A new study assessing enterprise software security development found that the healthcare industry is lagging significantly behind other sectors, including financial services, consumer electronics and independent software vendors.

The latest Building Security in Maturity Models (BSIMM) study – a software security measurement tool built on real-world data – studied the internal software security programs and practices of nearly 80 enterprises, including 10 firms in healthcare.

The results found healthcare organizations performing consistently poorly, and ranking the lowest, across all of the software security practices evaluated—a first in the history of the study.

Nonetheless, Gary McGraw, CTO at application security firm Cigital—whose data contributed to the study—says the fact that the 10 healthcare organizations are “doing software security at all puts them head and shoulders above most other healthcare firms.”

The software security practices assessed included:

  • Governance – Strategy & Metrics, Compliance & Policy, Training
  • Intelligence – Attack Models, Security Features & Design, Standards & Requirements
  • SSDL Touchpoints – Architecture Analysis, Code Review, Security Testing
  • Deployment – Penetration Testing, Software Environment, Configuration Management & Vulnerability Management

McGraw adds that the Health Insurance Portability and Accountability Act (HIPAA) may be part of the problem, as it often gives healthcare organizations a false sense of security.

“[HIPAA] over-focused the healthcare domain on privacy and patient privacy data, which is an important thing,” said McGraw. “But there are many other aspects of security that have little to do with privacy.”

In the wake of several major data breaches affecting the industry earlier this year—such as the incidents at Anthem, Premera Blue Cross and Excellus—the study’s results further confirm underlying issues in healthcare software security practices.

Meanwhile, a recent report published by Raytheon and Websense revealed that healthcare organizations are two times more likely to be hit with a data breach than organizations in other verticals.

The report also states the healthcare industry currently sees 340 percent more security incidents and attacks than any other industry, making the sector significantly more vulnerable to data theft.