Healthcare Security Benchmarked for First Time

Healthcare is lagging behind other industries in the sophistication of internal software security programs and practices. What are the reasons behind the shortfalls?
When it comes to internal software security programs and practices, the healthcare industry is lagging behind its counterparts in the consumer electronics, financial services, and independent software vendor industries.

That’s the finding of a new Building Security in Maturity Model (BSIMM) study, a data-driven measurement tool for evaluating software security initiatives, which for the first time measured healthcare organizations. Data for the latest version of the BSIMM model was captured by application security firm Cigital, which also is a major sponsor of the initiative.

BSIMM evaluates how organizations run their in-house software security programs and provides benchmark information that organizations can use to assess their program’s maturity relative to other organizations.

Ten healthcare firms participated in the latest BSIMM study, including six that agreed to be identified: Aetna, ANDA, McKesson, The Advisory Board Company, Siemens and Zephyr Health. Overall, healthcare organizations scored lower than other industry groups in all 12 software security practices that were part of the evaluation criteria.

“The data, following on the heels of the Anthem and UCLA Health data breaches, confirm underlying issues in healthcare software security practices,” concludes the BSIMM6 report, the sixth iteration of the model which reviews 78 organizations drawn from multiple industries.

Gary McGraw, Cigital’s chief technology officer and an author of the BSIMM6 report, says the fact that the 10 organizations participating in the study are “doing software security at all puts them head and shoulders above most other healthcare firms.”

However, McGraw blames HIPAA for the healthcare industry’s general shortcomings in the area of internal software security programs and practices. “HIPAA caused healthcare firms for the most part to over-focus on patient data privacy and not spend enough time thinking about security,” he argues. “If the only concern you have when you’re building a medical device that may be implanted in somebody’s body is whether it leaks patient data, you’re not going to concern yourself with whether it can be hacked to injure or kill them.”

Not surprisingly, in a separate recent study the healthcare industry accounted for more than 20 percent of data breaches in the first half of 2015—the highest percentage of any industry.


“The focus needs to be on thinking about software security while you’re designing and building your modern systems,” McGraw asserts. “These days almost everything involves software, from devices to patient record systems to big databases. The notion of building security in while you’re creating the software in the first place is what the BSIMM is about.”

He recommends that healthcare organizations use the BSIMM model to measure how well their vendors are creating the software. “You can’t just penetration test the piece of software and tell whether it’s secure. You need to ask how it was actually constructed.”

But McGraw remains optimistic about the progress that the healthcare industry is making. “The good news is that healthcare can catch up quickly, and becoming a part of the BSIMM community is a great way to do that,” he says.

“The most interesting new vertical in BSIMM6 is healthcare, which is appreciably more nascent than the other three verticals,” concludes the report. “Simply put, healthcare firms are just getting started with software security. However, according to NH-ISAC (a healthcare industry security consortium), firms using BSIMM are further ahead than most of the other healthcare companies (many of which remain unaware of the need to address software security). Healthcare is likely to mature quickly now that software security has come into stark focus.”
