Dark Reading is part of the Informa Tech Division of Informa PLC

10/19/2015 01:30 PM

'HIPAA Not Helping': Healthcare's Software Security Lagging

The latest Building Security in Maturity Model (BSIMM) study illustrates the long learning curve for secure coding initiatives.

Healthcare's cybersecurity ills are well-known, and a new study of enterprise secure software development shows just how far that sector lags behind other industries.

The new Building Security in Maturity Model (BSIMM) study published today, BSIMM6, found that healthcare organizations scored much lower than their counterparts in the financial services, independent software vendor (ISV), and consumer electronics industries when it comes to internal software security programs and practices. BSIMM6 draws on measurements of more than 100 enterprises; its current data pool of 78 firms includes 10 in healthcare. Six of those healthcare firms--Aetna, ANDA, McKesson, The Advisory Board Company, Siemens, and Zephyr Health--agreed to be named as part of the study, which is headed up by software security firm Cigital Inc. with the help of NetSuite.

This was the first time healthcare had been measured in the BSIMM, which studies how organizations run their software security programs in-house and provides benchmark data that an organization can use to compare its program's maturity against that of other organizations. BSIMM groups the activities it measures into four domains: governance (compliance and policy, metrics, and training, for example); intelligence (attack models and threat intelligence, and the building and publishing of security features and secure design, for example); secure software development lifecycle (SSDL) touchpoints (security feature review and automated tools, for example); and deployment (penetration testing, application input monitoring, and configuration and vulnerability management, for example).

Healthcare overwhelmingly scored lower than financial services firms, ISVs, and consumer electronics firms, which include some Internet of Things providers.

"HIPAA isn't helping" healthcare security, says Gary McGraw, CTO at Cigital. "All it did was increase bureaucracy and the tiny print stuff handed out each time you go to the doctor. It over-focused the healthcare domain on privacy and patient privacy data, which is an important thing. But there are many other aspects of security that have little to do with privacy."

Health Insurance Portability and Accountability Act compliance programs and auditors gave many healthcare organizations a false sense of their security, he says. "I think they thought they were covered by [HIPAA]."

McGraw says averaging all 78 firms' scores in BSIMM6 showed healthcare behind in all 12 software security practices. "That's the first time we've ever seen that in the BSIMM," he says.

It's been a tough year for healthcare organizations when it comes to security, starting with the massive breach of Anthem and other insurers, as well as that of UCLA Health. A recent study by Raytheon and Websense found that healthcare organizations are twice as likely to be hit with a data breach as other verticals, and currently experience 3.4 times more security incidents. In another study, by Trend Micro, nearly 27% of the data breaches reported over the past decade occurred in the healthcare sector, and healthcare was the sector hardest hit by identity theft over those 10 years, with 44.2% of those cases caused by insider leaks.

Meanwhile, more than 90% of technical people in the healthcare profession believe cyber criminals are targeting healthcare, but just 10% or less of their IT budget is earmarked for information security, according to a survey by Trustwave.

Even so, the fact that 10 large healthcare organizations opted to participate in BSIMM is the good news here: it means that at least 10 are actively working on their secure coding programs.

"I'm optimistic that ten companies are spending time understanding where they are … I applaud them for doing that," says Jim Routh, chairman of the NH-ISAC, the healthcare industry's threat information-sharing exchange, and chief information security officer at Aetna Global Security, which was one of the 10 healthcare firms to participate in BSIMM6. "That is good news from my perspective."

Routh says awareness and understanding of software security is increasing in healthcare, but remains "relatively low" compared to other BSIMM industry sectors.

Healthcare firms typically face a lack of security staff and resources amid a constantly evolving threat landscape, according to Routh. "They feel more constrained [in] the adoption of a program" for software security, he says.

"BSIMM is a great program that gives [you] a baseline. If healthcare companies like Aetna want to measure their [software] security against financial services and ISVs--which is exactly what we do," then they can do so with BSIMM, he says. Aetna's software security program is relatively mature, he notes.

