Server configuration is the top healthcare software vulnerability, followed by information leakage and cryptographic issues, according to Veracode’s State of Software Security (SOSS) study.
Other top vulnerability categories for healthcare include faulty deployment considerations, cross-site scripting flaws, credentials management issues, and code quality problems.
“The highly regulated healthcare industry got high marks in many of this year’s SOSS metrics,” the report noted.
Healthcare scored highest on the percentage of applications passing a policy based on the OWASP Top 10, widely treated as the baseline for software security best practice. 55.3 percent of healthcare apps passed the OWASP Top 10 check, compared with 27.7 percent of applications across all industries, based on scans conducted by Veracode.
“Flaw persistence analysis shows that when looking at all found vulnerabilities, this industry is statistically closing the window on app risk more quickly than any other sector,” the report concluded.
The report offered four key takeaways for security professionals, app developers, and business executives from its analysis of software security across industries.
First, the faster organizations close software vulnerabilities, the less risk applications pose over time.
Second, organizations need to prioritize which software security flaws to fix first, given the sheer volume of open software flaws. “While many organizations are doing a good job prioritizing by flaw severity, data this year shows that they’re not effectively considering other risk factors such as the criticality of the application or exploitability of flaws,” the report noted.
Third, DevSecOps has a positive effect on software security. The more often an organization scans its software per year, the faster security fixes are made. “The frequent, incremental changes brought forth by DevSecOps make it possible for these teams to fix flaws lightning fast compared to the traditional dev team,” it noted.
Fourth, organizations are still struggling with vulnerable open source components in their software. “As organizations tackle bug-ridden components, they should consider not just the open flaws within libraries and frameworks, but also how those components are being used,” the report observed.
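The report's point that a vulnerable library matters less when the application never touches the affected code is easy to operationalize. The following is an added example, not code from Veracode or from the report: it reads a pinned lockfile, matches it against an advisory feed, and then checks whether the application source actually references the affected symbol before ranking the findings. Every package name, version, advisory and source line is constructed for the example; none refers to real software or a real vulnerability, and the reachability check is a textual heuristic, not a call graph.

```python
"""Added example, not from the Veracode report: flag vulnerable pinned components
and check whether the application actually references the affected symbol.

Every package name, version, advisory and source line below is constructed for
the example; none refers to real software or a real vulnerability.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str       # hypothetical package name
    fixed_in: tuple    # first version that is not affected
    symbol: str        # dotted symbol whose use makes the flaw reachable
    severity: str


# Constructed advisory feed (hypothetical packages, not real CVEs).
ADVISORIES = [
    Advisory("exampleyaml", (5, 4), "exampleyaml.unsafe_load", "high"),
    Advisory("examplehttp", (2, 1, 0), "examplehttp.follow_redirects", "medium"),
    Advisory("exampletemplate", (3, 0), "exampletemplate.render_string", "high"),
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed lockfile and application source for the example.
REQUIREMENTS = """
# pinned dependencies (constructed)
exampleyaml==5.1
examplehttp==2.2.0
exampletemplate==2.9
"""
APP_SOURCE = """
import exampleyaml
from exampletemplate import render_string

def load(config_text):
    return exampleyaml.safe_load(config_text)   # the safe API of the library

def page(user):
    return render_string(user["template"])      # the affected symbol is in use
"""


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    """Collect name==version pins; comments and other specifiers are ignored."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if m:
            pins[m.group(1).lower()] = (m.group(2), parse_version(m.group(2)))
    return pins


def symbol_referenced(source, dotted):
    """Textual heuristic, not a call graph: the symbol is used as module.name
    or imported by name. Enough to separate 'present' from 'in use'."""
    module, _, name = dotted.rpartition(".")
    direct = re.search(rf"\b{re.escape(dotted)}\b", source)
    by_import = re.search(
        rf"^\s*from\s+{re.escape(module)}\s+import\s+[^\n]*\b{re.escape(name)}\b",
        source, re.M)
    return bool(direct or by_import)


def triage(requirements, source, advisories=ADVISORIES):
    """Return vulnerable pinned components, reachable ones first, then by severity."""
    pins = parse_requirements(requirements)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv.package)
        if pinned is None or pinned[1] >= adv.fixed_in:
            continue  # not present, or already at a fixed version
        findings.append({
            "package": adv.package,
            "installed": pinned[0],
            "severity": adv.severity,
            "reachable": symbol_referenced(source, adv.symbol),
        })
    findings.sort(key=lambda f: (not f["reachable"], SEVERITY_RANK[f["severity"]]))
    return findings


if __name__ == "__main__":
    for finding in triage(REQUIREMENTS, APP_SOURCE):
        print(finding)
```

Run as-is, the constructed lockfile yields two vulnerable components: the template library is ranked first because its affected function is imported and called, while the YAML library, pinned to a vulnerable version but used only through its safe API, is ranked below it. The HTTP library is already at a fixed version and does not appear.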
A major software security concern for healthcare organizations is securing application programming interfaces (APIs). The June 2018 HIMSS Healthcare and Cross-sector Cybersecurity Report warned that attackers will increasingly exploit APIs to gain access to healthcare organizations and steal sensitive data.
API attack vectors include man-in-the-middle attacks, session cookie tampering, and distributed denial of service (DDoS) attacks, the report noted. Each maps to a distinct control: TLS with proper certificate validation for the first, integrity-protected session tokens that the server verifies on every request for the second, and rate limiting and upstream traffic filtering for the third.
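Session cookie tampering, as named above, succeeds when an API trusts claims the client can edit. The following added example (not code from HIMSS or from any product the report discusses) shows a cookie that carries its claims in the clear beside one whose claims are bound to an HMAC under a server-side key, with a helper that simulates a client editing the role field. The key, the claims and the expiry values are constructed for the example.

```python
"""Added example, not from the HIMSS report: detecting session cookie tampering.

An unsigned cookie carrying claims can be rewritten by the client. Binding the
claims to an HMAC-SHA256 tag under a server-side key makes any edit detectable.
The key and session contents below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret; in practice load it from a secret store.
SERVER_KEY = b"constructed-example-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_unsigned(claims: dict) -> str:
    """Weak form: claims only, no integrity protection."""
    return _b64(json.dumps(claims, sort_keys=True).encode())


def read_unsigned(cookie: str) -> dict:
    """Weak form: the server believes whatever the client sends."""
    return json.loads(_unb64(cookie))


def issue_signed(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Hardened form: payload.tag, where tag = HMAC-SHA256(key, payload)."""
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def read_signed(cookie: str, key: bytes = SERVER_KEY, now=None) -> Optional[dict]:
    """Return the claims only if the tag verifies and the session is unexpired."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        claims = json.loads(payload)
    except ValueError:  # malformed base64 or JSON, or missing separator
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def tamper(cookie: str, **changes) -> str:
    """Simulate a client editing the claims inside an existing cookie."""
    parts = cookie.split(".", 1)
    claims = json.loads(_unb64(parts[0]))
    claims.update(changes)
    parts[0] = _b64(json.dumps(claims, sort_keys=True).encode())
    return ".".join(parts)  # the old tag, if any, is kept as-is


if __name__ == "__main__":
    session = {"sub": "patient-42", "role": "patient", "exp": 2_000_000_000}
    weak = issue_unsigned(session)
    print("unsigned, tampered role accepted:", read_unsigned(tamper(weak, role="clinician"))["role"])
    strong = issue_signed(session)
    print("signed, tampered cookie rejected:", read_signed(tamper(strong, role="clinician")) is None)
```

The HMAC gives integrity, not confidentiality: the claims remain readable by the client, so sensitive data belongs server-side, keyed by an opaque session identifier. The signature also does nothing against a man-in-the-middle who can read the cookie off the wire, which is why the cookie must still be sent only over TLS and marked Secure and HttpOnly.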
To address the risks that unsecured APIs pose for healthcare, the American Hospital Association (AHA) recommended that stakeholders in the mobile healthcare environment develop a secure app ecosystem for sharing health data.
“To ensure a robust, secure set of tools for individuals to engage with hospitals and health systems via apps, stakeholders will need to work together to build an app ecosystem that is based on a rigorous and continuous vetting process that takes into account evolving risks. This could be done in the public sector, through certification, or through a public-private partnership,” AHA said.
AHA cited the example of the Payment Card Industry Data Security Standard (PCI DSS), which is an industry-developed standard that includes security requirements companies must adhere to if they want to process credit and debit cards.
The federal government should also develop a consumer education program to make it clear that commercial providers of health apps may not be subject to the HIPAA Privacy Rule, according to the association.
“Commercial app companies generally are not HIPAA-covered entities. Therefore, when information flows from a hospital’s information system to an app, it likely no longer will be protected by HIPAA,” said AHA.
“Most individuals will not be aware of this change and may be surprised when commercial app companies share their sensitive health information obtained from a hospital, such as diagnoses, medications or test results, in ways that are not allowed by HIPAA,” the association noted.