Most patients practice preventative care through regular trips to the doctor, catching minor issues before they turn into major medical problems. So, why don’t more organizations follow suit with security testing to prevent breaches and fortify the safety of patient information?
Too often, remediation is an afterthought as developers scramble to patch holes in their systems post-breach. A recent report in the journal of Health Services Research suggests that this herculean effort can put a strain on patient health when things slow down after a breach and new security measures are introduced. However, preventative care can work in the security world just as it does for your health.
Less isn’t more in healthcare cybersecurity
Some experts and industry thought leaders see unfortunate breaches as opportunities to better understand what went wrong and how it can be prevented in the future. Unfortunately, information from these breaches sometimes muddies the tumultuous waters of cybersecurity and can cause panic over increased security procedures.
Josephine Wolff, assistant professor of cybersecurity policy at Tufts Fletcher School of Law and Diplomacy, found that the 2019 report published in the journal of Health Services Research draws dangerous conclusions about the negative impacts of mitigating cyberattacks in healthcare. The HSR paper proposes that lost passwords and associated security measures—like two-factor authentication—hold up patient care with increased wait times for ECGs and result in higher rates of fatal heart attacks. A point, they suggest, that should lead to less aggressive security efforts.
In her article, Wolff proposes that a slower remediation process is precisely why more medical institutions should view this as a crucial pivot point, not a nuisance. She explains, “Undoubtedly, IT upgrades and updates can inconvenience workers and slow down operations in any workplace, but that is a reason to develop techniques and processes for implementing them more smoothly—not to write them off as harmful and counterproductive.” Even the most basic preventive actions are crucial best practices, and they’re just a starting point.
The cyberattack epidemic in healthcare
Data from the last decade shows just how damaging breaches can be for institutions and patients alike. According to HIPAA Journal, there were 2,546 healthcare breaches from 2009 to 2018 that exposed over 180,000,000 patient records to attackers, resulting in costly settlements and fines for HIPAA violations. Additionally, figures from the Protenus 2019 Breach Barometer report reveal that in 2018 alone, the healthcare sector saw a whopping 15,085,302 patient records breached—a number that nearly tripled from 2017 to 2018.
These trends are alarming but important to watch. Our 10th annual State of Software Security (SOSS) report examines trends in various industries, including healthcare, and the data sheds some light on why it’s so crucial for organizations to get a jump on security measures.
We found that healthcare institutions have the highest prevalence of severe flaws at 52 percent and are the slowest to fix said flaws, with a median time-to-remediation (MedianTTR) of 131 days. All this typically contributes to security debt, which accumulates over time as more and more flaws are left uncorrected.
Daunting security debt is a problem that your DevOps team can tackle with the right processes in place, including a steady cadence of scans. Our SOSS report found that those who conduct up to 12 scans per year have a MedianTTR of 68 days, while those who scan more than 260 times per year have a MedianTTR of just 19 days (that’s a substantial 72 percent reduction in remediation time).
Increasing the regularity of your scans can have a lasting impact on security debt. In fact, we found that frequent scanners carry 5x less security debt than sporadic scanners who lack a reliable testing process. The remedy is clear: scanning often and speeding up fix rates to mitigate severe flaws will cause far fewer headaches in the future and, ultimately, prevent downtrends in patient care.
A process-minded prognosis
The good news in this year’s SOSS report is that healthcare institutions have a fix rate of 72 percent, which is decent when compared to other industries. Still, hospitals and healthcare providers must stay on top of application scanning to increase frequency and efficiency, cutting down their MedianTTR.
The solution? Shifting DevSecOps behaviors from reactive to proactive through keener code management and more thorough remediation processes. This entails making sure security programs:
- Include a trained team of security-minded developers
- Cover all applications across your health organization
- Include a frequent and steady scanning cadence
- Have ample resources developers can tap into for testing and fixes
- Are adaptable enough to handle shifting landscapes in cybersecurity
- Are equipped to cover third-party vendors used by the organization
Taking steps towards a well-rounded security program not only bolsters your defense against attacks but also sheds light on wrinkles in your remediation process that need ironing. With these measures in place, if a breach or a cyberattack occurs, your healthcare organization will be better equipped to handle issues with minimal to no impact on patient care.
Learn more about cybersecurity in healthcare
Like what you see? Find more info about the state of cybersecurity for healthcare by downloading our SOSS Volume 10 Industry Snapshot, and then check out the full report to keep a pulse on the shifts in DevSecOps over the last ten years.