Application security remains 'troubling' in healthcare

network security

A lot of software in use, particularly related to the healthcare industry, has not been through a formal security improvement process, according to a new analysis by application security vendor Veracode.

In its report, Veracode compared applications’ compliance with the Open Web Application Security Project (OWASP) and SANS Top 25 standards, which are built around slightly different sets of threats.

Examining compliance pass rates for first-time scans, only government (25 percent) fared worse than the healthcare industry (33 percent). The report notes, however, that every industry sector except financial services improved slightly from last year.

Overall, internally developed applications showed a slight uptick in improvement over time, while commercial software lost a bit of ground.

However, the analysis calls the healthcare vulnerability fix rate “troubling.” The top performer, manufacturing, outperforms healthcare, 2 to 1, on fixing vulnerabilities once they’ve been identified.

The top vulnerability cited across industries was data leakage, a problem found in 65.5 percent of healthcare apps. However, the report authors called attention to cryptographic (encryption) and credentials management issues in healthcare, as well.

They also noted a prevalence of vulnerabilities in JavaScript-based applications, a programming language that has been rapidly adopted in healthcare, retail, and financial services for server-side and mobile applications.