Healthcare agencies are no strangers to IT security risks. In August, Community Health Services (CHS) announced the theft of 4.5 million patient records due to a Heartbleed breach; now, companies are dealing with Shellshock, which exploits open-source Bash code to compromise appliances and network hardware such as medical devices. To combat these threats and maintain HIPAA compliance, many agencies have "hardened" traditional access points, making it more difficult for attackers to slip through. The rise of an app-enabled healthcare supply chain, however, is creating new breach points faster than IT professionals can keep up.
A New Framework
"You hear it all the time — you don't want to be the next CHS," says Mac McMillan of the HIMSS Privacy and Security Task Force. Interviewed in a recent Healthcare Dive article, McMillan argues it's time for an industry-wide security framework. In fact, it's long overdue: Health companies are rushing to partner with Big Data firms and healthcare wearables are now big business, making HIPAA compliance a challenge across the board. Consider the healthcare supply chain. From data to consumables to specialized hardware, every aspect of health supply comes in contact with an application. And according to Veracode's Senior Director of Product Management Tim Jarrett, the scale of supply software is massive. What's more, "66 percent of healthcare's application portfolio is open source or third party." This speaks to McMillan's call for standardization, but is security even possible at such large volume?
The Price of Safety
Jarrett notes that, historically, health companies haven't considered security of an application to be a critical buying criteria; instead, price and functionality dominate purchasing conversations. The result? Companies are dependent on expensive testing efforts — he remembers one spending $80,000 per application — and often get stuck in a kind of loop: They buy software, pay to have it tested, buy more software, then repeat. In other words, he says, "it's an awfully tangled supply chain in software."
HIPAA compliance also presents a challenge for the safety of supply chains. Unlike other standards such as PCI, HIPAA describes the end result but doesn't provide much in the way of prescriptive advice. For example, to be PCI compliant, companies must implement session timers that lock down after 15 minutes if terminals are unused. There's no equivalent detailed guidance in HIPAA, nor does it mention specific types of security issues that should be protected against. Instead, healthcare agencies must protect personally identifiable information (PII) and show the steps they've taken, but those steps are never mapped out. Jarrett advocates for an independent verification standard in healthcare that would clearly indicate success or failure.
A recent Veracode/IDG survey found that 60 percent of internally developed healthcare applications are not tested for vulnerabilities — and that's despite agencies spending more than $1.12 million per year on app security. Add in open-source and third-party apps, plus new threats like the Spike toolkit and Shellshock, and a big question comes up: Is there any way to deal with everything at once?
Jarrett says companies must "test as broadly as possible," with the understanding that security programs exist for all apps, all the time. What's more, it's not enough to do one test and be satisfied with a passing grade. Patches, upgrades and exploits change the security landscape; rigorous, programmatic testing is necessary to achieve a comprehensive view of the supply chain. Layering is also a critical component — application testing doesn't replace network testing, penetration testing or other security measures.
For Tim Jarrett and Veracode, handling the healthcare supply chain means creating a "culture of security." App security must always be a part of the discussion and extend beyond internal development to both vendors and vendor communities. "What you thought was secure today may not be tomorrow," Jarrett warns—so test with rigor, test often and test everything.
Photo Source: Wikimedia Commons