To address health-network issues, first priority goes to defending the front line: applications. The rise of enterprise-grade cloud computing and powerful mobile devices has significantly changed the app landscape. In a recent survey of healthcare enterprises, Veracode found that while 34 percent of applications are still designed internally, 42 percent are sourced from commercial vendors and 24 percent are outsourced to third parties for development. The result is a network landscape full of shifting priorities and permission requests, and at its perimeter stands a mixed bag of apps: some internal, some not, some properly tested and others in need of review. Beyond these apps? Internal systems handling thousands of health records each day. In other words, tempting targets.
Not So Different after All
According to Pejman Pourmousa, director of customer success at Veracode, the real gap in healthcare security isn't between internal apps and their third-party counterparts. The difference is much simpler: apps in robust application security (AppSec) programs versus apps that aren't. Whether they're third-party, commercial or internally developed doesn't matter, says Pourmousa, since "both third-party and internal applications are easy entry points into an enterprise's internal networks." He recommends that low-priority apps go through the same kind of rigorous testing as their mission-critical counterparts — even a simple breach can lead to much bigger problems if attackers gain access to a network at large.
A New Way
If healthcare enterprises continue to use ad-hoc app testing, it's expected that security spending on internal applications alone will reach more than $3 million per agency in 2015, creating a $2 million gap between needs and estimated budgets. A programmatic approach eliminates the need to treat internal and external apps differently, and provides a long-term foundation for solid application security. "Once you have that approach in place," says Pourmousa, "it gets much easier to close the gap between apps that are in your program and apps that are not."
Healthcare security remains a challenge for enterprises, with many struggling to find the ideal balance between patient access and information security. For some, the gap seems insurmountable. But there's a simple starting point: Secure all apps using the same repeatable framework, and the distance between "risk" and "reliability" will start to close.