Report: Healthcare Industry Needs to Improve Application Security Practices | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Report: Healthcare Industry Needs to Improve Application Security Practices

October 18, 2016
by Heather Landi
| Reprints

The healthcare Industry significantly lags behind other industries when it comes to fixing security vulnerabilities and has the highest prevalence of cryptographic and credentials management issues, according to a security report by Veracode. Given the recent ransomware and other cyber attacks on healthcare organizations, the industry’s low performance on these application security benchmarks is troubling, the Veracode report states.

In its annual State of Software Security Report (SoSS), Veracode, a software security firm, presents metrics drawn from code-level analysis of billions of lines of code across 300,000 assessments performed over the last 18 months.

The report revealed that the continued and persistent use of components in software development is creating systemic risk in the country’s digital infrastructure. However, the report also found that companies achieve accelerated benefits when their application security programs reach maturity. These finding indicate that the growing trend of focusing on digital risk at the application layer and building security into DevOps processes (DevSecOps) can yield great results for organizations in reducing risk without slowing down software development.

One of the key findings of the report is that the prevalent use of open-source and third-party components is creating unmanaged risk. Approximately 97 percent of Java applications contained at least one component with a known vulnerability, according to the report authors.

“The prevalent use of open source components in software development is creating unmanaged, systemic risks across companies and industries,” Brian Fitzgerald, CMO at Veracode, said in a statement. “Today, a cybercriminal can focus on a single vulnerability in one component to exploit millions of applications. Software components are used by every industry and for software of all kinds, and given our dependence on applications, the ease at millions of applications can be breached has the potential to create havoc in our digital infrastructure and economy.”

When looking at healthcare specifically, healthcare as an industry now has the lowest vulnerability fix rate, second-lowest OWASP (Open Web Application Security Project) pass rate and the highest prevalence of cryptographic and credentials management issues. The healthcare industry OWASP policy compliance pass rate is 33 percent, with government being the lowest at 25 percent.

According to the report authors, one of the most telling measures of the state of software security by industry is the vulnerability fix rate. When looking at fix rates by industry vertical, the healthcare industry ranks last for its vulnerability fix rate, and it lags the top performer, manufacturing, by a two-to-one ratio when it comes to fixing critical cyber errors.

“Does the gap reflect an inability to appropriately address vulnerabilities once they’ve been found, or does it point to some other structural constraint that holds healthcare back?” the report authors asked.

The research also highlights the challenges that still exist in software development more broadly. For example, 60 percent of applications failed basic security requirements upon first scan, which means fewer than four out of 10 applications pass security policy requirements on initial assessment. “The fact that this number fundamentally doesn’t change year over year indicates that there’s a lot of software out there that has still not been brought through a formal security improvement process—whether unremediated legacy code or new code that’s not developed via a rigorous secure software development lifecycle (SDLC),” the report authors wrote.

The report found that when companies follow best practices and implement programs with consistent policies and practices for secure development, they are able to remediate vulnerabilities at a higher rate. The study showed that the top quartile of companies fix almost 70 percent more vulnerabilities than the average organization. Additionally, best practices like remediation coaching and eLearning can improve vulnerability fix rates by as much as six-times.

According to the report, giving software developers more power improves security as developers using sandbox technology to scan apps prior to assurance testing show a significant improvement in fix rates.

Additionally, training matters, the report authors wrote, as best practices like remediation coaching and eLearning can improve vulnerability fix rates by as much as six times over.

 

 

Get the latest information on Cybersecurity and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

CMS Exploring Potential Behavioral Health Payment and Care Delivery Model

The Center for Medicare & Medicaid Services (CMS) plans to hold a one-day summit in September to solicit feedback and ideas for a potential behavioral health model to improve access, quality and cost of care for beneficiaries with behavioral health conditions.

MEDITECH to Soon Offer CommonWell Health Alliance Services to Customers

MEDITECH, a Westwood, Mass.-based electronic health record (EHR) vendor, has announced that it is set to offer CommonWell interoperability services early next year.

HITRUST CSF Certification Now Includes NIST Cybersecurity Certification

HITRUST has announced that HITRUST cybersecurity framework (CSF) version 9 enhancements now extend an “assess once, report many” approach as a standard security framework for multiple critical infrastructure industries and includes National Institute of Standards and Technology (NIST) Cybersecurity certification.

Premier: Analytics Helping Hospitals Optimize Blood Use

An analysis of 645 hospitals revealed that comparative data analytics to drive performance improvement has the potential to optimize blood use across numerous diagnoses.

Almost 80 Percent of Clinicians Still Use Hospital-Issued Pagers

A study examining the communication technologies used by hospital-based clinicians found that close to 80 percent (79.8 percent) of clinicians continue to use hospital-provided pagers and 49 percent of those clinicians report they receive patient care-related messages most commonly by pager.

Survey: IT Expenses per Physician Continue to Rise to Nearly $19,000

Information technology (IT) expenses for physician practices are on a slow and steady rise for most practices, and last year, physician-owned practices spent between nearly $2,000 to $4,000 more per FTE physician on IT operating expenses than they did the prior year, according to a recent Medical Group Management Association (MGMA) survey.