Irregular application testing: App security in healthcare
Nearly half (45%) of NHS trusts scan for application vulnerabilities just once a year, with less only 8% doing so on a daily basis, according to Veracode. This potentially leaves them with outdated software and at an increased risk of a cyberattack, potentially exposing patient data to the wrong hands.
The new findings were gleaned from a Freedom of Information (FoI) request submitted to 36 NHS trusts, with 27 responding. The responses also revealed 50% of health trusts also only scan web perimeter apps once-a-year as well, leaving patient data at risk of cyberattacks through legacy websites and third-party plugins.
There are some promising results, however, with the request also revealing that 12 percent of trusts scan web application perimeters daily, demonstrating a growing awareness of the role application security plays to safeguard sensitive patient data.
These findings coincide with the recent Veracode State of Software Security report, which revealed healthcare as an industry once again has the lowest vulnerability fix rate globally, with the second-lowest OWASP pass rate and the highest prevalence of cryptographic and credentials management issues.
The report presented metrics drawn from code-level analysis of billions of lines of code across 300,000 assessments performed over the last 18 months, revealing that 67% of healthcare applications failed OWASP policy compliance.
The below percentages detail the prevalence of high profile vulnerabilities within the global healthcare industry, based on first-time application scans:
- Cross-site: 45.4%
- SQL Injection: 28.4%
- Cryptographic credentials: 72.9%
- Scripting issues management: 47.7%
The NHS was also one of the worst performing sectors in terms of the number of data breaches reported to the ICO last year, contributing to 64% of the total figure in the April 2015-March 2016 period.
The Health Secretary Jeremy Hunt has also recently announced that data from approved health apps will now feed directly into personal health records, with the NHS website soon to allow patients to book appointments, access medical records and order prescriptions. Indeed, he has called for the NHS in England to be paperless by 2018.
“In light of recent ransomware and other cyberattacks on healthcare organisations, the industry’s low scores on these application security benchmarks is troubling,” said Paul Farrington, Manager, EMEA Solution Architects, Veracode.
“Our new research certainly raises fresh concerns regarding the safety of patient information here in the UK, as well as across the globe. There appears to be a lack of emphasis on application and web app scanning within the NHS, which could put trusts at an increased risk of losing patient data to hackers.
“The Information Commissioner’s Office has the authority to fine trusts up to £500,000 for data breaches, so there’s even more of a reason for trusts to ensure they’ve placed an emphasis on their cyber hygiene. With hospitals correctly demanding rigorous sterilisation of surgical instruments and cleanliness from staff to fight the risk of infections spreading, the same should be considered when assessing their digital cleanliness to defend against the growing – and changing – threat of cyberattackers.”