JUL 22, 2014 8:57am ET

3 Ways to Secure Healthcare’s Biggest IT Vulnerabilities


Electronic health records, related Web applications and patient portals are transformational programs supporting clinical excellence, improving efficiencies and slowing the rising cost of care. Few healthcare IT initiatives are likely to be as transformative.  

At the same time, these technologies present an array of new challenges, specifically around security.

With data breach headlines and regulatory enforcement actions looming, it is imperative that organizations include application security within their overall IT defense programs. Traditionally, healthcare organizations have had limited security resources, which has led to a heavy reliance on vendors or testing and validation tools. These do not adequately address the threats targeting web applications.

And the potential for a significant hack continues to climb despite efforts to keep network perimeters protected. Hackers are looking for the easiest way to penetrate the network. And they know one entry point is through a Web application that simply has not been properly coded. 

If this doesn’t have you shaking in your boots, maybe this will: The average total cost of a data breach increased 15 percent in the last year to $3.5 million, according to a Ponemon Institute report sponsored by IBM.

Much like network perimeter security, effectively mitigating application security issues requires a holistic approach that addresses education, process and quality assurance.

Here are three steps to take:

First, develop and implement policies, procedures and standards that specifically outline the expectations of custom coding.  These administrative items achieve several goals: They unify the development platform, clearly define expectations of coders -- whether they are internal or outsourced -- and they give the organization a benchmark against which to measure success.

Second, train and educate the developers who write the code, so that application security vulnerabilities are addressed from the start. Typically, application developers do not have extensive knowledge of networking or security because they are not taught these subjects in college or on the job. Instead, they generally interact with networking or security technologies through application programming interface (API) calls and libraries. The root cause of application security problems can be adequately addressed by training and educating developers on the proper use of the common APIs and libraries and teaching them how to avoid coding vulnerabilities into applications. Once trained and educated, developers more often than not embrace this knowledge and incorporate these secure practices into everything they code.

Finally, tie the developed code to a quality control and assurance process in order to mitigate application security vulnerabilities.  Quality control and assurance should minimally be applied to all custom coded applications that interact with the Internet and all critical custom applications that are internal to the organization. A large part of the quality control process should be a complete application security code review and scan.  This process subjects the code to analysis and review for well-known vulnerabilities, unused code and malicious code while paying close attention to the Open Web Application Security Project’s top 10 application security vulnerabilities.

Application security code review and scanning is a practice that few organizations can afford to do without. A portion of all remaining code should be subjected to the quality control and assurance process on a random basis to provide tracking measures for compliance with established policies, procedures and standards. As with any testing and validation activity, using standardization can increase the efficacy and efficiency of code reviews and scanning.

Healthcare organizations can significantly affect the overall posture of their web applications by following the same process traditionally used to address their network perimeter. They can encourage developers to embrace additional security training while also setting a benchmark to measure their organization’s performance.  

Once these holistic processes are integrated and operational, the general risks associated with custom coded applications can be more effectively managed.

Comments (2)
Good advice, hackers frequently steal important data and misuse them, which harms customers' trust in an organization. A security requirements analysis should be an integral part of the business plan to check these threats alongside conducting regular security audits. Just read a whitepaper; it offers useful information on the common security concerns for businesses and ways to mitigate them. Readers will find it interesting @ http://bit.ly/1c0f35M
Posted by williamson b | Wednesday, July 23 2014 at 9:30AM ET
This is a well-written article and driver for industry. I hope that Congress, Chief Innovation Officers, CTOs and CIOs, Chief Data Officers, industry and the Federal procurement process will be promoting the importance of security as a transformative mechanism for "supporting clinical excellence, improving efficiencies and slowing the rising cost of care". As our Federal government plans for current and future initiatives, it is important to recognize and mitigate the following security risks:
- For those Large Federal Health Programs (focused on security and integration)
o Security, Interoperability and conformance testing should be built into the entire software development lifecycle (agile)
o The importance of true independent (3rd party) testing
- For Health Systems and other Organizations
o Compliant Product (Vendors who prove their security and interoperability requirements)
o Proven Technical Stacks (challenges)

In our experience, we recognize a number of technical as well as organizational roadblocks to the successful exchange of information and its security.
- Here are some stories that stand out to us the most:
o Lack of an agile acquisition process/methodology
- Differentiated approach to the "validation of information or software through the use of automated tools and/or testing of the deliverables before they are purchased by the government"
- Ensuring that the vendor (Systems Integrators) has the capabilities to bring the full solution (pre-test before they buy the solution)
o Upwards of 7 Layers (challenges) to Security & Interoperability
o CIO control over their extended-IT Domain

How to ensure Security & Interoperability:
- Support Test Driven Development (TDD)
- Put the testing tools into the hands of the Developers during the development life cycle; do not test at the end, it's "Too Late"
- Testing should begin as soon as development
- Security and Functional (Conformance) Testing alone will not ensure Interoperability with External Partners
- Focus towards testing Specifications, and ensuring forwards and backwards compatibility
- Secure Gateway-to-Gateway communications

Focus on the importance of security, testing for interoperability and standards conformance in the electronic exchange of information. Stakeholders have the opportunity to mobilize the vendor community to participate in the building and testing of transformative healthcare IT initiatives while promoting innovation in government. Some proposed strategies to consider the success of Security, Interoperability and Innovation in Government should include:
- Support Automated Platform for Test Case Execution
- Document Best Practices for Audits and Work Flow Lifecycle of Testing
- Support an Environment for Re-Use of Testing Tools/Test Cases
- Promotion Beyond "Happy Path Testing" (peer-to-peer), ensure Negative Testing
- Promote Industry Reporting Metrics on how well their products and services ensure security & interoperability and not vendor lock-in.

I'm happy to discuss further if you feel a conversation would better convey my message. Thank you.

Barry Dickman
AEGIS.net, Inc.
Senior Consultant
barry.dickman@aegis.net
Posted by BID1919 | Thursday, July 24 2014 at 3:58PM ET