10/19/2015 01:30 PM
'HIPAA Not Helping': Healthcare's Software Security Lagging

The latest Building Security in Maturity Model (BSIMM) study illustrates the long learning curve for secure coding initiatives.

Healthcare's cybersecurity ills are well-known, and a new study of enterprise secure software development shows just how far that sector lags behind other industries.

The new Building Security in Maturity Model (BSIMM) study published today, BSIMM6, found healthcare organizations scored much lower than their counterparts in the financial services, independent software vendor, and consumer electronics industries, when it comes to internal software security programs and practices. BSIMM6 studied more than 100 enterprises including 10 firms in healthcare. Six of those healthcare firms--Aetna, ANDA, McKesson, The Advisory Board Company, Siemens and Zephyr Health--agreed to be named as part of the study, which is headed up by software security firm Cigital Inc. with the help of NetSuite.

This was the first time healthcare has been measured in the BSIMM, which studies how organizations run their software security programs in-house and provides benchmark information that organizations can use to measure their program's maturity against those of other organizations. Among the areas BSIMM measures are governance (compliance and policy, metrics, training, for example); intelligence (attack models and intelligence, building and publishing of security features and design in software, for example); secure software development lifecycle (security feature review, automated tools, for example); and deployment (penetration testing, app input monitoring, and configuration and vulnerability management, for example).

Healthcare overwhelmingly scored lower than financial services firms, ISVs, and consumer electronics firms, which include some Internet of Things providers.

"HIPAA isn't helping" healthcare security, says Gary McGraw, CTO at Cigital. "All it did was increase bureaucracy and the tiny print stuff handed out each time you go to the doctor. It over-focused the healthcare domain on privacy and patient privacy data, which is an important thing. But there are many other aspects of security that have little to do with privacy."

Health Insurance Portability and Accountability Act compliance programs and auditors gave many healthcare organizations a false sense of their security, he says. "I think they thought they were covered by [HIPAA]."

McGraw says averaging all 78 firms' scores in BSIMM6 showed healthcare behind in all 12 software security practices. "That's the first time we've ever seen that in the BSIMM," he says.

It's been a tough year for healthcare organizations when it comes to security, starting with the massive breach of Anthem and other insurers, as well as that of UCLA Health. A recent study by Raytheon and Websense found that healthcare organizations are two times more likely to be hit with a data breach than other verticals, and currently experience 3.4 times more security incidents. In another study by Trend Micro, nearly 27% of data breaches reported over the past decade occurred in the healthcare sector, and healthcare was the hardest hit by identity theft in the past 10 years, with 44.2% of those cases caused by insider leaks.

Meanwhile, more than 90% of technical people in the healthcare profession believe cyber criminals are targeting healthcare, but just 10% or less of their IT budget is earmarked for information security, according to a survey by Trustwave.

Even so, the fact that 10 large healthcare organizations opted to participate in BSIMM is the good news here: that means that at least 10 are working on their secure coding programs.

"I'm optimistic that ten companies are spending time understanding where they are … I applaud them for doing that," says Jim Routh, chairman of the NH-ISAC, the healthcare industry's threat information-sharing exchange, and chief information security officer at Aetna Global Security, which was one of the 10 healthcare firms to participate in BSIMM6. "That is good news from my perspective."

Routh says awareness and understanding of software security is increasing in healthcare, but remains "relatively low" compared to other BSIMM industry sectors.

Healthcare firms typically face a lack of security staff and resources amid a constantly evolving threat landscape, according to Routh. "They feel more constrained [in] the adoption of a program" for software security, he says.

"BSIMM is a great program that gives [you] a baseline. If healthcare companies like Aetna want to measure their [software] security against financial services and ISVs--which is exactly what we do," then they can do so with BSIMM, he says. Aetna's software security program is relatively mature, he notes.

But not all BSIMM activities make sense for all organizations. Routh points out that creating a bug bounty program isn't something he would do at his firm, for example. "In our business of healthcare, it makes no sense at all," he says. Aetna instead relies on penetration testing and security services from Synack, he says, rather than establishing a bug bounty program.

