Application Security Considerations for Healthcare
Q. How does healthcare, as an industry, compare for application security risk to other industries?
Based on the recent report “State of Software Security,” healthcare has the largest percentage of applications with poor cryptography and near the largest prevalence of information leakage. These data points are both problematic given the number of healthcare applications that deal with sensitive patient data. On average, our first scans of applications from companies in the healthcare industry return the lowest pass rate against a standard industry policy of application security. (We use a common benchmark of Web application vulnerabilities called the OWASP Top 10 to determine what passing is.)
Why does healthcare seem to be disproportionately the target of ransomware attacks, and what can be done about it?
To understand why somebody would attack healthcare organizations using ransomware as their strategy, you have to know what the motivation of the attacker is. Ransomware is typically not the weapon of choice for cyberattackers trying to make a political point (such as hacktivist groups like Anonymous). Rather, state-sponsored attacks tend to leverage advanced persistent threats to get lots of intellectual property out of an organization. Cyberattackers using ransomware are basically just looking to get money directly from their victims. These attacks typically start with an Internet scan for some sort of low-hanging vulnerability. When found, cyberattackers then use pre-made exploits to breach the system. These cyberattackers don't typically need to get a lot of money from each ransomware attack, because they’re conducting these attacks at scale. Healthcare is especially vulnerable to these attacks because of the poor security of the applications, the high sensitivity of the data, and the cost of the interruption in IT services to the business. Most hospitals or other healthcare organizations would rather pay a ransom than have patients die because critical hospital IT systems were unavailable.
There are no easy answers for what to do about ransomware. Healthcare needs to invest deeply in information security at every layer, especially the application layer, and include vendor-provided applications in their security planning.
Q. What are some obstacles preventing healthcare organizations from addressing application security?
The budget for security in the healthcare industry is lower on average than in any other industry as a share of the total budget. Also, there are lot of information and medical systems connected to the typical healthcare institution’s network that are essentially black boxes from the point of view of the IT department. They're provided by a vendor, and they have a very specific mission, but they're not necessarily built for IT manageability. In fact, we’ve heard about systems in clinical environments that can't even receive a network ping (a common connectivity test) because there's a problem in the network stack on the device and receiving a ping would actually knock the device offline and make it inoperative. That's a consequence of another structural factor in healthcare; in other industries, IT has a lot of input in the purchase process for information technology, and in healthcare a lot of information technology is purchased at the clinical level and, again, the priority is on the medical capabilities rather than security.
Q. What are practical things that healthcare organizations can do to start securing the software running in their organizations?
One thing that is relatively simple and under the control of a healthcare IT organization is to use automated security testing for internally built software, to try and identify and drive out the vulnerabilities that are being introduced during the development process. There are some very good options available to help development teams find vulnerabilities that are introduced before the developer even checks in the code. The second thing, which is harder, is to include security requirements in the medical software purchase process. These security features should be part of the contractual requirement of doing business with the hospital or healthcare organization, and should follow common practices from other industries. As an example, the financial services industry has a pretty robust set of recommendations for measuring the security of an application before purchasing it, and for measuring the security practices of vendors. We’re starting to see some larger healthcare institutions put similar practices in place in their software purchasing processes, and honestly I think that's something that would make a substantial difference. This doesn’t even have to be an elaborate security verification; for instance, organizations could use a simple questionnaire and then conduct third-party testing of applications they are purchasing.