSL/TLS certificates are the indispensable heart of the Public Key Infrastructure (PKI) that helps keep data secure. Certificates play a crucial role in ensuring that MedTech organizations are able to confirm identities, they make it possible for online payments systems to function securely, and they support all other aspects of security. In short, digital certificates are crucial, making PKI management a top priority.
The top 50: overview for MedTech sector
We used the Keyhub SSL certificate discovery tool to find out that among the top 50 companies involved in MedTech there are over 5,551 subdomains and more than 557 certificates, nearly 10% of them expired. In researching the public domains of the top 50 MedTech organizations, the results were as follows:
- 557 certificates were discovered
- 52 CAs
- 11 SHA1 certificates
- 3 with weak keys
- 54 SSL/TLS certificates expired
- 28 certificates close to expiration (within 30 days)
Overall, most MedTech organizations, approximately three-quarters in total, used only one host, while a substantial minority used between two and four. Only three used more than 50 hosts. While more than 92% of all of the keys discovered were RSA 2048, a healthy minority were the stronger RSA 4096 keys. Two examples of ECC 256 were also discovered. ECC is often seen as a viable alternative, though concern has been expressed that it can be slower because it is more compute-intensive.
Signature hash algorithms showed similar uniformity. Nearly all (97%) of the algorithms in use at MedTech organizations were SHA256RSA; approximately 2% were SHA1RSA and approximately 1% were SHA512RSA. Note that Microsoft products no longer recognize SHA1, and its use can lead to security alerts. Of course, the strength of the hash algorithm used to sign an SSL/TLS certificate is vital: weak hash algorithms can allow attackers to obtain fraudulent certificates.
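The findings above amount to a short certificate hygiene checklist: expired, expiring within 30 days, signed with SHA-1, and weak key. The following Go program is an added example, not the Keyhub tool or any code from the original post; it applies those four checks to parsed X.509 certificates using only the standard library. The certificates it audits are a constructed sample set of self-signed certificates (the names `healthy`, `expired`, `expiring-soon`, `sha1-weak-key` and `ecc-p256` are made up for illustration), and it treats RSA below 2048 bits or ECC below 256 bits as "weak", which is an assumption since the post does not define the term.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding holds, for one certificate, the hygiene checks the report counted.
type Finding struct {
	Name, Key                                   string // Key is e.g. "RSA 2048" or "ECC 256"
	Expired, ExpiringSoon, SHA1Signed, WeakKey bool   // ExpiringSoon: still valid, but NotAfter within expiryWindow
}

const expiryWindow = 30 * 24 * time.Hour // the report's "close to expiration" window

// Audit classifies one parsed certificate. Assumption: RSA below 2048 bits or
// ECC below 256 bits counts as a weak key; the report does not define the term.
func Audit(name string, cert *x509.Certificate, now time.Time) Finding {
	f := Finding{Name: name}
	f.Expired = now.After(cert.NotAfter)
	f.ExpiringSoon = !f.Expired && cert.NotAfter.Sub(now) <= expiryWindow
	switch cert.SignatureAlgorithm { // any SHA-1 scheme is flagged, whatever the key type
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		f.SHA1Signed = true
	}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		f.Key, f.WeakKey = fmt.Sprintf("RSA %d", k.N.BitLen()), k.N.BitLen() < 2048
	case *ecdsa.PublicKey:
		bits := k.Curve.Params().BitSize
		f.Key, f.WeakKey = fmt.Sprintf("ECC %d", bits), bits < 256
	default:
		f.Key, f.WeakKey = "unknown", true // unrecognised key types are a finding too
	}
	return f
}

// selfSigned mints a throwaway self-signed certificate for the constructed sample set.
func selfSigned(cn string, notAfter time.Time, key crypto.Signer, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-365 * 24 * time.Hour), NotAfter: notAfter, SignatureAlgorithm: alg}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AuditAll builds a constructed sample set (not real MedTech certificates) that
// exhibits each problem the report counted, then audits it relative to now.
func AuditAll(now time.Time) ([]Finding, error) {
	rsa2048, err1 := rsa.GenerateKey(rand.Reader, 2048)
	rsa1024, err2 := rsa.GenerateKey(rand.Reader, 1024) // deliberately weak
	ecKey, err3 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v %v", err1, err2, err3)
	}
	day := 24 * time.Hour
	samples := []struct {
		name     string
		notAfter time.Time
		key      crypto.Signer
		alg      x509.SignatureAlgorithm
	}{
		{"healthy", now.Add(365 * day), rsa2048, x509.SHA256WithRSA},
		{"expired", now.Add(-5 * day), rsa2048, x509.SHA256WithRSA},
		{"expiring-soon", now.Add(10 * day), rsa2048, x509.SHA256WithRSA},
		{"sha1-weak-key", now.Add(200 * day), rsa1024, x509.SHA1WithRSA},
		{"ecc-p256", now.Add(365 * day), ecKey, x509.ECDSAWithSHA256},
	}
	var findings []Finding
	for _, s := range samples {
		cert, err := selfSigned(s.name+".example", s.notAfter, s.key, s.alg)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", s.name, err)
		}
		findings = append(findings, Audit(s.name, cert, now))
	}
	return findings, nil
}

func main() {
	findings, err := AuditAll(time.Now())
	if err != nil {
		panic(err)
	}
	for _, f := range findings { // one line per certificate, in the order of the report's bullets
		fmt.Printf("%+v\n", f)
	}
}
```

In a real inventory the `selfSigned` step would be replaced by certificates collected from the organization's hosts (a TLS handshake's peer chain or PEM files on disk); `Audit` itself only looks at `NotAfter`, the signature algorithm and the public key, so it applies unchanged. Note that the SHA-1 check deliberately flags the certificate regardless of key type, which matches the report's counting of SHA1 certificates separately from weak keys.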
Top ten sites
We further narrowed the focus to the top ten most visited sites where we found some 4,234 affiliated subdomains. Some of the findings included:
- 135 certificates discovered
- 12 CAs
- 8 SSL/TLS certificates were expired
Clearly, invalid SSL/TLS certificates are a concern at any time and in any industry, but with so much personal information, protected by so many regulations, at risk in MedTech, it is vital to get certificates right. Attackers know where data lives and are determined to gain access. Organizations in the MedTech sector should understand that an improperly managed PKI is a point of vulnerability.
While the “numbers” relating to SSL/TLS certificate management problems were not as immediately concerning as for some other industry sectors, MedTech is also held to a higher standard. As the Verizon Breach Report noted, healthcare-related organizations must adhere to a “much higher standard of scrutiny with regard to privacy and disclosure requirements than...most other verticals, due to regulations such as the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act,” both US laws.
Create your free Keyhub account to discover all SSL/TLS certificates in less than 5 minutes and evaluate the whole PKI health!