HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare Software Security Assessed by Veracode

The cloud offers healthcare providers the opportunity to streamline the provision and management of medical services. However, healthcare providers attempting to harness the power of the cloud could potentially be placing Protected Health Information (PHI) at risk.

HIPAA requires covered entities to safeguard PHI at all times, whether it takes the form of physical records or digital files. Any PHI stored or accessible via apps or other cloud applications must have security controls in place to protect the data. All cloud applications must therefore be subjected to a thorough risk assessment to identify potential security vulnerabilities, and any issues found must be addressed.

Many healthcare providers, and other HIPAA-covered entities, enlist the help of professionals when it comes to assessing mobile application security, with Veracode a market leader.

Over 200,000 Cloud Application Security Assessments Performed

Veracode assesses applications for security vulnerabilities that could potentially be exploited to gain access to patient data, or to capture login credentials that grant access to healthcare computer networks. Over the years the company has gathered a considerable amount of data. That data has now been analyzed and compiled into a new State of Software Security Report.


The report gives CISOs, CIOs and Health IT professionals important insights into software security, allowing them to better understand the risks affecting their own organization’s cloud applications.

The report was compiled from data collected from 208,670 security assessments performed by the company over an 18-month period; during that time the company’s systems analyzed billions of lines of code.

Government Software Security Compared with 34 Other Industries

The previous volume of the report, produced in 2011, focused solely on the government sector, whereas the latest issue compares government software security with 34 other industries, including healthcare. These industries have been grouped into 7 vertical markets against which government security has been compared.

This year’s report offers remediation best practices and also looks at the results of applying risk reduction strategies, comparing the efforts different industries have made to address their mobile application security vulnerabilities.

Main Findings of the Security Report

It’s bad news for the government sector, as many security enhancements are needed. There are still considerable holes in its mobile application security defenses, which will take some time to correct. According to the data, over 75% of government applications were failing the OWASP Top 10 when assessed for risk. The main problem has been identified as over-reliance on outdated programming languages.

Addressing security vulnerabilities brings considerable benefits. The manufacturing industry leads the way: it has made many improvements and has addressed the highest proportion of vulnerabilities of any industry, tackling 81% of the total number of vulnerabilities Veracode’s software detected. The government, which should, in theory at least, be addressing vulnerabilities faster than other sectors, is bottom of the list, having addressed only 27% of detected vulnerabilities. Healthcare is second from bottom, with only 43% of software security vulnerabilities resolved.

The report details the major software security vulnerabilities affecting the healthcare industry, one of the industries with particularly risky software. The breakdown of risk for the healthcare industry was determined to be:

· Code Quality
· Cryptographic Issues 61%
· Information Leakage 60%
· CRLF Injection 48%
· Cross-Site Scripting (XSS) 46%
· Directory Traversal 45%
· Insufficient Input Validation 43%
· SQL Injection 32%
· Credential Management 26%
· Time and State 23%

Veracode’s researchers found there was a “higher institutional awareness of application security risk and a stronger emphasis on enforcing enterprise-wide policies, monitoring key performance indicators (KPIs) and instituting continuous improvement processes” in the financial and manufacturing sectors.

Healthcare Industry Fares Poorly

Veracode said in a recent media release, “Given the large amount of sensitive data collected by healthcare organizations, it’s concerning that 80 percent of healthcare applications exhibit cryptographic issues such as weak algorithms upon initial assessment.” With only 43% of vulnerabilities remediated, the industry is still particularly susceptible to attack.

The data analysis showed that almost three out of four third-party software applications failed the OWASP Top 10 when initially assessed, which shows that significant data security risks are being introduced in the supply chain. Veracode also found that remediation coaching services can substantially lower application-layer risk.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.