The State of Web and Mobile Application Security in Healthcare
HIMSS Analytics study sheds light on where the industry stands, where it needs to go
Given the widespread adoption of electronic health record (EHR) systems and health IT generally, healthcare organizations now are faced with the daunting challenge of securing these systems to keep patients safe, data secure and systems running efficiently.
The problem: The detailed data in EHRs and other applications is a hot commodity, making organizations particularly vulnerable to cyberattacks. In fact, the number of breaches has grown from 2.7 million in 2012 to more than 94 million through the first half of 2015, according to the U.S. Department of Health and Human Services. Recent “mega breaches” have resulted in 78.8 million records being exposed at one health organization, 11 million at another and 4.5 million at a third.1 This flurry of breaches can be attributed to the poor state of cybersecurity across the healthcare industry, brought about by the rapidly expanding IT footprint, a bottoms-up culture where centralized security policies are difficult to enforce, and the impact of a significant skills gap.
These problems are compounded by the fact that healthcare data has become highly sought after by cybercriminals. The black-market value of information contained in healthcare records is significant: an individual healthcare record brings up to $50, 10 times as much as a stolen credit-card number.2 Healthcare data is a lot more valuable than other types of data because it has all the components criminals need, such as the patient’s mother’s maiden name, date of birth, billing information and diagnosis codes, among other sensitive data. Unlike simple credit-card data, criminals can use stolen healthcare data for a wide variety of activities, including committing insurance fraud, purchasing medical equipment and obtaining controlled substances.
Donald Good, deputy assistant director of the Federal Bureau of Investigation’s cyber division, recently told an audience at the HIMSS Connected Health Conference in Washington, D.C., that healthcare data contains a “treasure trove” of information for cybercriminals. “For a number of years, folks I think realized there was a threat out there, but it wasn’t as pervasive as it is today. It’s not a question of whether or not you’ve been compromised. You will be compromised at some point,” said Good, who called the current cyberthreat environment the “most dynamic and complex that we have ever seen.”3
Two-thirds of the provider organizations that participated in the 2015 HIMSS Cybersecurity Survey reported that they have experienced a security incident. What’s troubling is the fact that most healthcare leaders seem surprised by how sophisticated and persistent cybercriminals can be. “I don’t think anyone was prepared for the level of cyber threats we’re seeing,” said Lisa Gallagher, vice president of technology solutions for HIMSS. “What we saw in the most recent attacks made a lot of us rethink how secure our systems are.”4 The impact on healthcare providers is plain, as we’ve seen massive breaches that have led to a drop in provider credit ratings by leading firm Moody’s.5
What’s even more disconcerting is the fact that security matters in healthcare might get worse before they get better, according to Chris Wysopal, CTO and CISO of Veracode. “The value of medical information, ramp-up in nation-state activity and complex bottoms-up culture is creating a perfect storm of cyberthreats targeting healthcare in 2016 and 2017,” he said.
With such threats looming, healthcare organizations need to up their security game. A new HIMSS survey, conducted on behalf of Veracode, of more than 200 healthcare IT executives working at provider organizations across the country reveals valuable insight into the state of application security in healthcare today. Results from The State of Web and Mobile Application Security in Healthcare specifically shed light on:
• Where organizations are in relation to application security
• The challenges that they face as they develop and implement application-security strategies
• Their plans regarding investments in application-security technologies and training
• Projected strategies related to the policies and programs needed to enforce web- and mobile-application security
Fear of Application Vulnerabilities Being Exploited is #1 Concern
Not surprisingly, one of the top worries of healthcare organizations is how easily cyberattackers can exploit vulnerabilities in web, mobile and cloud-based applications. In fact, this worry ranked highest, over employee negligence/malicious insiders and phishing attacks on employees (see Figure 1).
Data from actual code-level analysis of billions of lines of code conducted by Veracode shows that 80 percent of healthcare applications exhibit cryptographic issues, such as weak algorithms, upon initial assessment. Given the large amount of sensitive data collected by healthcare organizations, this is quite concerning. In addition, healthcare fares worse than the vast majority of other industries when it comes to remediation, with only 43 percent of known vulnerabilities being remediated. The impact of such breaches weighs heavily on the minds of healthcare leaders as well, as survey respondents cited loss of life due to compromised networks or medical devices, brand damage due to theft of patient information and regulatory enforcement as their top three security-related fears (see Figure 2).
Understanding the nature of security threats is the first step in creating an effective defense. According to The State of Web and Mobile Application Security in Healthcare, healthcare organizations’ most pressing threat motivators lie in identity theft/medical insurance fraud and theft of personal health information by nation states for espionage and/or extortion purposes.
Figure 2. Top security-related fears, ranked by survey respondents:
1. Loss of life due to compromised networks or medical devices (pacemaker, drug pump, etc.)
2. Brand damage due to theft of sensitive patient information
3. Regulatory enforcement (HIPAA, PCI, etc.)
4. Costs of responding to a breach (forensics, cleanup, credit reporting, etc.)
5. Class-action lawsuits following a breach
“If you understand how the information can be used, then you quickly can understand how personal health information can be of a higher value than credit-card information to nation-state attackers,” Wysopal pointed out. “Credit-card information is not worth much on the black market. Criminals can make so much more money through identity theft and by extorting personal health information.”
Understanding how hackers gain access to data also is key to developing a solid defense. To start, leaders need to become cognizant of the risks associated with applications themselves, as Lee Kim, JD, director of privacy and security at HIMSS, pointed out. “With all applications, there is the worry of the vulnerability being in the application itself,” she said. “When the application was built, was it built with security in mind, or was it an application that was designed quickly and security concerns were overlooked? Leaders need to ask – and get answers to – these types of questions.”
Considering that most applications are pieced together from open-source components and libraries, understanding the risks is essential. The Heartbleed vulnerability, for example, should serve as a wake-up call about the importance of understanding how an application is built. This 2014 vulnerability in the commonly used open-source cryptography library OpenSSL is still found in deployed systems. Any server or website using a vulnerable version of OpenSSL is at risk of having a variety of data exposed, including private keys, usernames and passwords, session cookies and other sensitive data from users connecting to the service.
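The Heartbleed example above comes down to knowing which OpenSSL release each component ships. As an added illustration (not code from the white paper, HIMSS or Veracode), the check below parses an `openssl version` banner and flags the releases affected by Heartbleed (CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1). It assumes the version string is truthful; distributions that backport the fix without changing the version make this an inventory-level first pass, not proof of exposure, so confirm against the vendor's package advisory.

```python
import re
import subprocess

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1. It was fixed in 1.0.1g; the 1.0.0 and 0.9.8 branches
# never contained the heartbeat code and are not affected.
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)


def parse_openssl_version(banner):
    """Return (major, minor, fix, patch_letter, beta) or None if unparseable.

    Accepts banners such as 'OpenSSL 1.0.1f 6 Jan 2014' or 'OpenSSL 3.0.2 15 Mar 2022'.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter.lower(), (int(beta) if beta else None)


def heartbleed_status(banner):
    """Classify a version banner: 'vulnerable', 'not-affected-by-version' or 'unknown'.

    'not-affected-by-version' is deliberately cautious wording: a vendor may have
    backported the fix into an older version string (false positive), and a version
    check says nothing about other, later OpenSSL issues.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter, beta = parsed
    # 1.0.1 (empty letter) through 1.0.1f; "" sorts before "f" so bare 1.0.1 is included.
    if (major, minor, fix) == (1, 0, 1) and letter <= "f":
        return "vulnerable"
    if (major, minor, fix) == (1, 0, 2) and beta == 1:
        return "vulnerable"
    return "not-affected-by-version"


def local_openssl_status():
    """Run the local 'openssl version' command and classify its banner."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return heartbleed_status(proc.stdout)


if __name__ == "__main__":
    print("local OpenSSL:", local_openssl_status())
```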
Healthcare Providers are Scared of Liability
Liability over a breach is top of mind for healthcare providers, and much activity is being planned to address their exposure should a breach occur. To meet liability requirements, 57 percent of survey respondents say they are increasing spending on external security assessments, such as code audits. Another 56 percent are inserting liability clauses into contracts with commercial-software vendors to lessen the risk of exposure from their software supply chain. And more than half are implementing standard frameworks such as the SANS Institute Security Controls as a means to create a baseline security posture from which future improvements can be benchmarked (see Figure 3). “In general, we are seeing an uptick in liability lawsuits where people are harmed from a breach – either financially, reputationally or physically,” Wysopal said. “These suits are popping up in a variety of industries.”
The most recent example is that of Wyndham Worldwide. For those unfamiliar with the case, the FTC alleged that the global hotel chain had violated Section 5 of the FTC Act by failing to employ reasonable data-security measures, including the use of vulnerable out-of-date software,6 which in turn led to a breach involving sensitive customer information. According to the complaint, these failures resulted in more than $10 million of fraudulent charges on consumers’ credit and debit cards, as well as the transfer of hundreds of thousands of consumers’ account information to a website registered in Russia. Wyndham Worldwide contested these claims by challenging the FTC’s authority to regulate companies’ data-security standards. In December 2015, the courts ruled with the FTC, opening the door for further enforcement of such standards in other industries.7
While the healthcare space is accustomed to legal action surrounding malpractice, liability tied to poor IT security is new and the challenge will be implementing systems that allow for “due care” to be followed in avoiding a breach.
Action Needed Toward ‘Due Care’
To ensure security, healthcare organizations need to invest in web- and mobile-application security initiatives. According to the HIMSS/Veracode survey results, 80 percent of survey respondents do not have policies or automated controls governing the use of open-source components in applications.
As healthcare organizations move toward using applications from third-party developers, they need to ensure that these applications properly protect data. Auditing applications, however, is a labor-intensive endeavor. The commonly used practice of manual penetration testing requires highly skilled professionals to spend days if not weeks looking for code vulnerabilities that could be exploited in the software. That’s why 67 percent of organizations are turning to automated assessment of code, which is used to discover potential vulnerabilities, according to the HIMSS/Veracode survey results.
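The automated code assessment described above, and the weak-algorithm findings cited earlier in the paper, can be illustrated with a lightweight pattern-based scan of the kind such tooling builds on. The example below is added here and is not HIMSS's or Veracode's code; its sample source and rule list are constructed for illustration, and a production scanner would parse the code rather than match text.

```python
import re

# Constructed sample "application source" (not from the page): three weak-crypto
# usages plus one commented-out line that a scanner should not report.
SAMPLE_SOURCE = """\
import hashlib, random
def store_password(pw):
    return hashlib.md5(pw.encode()).hexdigest()
# cipher = DES.new(key, DES.MODE_ECB)   # commented out: not a finding
cipher = AES.new(key, AES.MODE_ECB)
session_id = str(random.random())
digest = hashlib.sha256(data).hexdigest()
"""

# Each rule pairs a pattern with the remediation a reviewer would suggest.
# Case-insensitivity is applied per rule so 'DES' does not fire on words like 'describe'.
WEAK_RULES = [
    (re.compile(r"\b(md5|md4|sha-?1)(?!\d)", re.IGNORECASE),
     "weak hash: use SHA-256; for passwords use bcrypt, scrypt or Argon2"),
    (re.compile(r"\b(DES|3DES|RC4|ARC4|RC2|Blowfish)\b"),
     "legacy cipher: use AES-GCM or ChaCha20-Poly1305"),
    (re.compile(r"\b(MODE_ECB|ECB)\b"),
     "ECB mode leaks plaintext patterns: use an authenticated mode such as GCM"),
    (re.compile(r"\b(random\.random|Math\.random|java\.util\.Random)\b"),
     "non-cryptographic RNG for a security value: use secrets, os.urandom or SecureRandom"),
]
COMMENT_PREFIXES = ("#", "//", "/*", "*")


def scan_source(source):
    """Return [(line_no, matched_text, message)] for weak-crypto usage in source.

    Whole-line comments are skipped so dead code does not inflate the findings.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith(COMMENT_PREFIXES):
            continue
        for rule, message in WEAK_RULES:
            for match in rule.finditer(line):
                findings.append((line_no, match.group(0), message))
    return findings


def summarize(findings):
    """Roll findings up into the counts a remediation tracker would record."""
    return {"total": len(findings), "lines": sorted({f[0] for f in findings})}


if __name__ == "__main__":
    for line_no, text, message in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {text!r}: {message}")
```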
When organizations build software applications, they need to make sure that security is a top concern. “The people building the software are typically competent engineers who are building high-quality, high-performance software. However, unless they have received training in web- and mobile-application security, they are probably unaware that applications should be written in a certain way to eliminate vulnerabilities. All developers should receive training in web- and mobile-application security, no matter what language they are developing in,” Wysopal said.
What’s more, as healthcare professionals now use all kinds of mobile technologies, leaders need to pay close attention to the security of data touched by mobile applications. Encryption is used most frequently to secure data on mobile devices, as it is currently leveraged by 81 percent of organizations. In addition, some trailblazing organizations are taking their precautions a step further by tapping into a variety of best practices such as the use of mobile-device management solutions (69 percent), participation in application blacklisting and/or whitelisting based on security/privacy ratings (39 percent) and the prohibition of personal devices from connecting to hospital networks (29 percent).
Wysopal suggests that organizations also test medical devices and hold vendors accountable for security gaps. Many medical devices, including MRI scanners, x-ray machines and drug infusion pumps, are vulnerable to hacking, creating significant health risks for patients. In August of 2015, the FDA and Department of Homeland Security issued a statement that “strongly encouraged” healthcare facilities to discontinue the use of Hospira’s Symbiq infusion pump over software vulnerabilities that could potentially put patients’ lives at risk.7
“You might think ‘why would someone want to break into grandma’s infusion pump?’” Wysopal posed. “The Internet of Things is particularly an issue in the healthcare space where so many connected devices exist and offer criminals a pathway to collect data for use as ransom or – more likely – through which they can access the facility’s network the device connects to.”
Push to Address Bottoms-Up Culture
One of the biggest challenges healthcare organizations face is addressing the fact that most of the power is held by the doctors themselves, rather than in a centralized manner.
Produced by | www.himssmedia.com | © 2016
Copyright © 2006-2016 Veracode, Inc. All Rights Reserved. All other brand names, product names, or trademarks belong to their respective holders.
This bottoms-up culture means that it becomes very difficult for a CISO to implement consistent controls across all business units and departments, resulting in serious vulnerability issues for the organization.
Some healthcare organizations have already started to push to address this challenge by making security a top institutional priority, with 65 percent reporting investment in security technologies that enable governance policy enforcement; 51 percent investing in training initiatives to educate department heads about cybersecurity; and 44 percent pushing the CEO to be an advocate for central IT-security policy across all departments (see Figure 4). Despite the progress made, significant hurdles remain. What’s most disconcerting, perhaps, is the fact that many organizational leaders have not yet upped their security investments. According to the survey respondents, the lack of budget and attention from senior management is the top challenge that organizations face when addressing web- and mobile-application security.
“Until there are big breaches and something hits close to home, organizations typically stay away from making big investments in security. We have seen that in every industry. Healthcare is no exception. With a number of big breaches being reported in 2015, however, we will probably now start to see some changes,” Wysopal said.
As healthcare organizations move in this direction and face web- and mobile-application security risks head on, they will need to make the monetary and time investments required to arrive at an understanding of the risks that cyberattackers pose to their organization. Then they will need to take action by developing application-security policies, supporting security training and implementing application-security technologies that can protect all of the electronic data that they have worked so hard to amass in recent years on behalf of delivering high-quality, more-efficient care.