Healthcare Sector Acts Quickly to Fix Flaws in Software, But Battles Security Debt, Veracode Research Reveals
After a year marked by significant digital transformation for healthcare, developers and security professionals must scan more code and continue to remediate flaws quickly
BURLINGTON, Mass. – March 2, 2021 – Veracode, the largest global provider of application security testing (AST) solutions, revealed that one in every four applications in the healthcare sector contains a high severity flaw, but that the sector fixes security issues faster than most other sectors.
The healthcare industry is in a better position with software security because it often deals with applications that are smaller in size, newer, and with a lower flaw density than applications in sectors such as technology, financial services, manufacturing, and government. This contributes to the sector’s ability to fix flaws faster than every other industry aside from retail. At the same time, the healthcare industry tends to be a laggard in how often applications are being scanned for defects and is least likely to scan for flaws in open source components. These factors both contribute to lingering flaws that go unfixed, known as security debt, that could be exploited in cyberattacks.
“Hospitals and healthcare systems are considered soft targets by cybercriminals because they often don’t have the budget or personnel to protect from attacks,” said Chris Wysopal, cofounder and Chief Technology Officer at Veracode. “The threat is obviously greater due to the lifesaving work in this industry. Healthcare companies need to double down on securing their code.”
In 2020, the average cost of a data breach in healthcare was $7.1 million in damages – about double the average cost across all sectors – exposing millions of sensitive records containing personally identifiable information (PII). Phishing, credential harvesting attacks, and social engineering attacks were the most significant security incidents in the past year, according to the 2020 HIMSS Cybersecurity Survey. These threats are compounded by low investment in cybersecurity, lack of employee security training, and disruption of IT operations due to remote work.
Veracode research shows 75% of healthcare applications contain at least one flaw, and 26% contain at least one high severity flaw. The sector fixes 70% of the flaws it finds, which puts it behind several other sectors in the share of flaws fixed. The data suggests that developers in healthcare organizations do a better job handling issues related to CRLF injection and cryptography, both of which are important for protecting PII. (Veracode’s interactive heat map of flaw types by language is available online.)
About the State of Software Security Report
Veracode’s State of Software Security (SOSS) Volume 11 report is a comprehensive review of application security testing data from scans of more than 130,000 active applications conducted by Veracode’s customer base of more than 2,500 companies. This represents the industry's most comprehensive set of application security benchmarks. Veracode collaborated with data scientists at Cyentia Institute to better visualize and understand new threats and how developers can make applications better and more secure.