Healthcare's cybersecurity ills are well-known, and a new study of enterprise secure software development shows just how far that sector lags behind other industries.
The new Building Security in Maturity Model (BSIMM) study published today, BSIMM6, found healthcare organizations scored much lower than their counterparts in the financial services, independent software vendor, and consumer electronics industries, when it comes to internal software security programs and practices. BSIMM6 studied more than 100 enterprises including 10 firms in healthcare. Six of those healthcare firms--Aetna, ANDA, McKesson, The Advisory Board Company, Siemens and Zephyr Health--agreed to be named as part of the study, which is headed up by software security firm Cigital Inc. with the help of NetSuite.
This was the first time healthcare has been measured in the BSIMM, which studies how organizations run their software security programs in-house and provides benchmark information that organizations can use to measure their program's maturity against those of other organizations. Among the areas BSIMM measures are governance (compliance and policy, metrics, training, for example); intelligence (attack models and intelligence, building and publishing of security features and design in software, for example); secure software development lifecycle (security feature review, automated tools, for example); and deployment (penetration testing, app input monitoring, and configuration and vulnerability management, for example).
Healthcare overwhelmingly scored lower than financial services firms, ISVs, and consumer electronics firms, which include some Internet of Things providers.
"HIPAA isn't helping" healthcare security, says Gary McGraw, CTO at Cigital. "All it did was increase bureaucracy and the tiny print stuff handed out each time you go to the doctor. It over-focused the healthcare domain on privacy and patient privacy data, which is an important thing. But there are many other aspects of security that have little to do with privacy."
Health Insurance Portability and Accountability Act compliance programs and auditors gave many healthcare organizations a false sense of their security, he says. "I think they thought they were covered by [HIPAA]."
McGraw says averaging all 78 firms' scores in BSIMM6 showed healthcare behind in all 12 software security practices. "That's the first time we've ever seen that in the BSIMM," he says.
It's been a tough year for healthcare organizations when it comes to security, starting with the massive breach of Anthem and other insurers, as well as that of UCLA Health. A recent study by Raytheon and Websense found that healthcare organizations are two times more likely to be hit with a data breach than other verticals, and currently experience 3.4 times more security incidents. In another study by Trend Micro, nearly 27% of data breaches reported over the past decade occurred in the healthcare sector, and healthcare was the hardest hit by identity theft in the past 10 years, with 44.2% of those cases caused by insider leaks.
Meanwhile, more than 90% of technical people in the healthcare profession believe cyber criminals are targeting healthcare, but just 10% or less of their IT budget is earmarked for information security, according to a survey by Trustwave.
Even so, the fact that 10 large healthcare organizations opted to participate in BSIMM is the good news here: that means that at least 10 are working on their secure coding programs.
"I'm optimistic that ten companies are spending time understanding where they are … I applaud them for doing that," says Jim Routh, chairman of the NH-ISAC, the healthcare industry's threat information-sharing exchange, and chief information security officer at Aetna Global Security, which was one of the 10 healthcare firms to participate in BSIMM6. "That is good news from my perspective."
Routh says awareness and understanding of software security is increasing in healthcare, but remains "relatively low" compared to other BSIMM industry sectors.
Healthcare firms typically face a lack of security staff and resources amid a constantly evolving threat landscape, according to Routh. "They feel more constrained [in] the adoption of a program" for software security, he says.
"BSIMM is a great program that gives [you] a baseline. If healthcare companies like Aetna want to measure their [software] security against financial services and ISVs--which is exactly what we do," then they can do so with BSIMM, he says. Aetna's software security program is relatively mature, he notes.
But not all BSIMM activities make sense for all organizations. Routh points out that creating a bug bounty program isn't something he would do at his firm, for example. "In our business of healthcare, it makes no sense at all," he says. Aetna instead relies on penetration testing and security services from Synack, he says, rather than establishing a bug bounty program.
Other companies that were studied in BSIMM6 are Adobe, Autodesk, Bank of America, Black Knight Financial Services, BMO Financial Group, Box, Capital One, Citigroup, Comerica, Cryptography Research, Depository Trust and Clearing Corporation, Elavon, EMC, Epsilon, Experian, Fannie Mae, Fidelity, F-Secure, HP Fortify, HSBC, Intel Security, JPMorgan Chase & Co., Lenovo, LinkedIn, Marks & Spencer, NetApp, NetSuite, Neustar, Nokia, PayPal, Pearson Learning Technologies, Qualcomm, Rackspace, Salesforce, Sony Mobile, Symantec, The Home Depot, TheTrainline.com, TomTom, U.S. Bancorp, Vanguard, Visa, VMware, and Wells Fargo.