HIPAA Not Helping: Healthcares Software Security Lagging

The latest Building Security in Maturity Model (BSIMM) study illustrates the long learning curve for secure coding initiatives.

Healthcares cybersecurity ills are well-known, and a new study of enterprise secure software development shows just how far that sector lags behind other industries.
The new Building Security in Maturity Model (BSIMM) study published today, BSIMM6, found healthcare organizations scored much lower than their counterparts in the financial services, independent software vendor, and consumer electronics industries, when it comes to internal software security programs and practices. BSIMM6 studied more than 100 enterprises including 10 firms in healthcare. Six of those healthcare firms--Aetna, ANDA, McKesson, The Advisory Board Company, Siemens and Zephyr Health--agreed to be named as part of the study, which is headed up by software security firm Cigital Inc. with the help of NetSuite.
This was the first time healthcare has been measured in the BSIMM, which studies how organizations run their software security programs in-house and provides benchmark information that organizations can use to measure their programs maturity against those of other organizations. Among the areas BSIMM measures are governance (compliance and policy, metrics, training, for example); intelligence (attack models and intelligence, building and publishing of security features and design in software, for example); secure software development lifecycle (security feature review, automated tools, for example); and deployment (penetration testing, app input monitoring, and configuration and vulnerability management, for example).
Healthcare overwhelmingly scored lower than financial services firms, ISVs, and consumer electronics firms, which include some Internet of Things providers.
HIPAA isnt helping healthcare security, says Gary McGraw, CTO at Cigital. All it did was increase bureaucracy and the tiny print stuff handed out each time you go to the doctor. It over-focused the healthcare domain on privacy and patient privacy data, which is an important thing. But there are many other aspects of security that have little to do with privacy.
Health Insurance Portability and Accountability Act compliance programs and auditors gave many healthcare organizations a false sense of their security, he says. I think they thought they were covered by [HIPAA].
McGraw says averaging all 78 firms scores in BSIMM6 showed healthcare behind in all 12 software security practices. Thats the first time weve ever seen that in the BSIMM, he says.
Its been a tough year for healthcare organizations when it comes to security, starting with the
massive breach of Anthem
and
other insurers
, as well as that of
UCLA Health
.
A recent study
by Raytheon and Websense found that healthcare organization are two times more likely to be hit with a data breach than other verticals, and currently experience 3.4 times more security incidents. In another study by Trend Micro, nearly 27% of data breaches reported over the past decade occurred in the healthcare sector, and healthcare was the hardest hit by identity theft in the past 10 years, with 44.2% of those cases caused by insider leaks.
Meanwhile, more than 90% of technical people in the healthcare profession believe cyber criminals are targeting healthcare, but just 10% or less of their IT budget is earmarked for information security, according to a survey by Trustwave.
Even so, the fact that 10 large healthcare organizations opted to participate in BSIMM is the good news here: that means that at least 10 are working on their secure coding programs.
Im optimistic that ten companies are spending time understanding where they are … I applaud them for doing that, says Jim Routh, chairman of the NH-ISAC, the healthcare industrys threat information-sharing exchange, and chief information security officer at Aetna Global Security, which was one of the 10 healthcare firms to participate in BSIMM6. That is good news from my perspective.
Routh says awareness and understanding of software security is increasing in healthcare, but remains relatively low compared to other BSIMM industry sectors.
Healthcare firms typically face a lack of security staff and resources amid a constantly evolving threat landscape, according to Routh. They feel more constrained [in] the adoption of a program for software security, he says.
BSIMM is a great program that gives [you] a baseline. If healthcare companies like Aetna want to measure their [software] security against financial services and ISVs--which is exactly what we do, then they can do so with BSIMM, he says. Aetnas software security program is relatively mature, he notes.
But not all BSIMM activities make sense for all organizations. Routh points out that creating a bug bounty program isnt something he would do at his firm, for example. In our business of healthcare, it makes no sense at all, he says. Aetna instead relies on penetration testing and security services from Synack, he says, rather than establishing a bug bounty program.
Other companies that were studied in
BSIMM6
are Adobe, Autodesk, Bank of America, Black Knight Financial Services, BMO Financial Group, Box, Capital One, Citigroup, Comerica, Cryptography Research, Depository Trust and Clearing Corporation, Elavon, EMC, Epsilon, Experian, Fannie Mae, Fidelity, F-Secure, HP Fortify, HSBC, Intel Security, JPMorgan Chase & Co., Lenovo, LinkedIn, Marks & Spencer, NetApp, NetSuite, Neustar, Nokia, PayPal, Pearson Learning Technologies, Qualcomm, Rackspace, Salesforce, Sony Mobile, Symantec, The Home Depot, TheTrainline.com, TomTom, U.S. Bancorp, Vanguard, Visa, VMware, and Wells Fargo.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015.
Click here
for more information and to register.

Last News
▸ Google increases bug bounty rewards. ◂ Discovered: 26/12/2024 Category: security	▸ Microsoft and FBI shut down thousands of Citadel Botnets. ◂ Discovered: 26/12/2024 Category: security	▸ China accuses America of hacking them as well. ◂ Discovered: 26/12/2024 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
HIPAA Not Helping: Healthcares Software Security Lagging