Other companies that were studied in BSIMM6 are Adobe, Autodesk, Bank of America, Black Knight Financial Services, BMO Financial Group, Box, Capital One, Citigroup, Comerica, Cryptography Research, Depository Trust and Clearing Corporation, Elavon, EMC, Epsilon, Experian, Fannie Mae, Fidelity, F-Secure, HP Fortify, HSBC, Intel Security, JPMorgan Chase & Co., Lenovo, LinkedIn, Marks & Spencer, NetApp, NetSuite, Neustar, Nokia, PayPal, Pearson Learning Technologies, Qualcomm, Rackspace, Salesforce, Sony Mobile, Symantec, The Home Depot, TheTrainline.com, TomTom, U.S. Bancorp, Vanguard, Visa, VMware, and Wells Fargo.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Dan9126, User Rank: Apprentice
3/12/2016 | 3:33:42 PM
Healthcare security
The problem seems to me not to be one of training, but of managerial will. Remediation of known vulnerabilities is frequently hampered by management fear that services will be interrupted, compounded by vendors who are completely unwilling to patch software to keep it current. Add to this an unwillingness to budget for an infrastructure that can keep these things safely managed and monitored, and you have our current train wreck.
GaryM2712105, User Rank: Apprentice
10/23/2015 | 9:22:35 AM
Re: RE Bug Bounty for Healthcare
That does seem like a reasonable way to look at it. FWIW, we only added bug bounty as an activity to the BSIMM in BSIMM-V (Oct 2013) when it began to appear. Remember, BSIMM only describes what is actually going on out there.

In my view, the bug bounty hype these days is outstripping bug bounty reality on the ground. But bug bounty systems are growing.

gem
jason.haddix, User Rank: Apprentice
10/23/2015 | 12:36:59 AM
RE Bug Bounty for Healthcare
Very peculiar... Aetna says no bug bounty, yet Synack IS a crowdsourced security vendor, a bug bounty program. They use that terminology themselves when it benefits them. Google the Forbes article called: Synack Crowdsourcing Bug Bounty

www.forbes.com/video/3775809296001 

BSIMM6 seems great but might need to do some due diligence on the definitions of some vendors and success. I know many healthcare companies succeeding using bug bounty programs. Their ROI is outstanding vs traditional security consulting.
kim1green, User Rank: Apprentice
10/23/2015 | 12:12:03 AM
Re: Bug bounties and healthcare
Let's look at the data in another way. One or two years ago the number of bug bounty programs was likely zero, indicating the number of implemented programs will continue to grow. I do know several current members are looking to implement private bug bounty programs. Acknowledging that it remains challenging to implement bug bounty programs in healthcare because companies are reluctant to expose public facing systems that contain PHI. However, healthcare security leaders also recognize that their companies have many other critical systems that do not contain PHI and are looking to implement private bug bounty programs for these systems. The majority of security leaders that I speak to do see crowdsourcing in their company's future.
caseyjohnellis, User Rank: Apprentice
10/22/2015 | 11:52:31 PM
Re: Bug bounties and healthcare
"In our business of healthcare, it makes no sense at all"

Zephyr Health, one of the interviewed companies in BSIMM and a healthcare company, runs a bug bounty program... hence the comment about this statement being unusual.

It clearly makes at least some sense, otherwise Cigital wouldn't have included such an odd outlier in its study.

Download the data for yourself ;)
GaryM2712105, User Rank: Apprentice
10/21/2015 | 9:17:58 PM
Re: Bug bounties and healthcare
According to BSIMM6 data, that is not the case. Only 3 of 78 firms had a bug bounty system going when we measured them.

Download the data for yourself.
caseyjohnellis, User Rank: Apprentice
10/20/2015 | 7:21:00 PM
Bug bounties and healthcare
Jim Routh's comments are interesting given that Zephyr Health runs a bug bounty program: https://www.youtube.com/watch?v=GbW777t1tTA