
Healthcare Software Security Assessed by Veracode


The cloud offers healthcare providers the opportunity to streamline the provision and management of medical services. However, healthcare providers attempting to harness the power of the cloud could potentially be placing Protected Health Information (PHI) at risk.

HIPAA requires covered entities to safeguard PHI at all times, whether it takes the form of physical records or digital files. Any PHI stored or accessible via apps or other cloud applications must have security controls in place to protect the data. All cloud applications must therefore be subjected to a thorough risk assessment to identify potential security vulnerabilities, and any issues found must be addressed.

Many healthcare providers, and other HIPAA-covered entities, enlist the help of specialist firms to assess mobile application security, and Veracode is a market leader in this field.

Over 200,000 Cloud Application Security Assessments Performed


Veracode assesses applications for security vulnerabilities that could potentially be exploited to gain access to patient data, or to login credentials that would in turn give access to healthcare computer networks. Over the years the company has gathered a considerable amount of data from these assessments. That data has now been analyzed and compiled into a new State of Software Security Report.

The report gives CISOs, CIOs and Health IT professionals important insights into software security, allowing them to better understand the risks affecting their own organization’s cloud applications.

The report was compiled from data collected from 208,670 security assessments performed by the company over an 18-month period; during that time the company’s systems analyzed billions of lines of code.

Government Software Security Compared with 34 Other Industries


The previous volume of the report, produced in 2011, focused solely on the government sector, whereas the latest issue compares government software security with 34 other industries, including healthcare. These industries have been grouped into 7 vertical markets against which government security has been compared.

This year’s report offers remediation best practices and also looks at the results of applying risk reduction strategies, comparing the efforts different industries have made to address their mobile application security vulnerabilities.

Main Findings of the Security Report


It’s bad news for the government sector, as many security enhancements are needed. There are still considerable holes in its mobile application security defenses which will take some time to correct. According to the data, over 75% of government applications were failing the OWASP Top 10 when assessed for risk. The main problem has been identified as over-reliance on outdated programming languages.

If security vulnerabilities are addressed there are considerable benefits. The manufacturing industry leads the way: it has addressed the most vulnerabilities of any industry, tackling 81% of the total number of vulnerabilities Veracode’s software detected. The government, which should, in theory at least, be addressing vulnerabilities faster than other sectors, is bottom of the list, having addressed only 27% of detected vulnerabilities. Healthcare is second from bottom, with only 43% of software security vulnerabilities resolved.

The report details the major software security vulnerabilities affecting the healthcare industry, one of the industries with particularly risky software. The breakdown of risk for the healthcare industry (the percentage of assessed healthcare applications exhibiting each category of flaw) was determined to be:

· Code Quality 80%
· Cryptographic Issues 61%
· Information Leakage 60%
· CRLF Injection 48%
· Cross-Site Scripting (XSS) 46%
· Directory Traversal 45%
· Insufficient Input Validation 43%
· SQL Injection 32%
· Credential Management 26%
· Time and State 23%

Veracode’s researchers found there was a “higher institutional awareness of application security risk and a stronger emphasis on enforcing enterprise-wide policies, monitoring key performance indicators (KPIs) and instituting continuous improvement processes” in the financial and manufacturing sectors.

Healthcare Industry Fares Poorly


Veracode said in a recent media release, “Given the large amount of sensitive data collected by healthcare organizations, it’s concerning that 80 percent of healthcare applications exhibit cryptographic issues such as weak algorithms upon initial assessment.” With only 43% of vulnerabilities remediated, the industry is still particularly susceptible to attack.

The data analysis showed that almost three out of four third-party software applications failed the OWASP Top 10 when initially assessed, which shows that significant data security risks are being introduced through the software supply chain. Veracode also found that remediation coaching services can substantially lower application-layer risk.

Author: HIPAA Journal