But not all BSIMM activities make sense for all organizations. Routh points out that creating a bug bounty program isn't something he would do at his firm, for example. "In our business of healthcare, it makes no sense at all," he says. Aetna instead relies on penetration testing and security services from Synack, he says, rather than establishing a bug bounty program.

Other companies that were studied in BSIMM6 are Adobe, Autodesk, Bank of America, Black Knight Financial Services, BMO Financial Group, Box, Capital One, Citigroup, Comerica, Cryptography Research, Depository Trust and Clearing Corporation, Elavon, EMC, Epsilon, Experian, Fannie Mae, Fidelity, F-Secure, HP Fortify, HSBC, Intel Security, JPMorgan Chase & Co., Lenovo, LinkedIn, Marks & Spencer, NetApp, NetSuite, Neustar, Nokia, PayPal, Pearson Learning Technologies, Qualcomm, Rackspace, Salesforce, Sony Mobile, Symantec, The Home Depot, TheTrainline.com, TomTom, U.S. Bancorp, Vanguard, Visa, VMware, and Wells Fargo.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Comments
caseyjohnellis (User Rank: Apprentice), 10/20/2015 7:21:00 PM
Bug bounties and healthcare
Jim Routh's comments are interesting given that Zephyr Health runs a bug bounty program: https://www.youtube.com/watch?v=GbW777t1tTA
GaryM2712105 (User Rank: Strategist), 10/21/2015 9:17:58 PM
Re: Bug bounties and healthcare
According to BSIMM6 data, that is not the case.  Only 3 of 78 firms had a bug bounty system going when we measured them.

Download the data for yourself.
caseyjohnellis (User Rank: Apprentice), 10/22/2015 11:52:31 PM
Re: Bug bounties and healthcare
"In our business of healthcare, it makes no sense at all"

Zephyr Health, one of the interviewed companies in BSIMM and a healthcare company, runs a bug bounty program... hence the comment about this statement being unusual

It clearly makes at least some sense, otherwise Cigital wouldn't have included such an odd outlier in its study.

Download the data for yourself ;)
kim1green (User Rank: Apprentice), 10/23/2015 12:12:03 AM
Re: Bug bounties and healthcare
Let's look at the data in another way. One or two years ago the number of bug bounty programs was likely zero, indicating that the number of implemented programs will continue to grow. I do know several current members are looking to implement private bug bounty programs. Admittedly, it remains challenging to implement bug bounty programs in healthcare because companies are reluctant to expose public-facing systems that contain PHI. However, healthcare security leaders also recognize that their companies have many other critical systems that do not contain PHI and are looking to implement private bug bounty programs for these systems. The majority of security leaders that I speak to do see crowdsourcing in their company's future.
jason.haddix (User Rank: Apprentice), 10/23/2015 12:36:59 AM
Re: Bug Bounty for Healthcare
Very peculiar... Aetna says no bug bounty yet Synack IS a crowdsourced security vendor, a bug bounty program. They use that terminology themselves when it benefits them. Google the Forbes Article called: Synack Crowdsourcing Bug Bounty

www.forbes.com/video/3775809296001 

BSIMM6 seems great but might need to do some due diligence on the definitions of some vendors and success. I know many healthcare companies succeeding using bug bounty programs. Their ROI is outstanding vs traditional security consulting.
GaryM2712105 (User Rank: Strategist), 10/23/2015 9:22:35 AM
Re: Bug Bounty for Healthcare
That does seem like a reasonable way to look at it. FWIW, we only added bug bounty as an activity to the BSIMM in BSIMM-V (Oct 2013) when it began to appear. Remember, BSIMM only describes what is actually going on out there.

In my view, the bug bounty hype these days is outstripping bug bounty reality on the ground. But bug bounty systems are growing.

gem
Dan9126 (User Rank: Apprentice), 3/12/2016 3:33:42 PM
Healthcare security
The problem seems to me not to be one of training, but of managerial will. Remediation of known vulnerabilities is frequently hampered by management fear that services will be interrupted, compounded by vendors who are completely unwilling to patch software current. Add to this woman and unwillingness to budget for an infrastructure that can keep these things safely managed and monitored, and you have our current train wreck.