At the same time, these technologies present an array of new challenges, specifically around security.
With data breach headlines and regulatory enforcement actions looming, it is imperative that organizations include application security within their overall IT defense programs. Traditionally, healthcare organizations have had limited security resources, which has led to a heavy reliance on vendors or testing and validation tools. These do not adequately address the threats targeting web applications.
And the potential for a significant hack continues to climb despite efforts to keep network perimeters protected. Hackers are looking for the easiest way to penetrate the network. And they know one entry point is through a Web application that simply has not been properly coded.
If this doesn’t have you shaking in your, boots maybe this will: The average total cost of a data breach increased 15 percent in the last year to $3.5 million, according to a Ponemon institute report sponsored by IBM
Much like network perimeter security, effectively mitigating application security issues requires a holistic approach that addresses education, process and quality assurance.
Here are some three steps to take:
First, develop and implement policies, procedures and standards that specifically outline the expectations of custom coding. These administrative items achieve several goals: They unify the development platform, clearly define expectations of coders -- whether they are internal or outsourced -- and they give the organization a benchmark against which to measure success.
Second, train and educate developers who write the code in order to initially address application security vulnerabilities. Typically, application developers do not have extensive knowledge in networking or security because they are not taught these subjects in college or on the job. Instead they generally interact with networking or security technologies through the use of application programming interface (API) calls and libraries. The root cause of application security can be adequately addressed by training and educating developers on the proper use of the common APIs and libraries and teaching them how to avoid coding application vulnerabilities into applications. Once trained and educated, developers more often than not embrace this knowledge and incorporate these secure practices into everything they code.
Finally, tie the developed code to a quality control and assurance process in order to mitigate application security vulnerabilities. Quality control and assurance should minimally be applied to all custom coded applications that interact with the Internet and all critical custom applications that are internal to the organization. A large part of the quality control process should be a complete application security code review and scan. This process subjects the code to analysis and review for well-known vulnerabilities, unused code and malicious code while paying close attention to the Open Web Application Security Project’s top 10 application security vulnerabilities.
Application security code reviews and scanning is a practice that few organizations can afford to do without. A portion of all remaining code should be subjected to the quality control and assurance process on a random basis to provide tracking measures for compliance with established policies, procedures and standards. As with any testing and validation activity, using standardization can increase the efficacy and efficiency of code reviews and scanning.
Healthcare organizations can significantly affect the overall posture of their web applications by following the same process traditionally used to address their network perimeter. They can encourage developers to embrace additional security training while also setting a benchmark to measure their organization’s performance.
Once these holistic processes are integrated and operational, the general risks associated with custom coded applications can be more effectively managed.