Healthcare Software Security Assessed by BSIMM Study

Aetna, ANDA, McKesson, The Advisory Board Company, Siemens and Zephyr Health have all been assessed as part of the latest Building Security in Maturity Model (BSIMM) study, published yesterday, with healthcare software security discovered to be well behind other industry sectors.

This is the first time that healthcare firms have been assessed by the study, which looks at 12 different software security practices. The study assesses enterprise software security development, which for the healthcare industry is severely lagging behind other industries in all 12 of the software security practices tested. This is the first time in the history of the study that one industry has performed so consistently poorly, and has come bottom of the list in all of the security practices tested.

The main industries assessed as part of the study were healthcare, the financial services, consumer electronics organizations and independent software companies, as well as a smaller number of organizations from the insurance, retail and telecoms industries.

The results of the BSIMM study give organizations an insight into how they, and others, are conducting their in-house software security programs. The study does not provide a guide on how those programs need to be run, instead it serves as a benchmark which can be used to measure progress and compare security efforts.

The study assessed 12 software security practices across four domains:

  • Governance
    • Strategy & Metrics
    • Compliance & Policy
    • Training
  • Intelligence
    • Attack Models
    • Security Features & Design
    • Standards & Requirements
  • SSDL Touchpoints
    • Architecture Analysis
    • Code Review
    • Security Testing
  • Deployment
    • Penetration Testing
    • Software Environment
    • Configuration Management & Vulnerability Management

Governance is concerned with the organization, management and measurement of software security initiatives. Intelligence covers threat modelling, security guidance and the collection of corporate knowledge used in assessing software security initiatives. SSDL Touchpoints is concerned with analysis and assurance of software development, while Deployment covers the practices that interact with network security, software configuration and other issues that have a direct impact on software security.

The study, conducted with assistance from leading software security firm, Cigital Inc., determined that healthcare software security has fallen behind that of other industries. This has been attributed to limited resources and a lack of investment in software security.

Gary McGraw, CTO at Cigital, believes the Health Insurance Portability and Accountability Act (HIPAA) is partly to blame for the poor performance of the healthcare industry. Yesterday, when the results of the study were published, he said, “All [HIPAA] did was increase bureaucracy and the tiny print stuff handed out each time you go to the doctor. It over-focused the healthcare domain on privacy and patient privacy data, which is an important thing. But there are many other aspects of security that have little to do with privacy.”

The study tested 78 organizations, including 10 healthcare companies, of which 6 agreed to be named. These firms are taking great strides to improve software security and should be commended for taking part in the survey, and agreeing to have their names published. It shows that they are prepared to take a good look at where they stand in relation to other organizations in other industries, to gain a better insight into how they compare, and to discover which areas require greater work and investment to raise standards.

The BSIMM6 study can be downloaded here

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.