75% of Apps in the Healthcare Industry Have a Security Vulnerability

In light of the current pandemic, our healthcare industry has been challenged like never before. Healthcare workers heroically stepped up to the plate, caring for those in need, while the industry itself digitally transformed to keep up with the influx of patient data and virtual wellness appointments.

The increase of digital activity has brought about new security threats with cyberattackers targeting patient data. In fact, according to a recent article in Modern Healthcare, “the FBI and two federal agencies warned cybercriminals were ramping up efforts to steal data and disrupt services across the healthcare sector.” In September, a ransomware attack affected over 250 U.S. hospitals and clinics, preventing the use of critical emergency room equipment that relies on ethernet cabling.

The increase in cyberattacks in the healthcare industry is important to note because, according to our recent State of Software Security (SOSS) report, 75 percent of applications in the healthcare industry have a security vulnerability and 26 percent have high-severity security vulnerabilities.

Our SOSS data shows that the healthcare industry has a fix rate of 70 percent, a lower rate than average when compared to other industries. But, on a positive note, the industry ranks second in the median time it takes to remediate flaws. This suggests that healthcare organizations move quickly to address security flaws in order to keep security debt from getting too out of hand.

The SOSS report also examines how “nature” and “nurture” influence applications. We found that the “nature” of applications – like organization or application size, application age, or flaw density – can affect how long it takes to remediate a security flaw. But, “nurturing” applications – like using multiple application security (AppSec) testing types, scanning frequently and steadily, and utilizing APIs to scan for security – can also influence how long it takes to remediate security flaws.

In terms of nature, healthcare organizations may be a little on the large side, but applications are fairly new and reasonably sized. The applications also have a low flaw density, which means flaws are present only in certain parts of the application.

In terms of nature, the healthcare industry is average compared to others for API usage and excels at scanning on a steady cadence and using dynamic application security testing. To improve its fix rate and median time to remediation, the healthcare industry needs to follow more DevSecOps best practices by improving its scan frequency and implementing software composition analysis. As Chris Eng, Chief Research Officer at Veracode notes, “the healthcare industry scans on steady cadence, like clockwork, but they aren’t scanning frequently enough. By increasing the frequency of scans, we could start to see improved fix rates.”

The healthcare industry should be proud of its developers for doing a good job handing issues related to CRLF injection and cryptography. Injection flaws are considered by OWASP Top 10 to be the number one most critical security risk to web applications, but they are less prevalent in healthcare applications than other applications.

For more information on software security trends in the healthcare, check out The State of Software Security Industry Snapshot.