Healthcare gets poor rating for application security

The healthcare industry fares poorly compared to other industries in reducing application security risk, according to a report from application security vendor Veracode.

More than 200,000 application assessments from its customers over 18 months were analyzed using methods including static analysis, dynamic analysis or manual penetration testing.

"Given the large amount of sensitive data collected by healthcare organizations, it's concerning that 80 percent of healthcare applications exhibit cryptographic issues such as weak algorithms upon initial assessment," the report states, referring to authentication protocols.

In addition, healthcare is near the bottom of the pack when it comes to remediation, with only 43 percent of known vulnerabilities being remediated. Government was the only sector studied that was doing worse.

The authors hypothesize that the financial services sector is doing better due to regulatory mandates and a bigger focus on continuous improvement processes. On the other hand, they say the lack of regulatory demands may contribute to the issues in healthcare.

The report points out that there is no established level of acceptable security flaw density, nor any agreed standard for what remediation timeframe is adequate.

"The data in this report clearly shows that, by addressing the problem systematically and at scale, enterprises can significantly reduce application risk--not by installing more next-generation firewalls, but by remediating application-layer vulnerabilities to reduce enterprise risk," the report states.

Despite warnings from the Office of Civil Rights of a crackdown on HIPAA violations, research from ProPublica found few organizations have been fined for them. In addition, the second phase of the audit process has been a long time in getting off the ground.

In the first four months of 2015 alone, more than 99 million healthcare records were exposed through 93 separate attacks, according to the Workgroup for Electronic Data Interchange (WEDI). It recently released a cybersecurity primer that outlines how to mitigate attacks, detect them and respond effectively.

To learn more:
- read the report
