Today, Veracode released “The State of Web and Mobile Application Security in Healthcare,” made possible after Veracode, along with the Healthcare Information and Management Systems Society, surveyed 200 healthcare IT executives. The exploitation of vulnerabilities in apps was the greatest concern among those healthcare IT execs.
Veracode reported, “Survey respondents cited the potential for loss of life due to compromised networks or medical devices, brand damage due to theft of patient information and regulatory enforcement as their top fears related to such security breaches.” Those three fears of what could happen due to a cyber attack are followed by fears associated with: “Costs of responding to breach; class-action lawsuits following a breach;” and “Loss of revenue due to downtime following a breach.” Unlike credit card information sold on the black market, “Criminals can make so much more money through identity theft and by extorting personal health information,” said Chris Wysopal, the CTO and CISO at Veracode.
“If you understand how the information can be used, then you quickly can understand how personal health information can be of a higher value than credit-card information to nation-state attackers. The value of medical information, the ramp-up in nation-state activity and complex bottoms up culture is creating a perfect storm of cyber threats targeting healthcare in 2016 and 2017.” The fear of cyber thugs exploiting vulnerabilities in the web, mobile, and cloud-based apps is more worrying to healthcare organizations than user error like employee negligence, malicious insiders, and phishing attacks.
As Lee Kim, the director of privacy and security at HIMSS, pointed out, “With all applications, there is the worry of the vulnerability being in the application itself.”
“When the application was built, was it built with security in mind or was it an application that was designed quickly and security concerns were overlooked? Leaders need to ask – and get answers to these types of questions.” Although some people might not fully grasp the problem, the report states: Considering most applications are pieced together with open-sourced components and libraries, understanding the risks is essential.
The Heartbleed vulnerability, for example, should serve as a wake-up call for the importance of understanding how an application is built.
This vulnerability, disclosed in 2014, is still found in unpatched installations of the widely used open source cryptography library OpenSSL.
Any server or website using a vulnerable version of OpenSSL is at risk of having a variety of data exposed including private keys, usernames and passwords, session cookies and other sensitive data from users connecting to the service.
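Knowing which builds carry the flaw is the first step in "understanding how an application is built." The script below is an added example, not part of the Veracode report or the article: it screens `openssl version` banners against the upstream Heartbleed range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g, per the OpenSSL project's April 2014 advisory rather than this page) and carries the caveat a practitioner needs, namely that several Linux distributions backported the fix without changing the version letter, so a banner hit is a prompt to check the package changelog, not a verdict. The sample banners are constructed.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Affected upstream range per the OpenSSL project's April 2014 advisory (a known
# fact, not taken from the article): 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# 1.0.1g and later, and every 0.9.x and 1.0.0 build, are not affected.
FIRST_FIXED_LETTER = "g"          # 1.0.1g was the fixed release
VULNERABLE_BETA = (1, 0, 2, 1)    # 1.0.2-beta1

# Matches the start of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

Version = Tuple[int, int, int, str, Optional[int]]


def parse_openssl_version(banner: str) -> Optional[Version]:
    """Parse an OpenSSL version banner into (major, minor, fix, letter, beta).

    Returns None if the banner does not look like OpenSSL output."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def is_heartbleed_version(banner: str) -> Optional[bool]:
    """True if the banner is inside the upstream Heartbleed range, False if
    outside it, None if the banner cannot be parsed."""
    v = parse_openssl_version(banner)
    if v is None:
        return None
    major, minor, fix, letter, beta = v
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) and 1.0.1a..1.0.1f are affected; 1.0.1g+ are fixed
        return letter < FIRST_FIXED_LETTER
    if (major, minor, fix, beta) == VULNERABLE_BETA:
        return True
    return False


def classify_banner(banner: str) -> str:
    """Turn the version check into an inventory verdict.

    Distributions such as Debian, Ubuntu and Red Hat shipped the fix as a patch
    on top of their existing 1.0.1e package, so a banner in the affected range
    is a screening hit that must be confirmed against the package changelog,
    not proof of exposure."""
    result = is_heartbleed_version(banner)
    if result is None:
        return "unknown: not an OpenSSL version banner"
    if result:
        return "review: upstream version in Heartbleed range (check for a distro backport)"
    return "ok: version outside Heartbleed range"


def local_openssl_banner() -> Optional[str]:
    """Run `openssl version` on this host, or return None if it is not installed."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample banners, as an inventory script might collect them.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.1.1k  25 Mar 2021",
        "LibreSSL 2.8.3",
    ]
    for s in samples:
        print(f"{s:35} -> {classify_banner(s)}")
    local = local_openssl_banner()
    if local:
        print(f"{local:35} -> {classify_banner(local)}")
```

Feed it banners gathered from a fleet (for example from a configuration-management inventory) and treat every "review" line as a ticket to confirm against the vendor's package changelog; an "unknown" line means the host runs something other than OpenSSL, such as LibreSSL, and needs its own advisory lookup.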
“The number of records stolen has grown from 2.7 million in 2012 to more than 94 million through the first half of 2015,” the report said.
Veracode explained that “a single healthcare record brings nearly 10 times the value of a stolen credit-card number, combined with the competitive differentiation of intellectual property.” The report added, “Healthcare data is a lot more valuable than other types of data because it has all the components criminals need such as the patient’s mother’s maiden name, date of birth, billing information and diagnosis codes, among other sensitive data.” So “It’s no wonder healthcare providers are being attacked.” One thing insecure applications have accomplished is to increase healthcare’s fear of liability.
57% of those surveyed are increasing spending on external security assessments; 56% are adding liability clauses to contracts with commercial-software vendors in their supply chain; 54% are implementing frameworks like the SANS Institute Security Controls.