Healthcare has ‘plenty to learn from other industries’ about software security


If you’ve been following healthcare IT at all over the past few years, even if only as a consumer, you know that providers, payers and governmental health bodies are all vulnerable to hackers and data thieves.

A new analysis suggests things may be more troubling than you think, showing the industry to be considerably worse at protecting private info than financial services, consumer electronics and software vendors.

The insight comes from the latest Building Security in Maturity Model (BSIMM), an open standard and measurement tool, as captured and released by one of BSIMM’s major sponsors, Cigital.

BSIMM (pronounced Be-Simm) has produced such reports annually since 2008, basing its conclusions on real-world data from more than 100 organizations, according to the report.

This is the first year the initiative included healthcare entities, 10 of which allowed analysts to look under their respective hoods and six of which agreed to be identified: Aetna, ANDA, McKesson, The Advisory Board Company, Siemens and Zephyr Health.

Cigital scrutinized 12 core segments of software security practices in a total of 104 participating organizations.

Healthcare trailed other industries in all 12 segments.

The BSIMM model concentrates on data security practices in four domains—governance, intelligence, secure software development lifecycle (SSDL) and deployment—and assigns each three practice areas, ending up with a total of 112 activities.

For example, under intelligence, the practice areas reviewed are attack models, security features and design, and standards and requirements.

In their report, the authors call healthcare “the most interesting new vertical” in the BSIMM initiative. “Simply put, healthcare firms are just getting started with software security … Healthcare is likely to mature quickly now that software security has come into stark focus.”

In a statement promoting the work, Gary McGraw, PhD, Cigital’s CTO, says the addition of healthcare shows “growing awareness of all verticals toward measuring their software security” performance.

“The healthcare data show that the industry has plenty to learn from other industries when it comes to software security,” adds McGraw.

To download the 65-page report, click here (registration required).