Personally identifiable information (PII) is rapidly becoming a hot commodity for cybercriminals, since it lets them file false tax returns and create fake credit-card accounts. But the most valuable PII? Healthcare data. Once compromised, thieves can use this data to claim medical benefits and obtain prescription drugs. According to Healthline, healthcare security took a beating last year, with 44 percent of total identity breaches targeting the medical-services industry. As noted by Modern Healthcare, more than 12 percent of all Americans have suffered some kind of healthcare-related information breach; in addition, Community Health Systems (CHS) was recently breached through the Heartbleed vulnerability, causing millions of records to be compromised. So, what's the problem? Are cybercriminals too difficult to stop, or are health agencies simply unable to find adequate protection against attackers? And is there any way to close the gap?
To address health-network issues, first priority goes to defending the front line: applications. The rise of enterprise-grade cloud computing and powerful mobile devices has significantly changed the app landscape. In a recent survey of healthcare enterprises, Veracode found that while 34 percent of applications are still designed internally, 42 percent are sourced from commercial vendors and 24 percent are outsourced to third parties for development. The result is a network landscape full of shifting priorities and permission requests, and at its perimeter stands a mixed bag of apps — some internal, some not, some properly tested and others in need of review. Beyond these apps? Internal systems handling thousands of health records each day. In other words, tempting targets.
Not So Different after All
According to Pejman Pourmousa, director of customer success at Veracode, the real gap in healthcare security isn't between internal apps and their third-party counterparts. The difference is much simpler: apps in robust application security (AppSec) programs versus apps that aren't. Whether they're third-party, commercial or internally developed doesn't matter, says Pourmousa, since "both third-party and internal applications are easy entry points into an enterprise's internal networks." He recommends that low-priority apps go through the same kind of rigorous testing as their mission-critical counterparts — even a simple breach can lead to much bigger problems if attackers gain access to a network at large.
For Pourmousa, the critical element of any effective AppSec strategy is a "programmatic approach." He describes such an approach as "a repeatable way of helping teams adopt and improve their uses of secure development best practices — that way, no matter where the software ends up, it is harder for attackers to exploit." By running every app — internal and external alike — through the same rigorous testing process, nothing gets missed. The same goes for mobile devices, which are often easy points of compromise for industrious cybercriminals. Mobile-app developers must certainly evaluate their code using both static penetration tests and behavioral analysis, but, as Pourmousa notes, "Without a mandate for secure development practices and an approach to simplify adoption of those practices, it'll be hard to get mobile development teams to properly test their apps for security risks." Bottom line: Closing the gap means putting every app — origin and device type notwithstanding — through the same rigorous assessments.
A New Way
If healthcare enterprises continue to use ad-hoc app testing, it's expected that security spending on internal applications alone will reach more than $3 million per agency in 2015, creating a $2 million gap between needs and estimated budgets. A programmatic approach eliminates the need to treat internal and external apps differently, and provides a long-term foundation for solid application security. "Once you have that approach in place," says Pourmousa, "it gets much easier to close the gap between apps that are in your program and apps that are not."
Healthcare security remains a challenge for enterprises, with many struggling to find the ideal balance between patient access and information security. For some, the gap seems insurmountable. But there's a simple starting point: Secure all apps using the same repeatable framework, and the distance between "risk" and "reliability" will start to close.