HIMSS and Veracode Survey Reveals Application Vulnerabilities are Top Cybersecurity Concern for Healthcare Providers

Loss of Life, Brand Damage and Regulatory Enforcement Top Three Fears

BURLINGTON, Mass. — January 21, 2016 — Veracode, a leader in protecting enterprises from today’s pervasive Web and mobile application threats, today issued findings from a joint Healthcare Information and Management Systems Society (HIMSS)/Veracode survey of 200 healthcare IT executives revealing how application security is viewed and addressed by healthcare providers across the US. The number one concern of these executives was the exploitation of vulnerabilities in web, mobile and cloud-based applications. Survey respondents cited the potential for loss of life due to compromised networks or medical devices, brand damage due to theft of patient information and regulatory enforcement as their top fears related to such security breaches.

As a single healthcare record brings nearly 10 times the value of a stolen credit-card number, combined with the competitive differentiation of intellectual property (drug or device development, billing processes, care procedures, etc.), it’s no wonder healthcare providers are being attacked. In fact, the number of records stolen has grown from 2.7 million in 2012 to more than 94 million through the first half of 2015, according to the U.S. Department of Health and Human Services.[1] The rapidly expanding IT footprint, a bottoms-up technology culture where centralized security policies are difficult to enforce and significant skills gaps around security create formidable challenges for healthcare providers to secure patient data.

Healthcare Providers Have Fear of Liability

Liability over a breach is top of mind and providers are taking action to address their exposure. To meet liability requirements, 57 percent of survey respondents say they are increasing spending on third-party security assessments, such as code audits. Another 56 percent are inserting liability clauses into contracts with commercial software vendors to lessen the risk exposure from their software supply chain. And more than half are implementing standard frameworks such as SANS Institute Security Controls as a means to create a baseline security posture from which future improvements can be benchmarked.

Overcoming Bottoms-Up Cultural Constraints

One of the biggest challenges healthcare organizations face is addressing the fact that much of the decision-making authority is held by the doctors themselves, rather than in a centralized manner. This bottoms-up culture means that it becomes very difficult for a CISO to implement consistent security controls across departments, resulting in serious vulnerability issues for the organization.

Some healthcare organizations have already started to push to address this challenge by making cybersecurity a top institutional priority, with 65 percent reporting investment in security technologies that enable governance policy enforcement; 51 percent investing in training initiatives to educate department heads about cybersecurity; and 44 percent pushing the CEO to be an advocate for centralized IT-security policy across all departments.

“There’s a perfect storm brewing for 2016 in healthcare and if things continue as-is, we’re likely to see an increased plundering of medical records leading to increases in insurance fraud, illegally purchased medical equipment and controlled substances, or something even worse,” said Chris Wysopal, CTO and CISO, Veracode. “Remedying the problem starts with a good look at how healthcare-related software is built and making sure that security is a priority. In fact, our data from actual code-level analysis of billions of lines of code shows that 80 percent of healthcare applications contain easily avoidable cryptographic issues such as weak algorithms. Given the large amount of sensitive data collected by healthcare organizations, this is quite concerning.”

The joint HIMSS/Veracode white paper with more detailed statistics and conclusions from the survey can be found at https://info.veracode.com/whitepaper-state-of-web-and-mobile-application-security-in-healthcare.html. An infographic based on the findings can also be downloaded at https://www.veracode.com/blog/2016/01/state-web-and-mobile-application-security-healthcare.

The HIMSS-Veracode “The State of Web and Mobile Application Security in Healthcare” survey was conducted electronically over the course of four weeks in late 2015. All of the 200 respondents are senior IT security executives of hospitals across the country.

[1] Breach Portal. U.S. Department of Health and Human Services. Accessed at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf