The State of Software Security Volume 9 (SOSS Vol. 9) found that the healthcare industry, with its stringent regulations, received relatively high marks in many of the standard AppSec metrics. According to Veracode scan data, healthcare organizations ranked highest of all industries on OWASP pass rate on the latest scan, coming in with a rate of just over 55 percent. Our flaw persistence analysis shows that the industry is statistically closing found vulnerabilities far faster than any other sector.
However, the recent American Medical Collection Agency data breach has brought attention to the fact that breaches involving subcontractors and business associates, particularly in the healthcare industry, are on the rise. As both Quest Diagnostics and Laboratory Corporation of America Holdings (LabCorp) have filed 8-Ks with the Security and Exchange Commission (SEC), as many as 11.9 million people may have had their personal and payment information stolen by an unauthorized user.
Earlier this year, Moody’s Investor Service ranked hospitals as one of the sectors most vulnerable to cyber attacks. In a press release, Moody’s Managing Director Derek Vadala said, “We view cyber risk as event risk that can have a material impact on sectors and individual issuers. Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers’ financial profiles and business prospects.”
Ensuring the Security of Patient Data
Healthcare organizations appear to be doing their part to ensure the safety of their patient and customer data. Recently, the Wall Street Journal’s Melanie Evans and Peter Loftus published a story about how hospitals are asking device makers to let them under the hood of their software to look for flaws and vulnerabilities – and opting out of doing business if they’re not granted access. The article cites how, in 2017, New York-Presbyterian dropped plans to buy infusion pumps manufactured by Smiths Group PLC after the Department of Homeland Security issued a warning that hackers could take control of pumps (a fix has since been released).
That same year, many hospitals were forced to cancel appointments and surgeries when their operations were stunted by WannaCry and NotPetya cyberattacks – so it’s no wonder hospitals began enlisting the help of cybersecurity pros, including penetration testers.
Evans and Loftus spoke with corporate counsel at Boston Scientific who noted that negotiations with hospitals are more complicated and drawn out than ever before as a result of cybersecurity demands.
Where Is the Gap in Modern Healthcare Supply Chain?
Given the sensitivity of the data involved, it’s reasonable for hospitals and healthcare IT companies to be more inquisitive. But it’s not just the healthcare-related technologies that they need to look into.
SOSS Vol. 9 shows that the financial industry while boasting the largest population of applications under test and with a reputation of maintaining some of the most mature AppSec programs, is struggling to meet AppSec standards. The industry ranks second to last in major verticals examined for OWASP pass rate on the latest scan, and based on flaw persistence analysis, it’s leaving flaws to linger longer than other industries do.
In order for hospitals and healthcare organizations to ensure the security of those they care for, they need to be able to trust that the third-party vendors and service providers that they enlist to take payments and process claims are taking the appropriate precautions when it comes to software security.
Awareness Begets Progress
In 2017, Veracode conducted research with YouGov to better understand how well business leaders understood the cybersecurity risks they are introducing to their company as a result of digital transformation and participation in the global economy. What we found was that awareness was low – even following the Equifax breach that occurred that year. The research showed that only 28 percent of respondents had heard of the attack.
Since then, we’ve seen a number of CEOs and other executives paying the price after a breach. Veracode CTO, EMEA, Paul Farrington, said it best:
“Ultimately, this is merely an extension of expectations on the C-Suite when responding to serious events. If CEOs violate environmental, health, or safety standards, they can be fined, and even jailed in many countries. Perfect security is not possible, but with data about our entire lives now being stored and processed by businesses, it is essential that employees and customers alike are afforded a certain standard of cybersecurity. When such standards aren’t met, there out to be accountability at a senior level.”
As healthcare organizations and hospitals are doing an increased level of due diligence before making a purchase or partnering with third parties, we can expect that other industries are likely to follow suit. Executives will begin to add security to their list of priorities because it will be demanded by the board in an effort to protect their brand and bottom line.