March 2, 2021

Healthcare Sector Acts Quickly to Fix Flaws in Software, But Battles Security Debt, Veracode Research Reveals

After a year marked by significant digital transformation for healthcare, developers and security professionals must scan more code and continue to remediate flaws quickly

BURLINGTON, Mass. – March 2, 2021 – Veracode, the largest global provider of application security testing (AST) solutions, revealed that one in every four applications in the healthcare sector contains a high severity flaw, but that the sector acts to fix security issues faster than most other sectors.

The healthcare industry is in a better position with software security because it often deals with applications that are smaller, newer, and of lower flaw density than applications in sectors such as technology, financial services, manufacturing, and government. This contributes to the sector’s ability to fix flaws faster than every other industry aside from retail. At the same time, the healthcare industry tends to lag in how often applications are scanned for defects and is the least likely to scan for flaws in open source components. Both factors contribute to lingering flaws that go unfixed, known as security debt, which could be exploited in cyberattacks.

“Hospitals and healthcare systems are considered soft targets by cybercriminals because they often don’t have the budget or personnel to protect from attacks,” said Chris Wysopal, cofounder and Chief Technology Officer at Veracode. “The threat is obviously greater due to the lifesaving work in this industry. Healthcare companies need to double down on securing their code.”

In 2020, the average cost of a data breach in healthcare was $7.1 million in damages – about double the average cost across all sectors – exposing millions of sensitive records containing personally identifiable information (PII). Phishing, credential harvesting attacks, and social engineering attacks were the most significant security incidents in the past year, according to the 2020 HIMSS Cybersecurity Survey. These threats are compounded by low investment in cybersecurity, lack of employee security training, and disruption of IT operations due to remote work.

Veracode research shows 75% of healthcare applications contain at least one flaw, and 26% contain a high severity flaw. The sector fixes 70% of the flaws it finds, which puts it behind several other sectors in the proportion of flaws fixed. The data suggests that developers in healthcare organizations do a better job handling issues related to CRLF injection and cryptography, both of which are important for protecting PII. (Veracode’s interactive Heat Map shows flaw types by language.)

For more information on common flaws and findings, see Veracode’s State of Software Security Volume 11 and the SOSS 11 Healthcare Infosheet.

About the State of Software Security Report

Veracode’s State of Software Security (SOSS) Volume 11 report is a comprehensive review of application security testing data from scans of more than 130,000 active applications conducted by Veracode’s customer base of more than 2,500 companies. This represents the industry's most comprehensive set of application security benchmarks. Veracode collaborated with data scientists at Cyentia Institute to better visualize and understand new threats and how developers can make applications better and more secure.

About Veracode

Veracode is a global leader in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-assisted remediation engine, the Veracode platform is trusted by organizations worldwide to build and maintain secure software from code creation to cloud deployment. Thousands of the world’s leading development and security teams use Veracode every second of every day to get accurate, actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale. Veracode is a multi-award-winning company offering capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, and Penetration Testing.

Learn more at www.veracode.com, on the Veracode blog, and on LinkedIn and Twitter.

Copyright © 2024 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.


Press and Media Contacts

Katy Gwilliam,
Head of Global Communications, Veracode
[email protected]