Keeping code healthy: why AppSec must be a strategic priority in healthcare transformation

Healthcare organisations have been on the front line in more ways than one in the past two years. While responding to the biggest public health crisis of the modern era, they have also faced a disproportionate rise in cyber-attacks. The pressures of the pandemic, together with IT systems that have not kept pace with the requirements of modern security, left the sector vulnerable.

Cybercriminals were not slow to capitalize. Ransomware has been a particularly successful tactic because, in healthcare, disrupted systems don’t just threaten financial wellbeing and productivity; they also pose a threat to life. That makes it more likely that victims of ransomware attacks will pay ransoms, and pay fast.

But it is not just the immediate prospect of easy cash that attracts cybercriminals to the healthcare sector. Healthcare organisations gather, store, and share some of the most sensitive and valuable types of data. Whether it is personally identifiable patient information (PII) or corporate data and research and development IP, hackers can make a lot of money by selling it on the dark web.

The sensitive personal information managed by healthcare organisations means they are among the most highly regulated when it comes to data protection. Healthcare data is defined as special category data under the terms of the EU GDPR, making it subject to a higher standard of protection. In the US, the Health Insurance Portability and Accountability Act 1996 (HIPAA) applies special protections to healthcare data. As a result, health organisations face both a high level of threat and a high compliance burden.


Building back better: hardening healthcare IT against attackers

Recently a well-publicised ransomware attack on Ireland’s Health Service Executive (HSE) had wide-ranging impacts, including the forced cancellation of critical treatment appointments. The HSE was still dealing with the after-effects of the attack months later.

This pointed to an urgent need to review the sector’s approach to cybersecurity. As part of its response, the HSE commissioned consultants PwC to identify the priorities for tackling cyber risk. The extensive report found a need for complete transformation in the organisation’s approach to IT, Operations Technology (OT) and cybersecurity, noting that:

“The parts of the health service that were arguably best-equipped to maintain clinical services in the face of prolonged IT outages were those that rely on paper records for patient services. Whilst this was a positive feature in managing the Incident, it highlights the extent to which modernisation is required across the health service to enable the adoption of digital health services. Reducing cybersecurity risk requires both a transformation in cybersecurity capability and IT transformation, to address the issues of a legacy IT estate and build cybersecurity and resilience into the IT architecture.”

This transformation process is a defining challenge for the healthcare sector. The pressures of the pandemic demonstrated an urgent need for remote digital healthcare services to enable better, faster care and support improved patient outcomes.

Achieving this will entail a robust approach to application security, because digitised services – whether they are directly related to patient care or focused on the management and efficiency of healthcare providers – must be future-proof and protected from malicious cyber-attacks. Also – to comply with the relevant regulations – they must be secure by design.


Transformation pressures can increase security risk

Organisations need to focus on the health of their code base if they are to transform securely, but there are competing pressures that can make this difficult. When developer teams are under pressure to deliver transformation, tension can arise between application delivery schedules and making sure that apps are secure before they go into production.

The challenge is that even the most conscientious developers can make errors in custom code. Also, although using open-source libraries is essential if teams are to meet delivery schedules, open-source components can introduce security vulnerabilities and compliance risks. Even if the organisation has an AppSec tool that scans for vulnerabilities, it may not be adopted by time-pressured developers – especially if it generates too many alerts, false positives, or non-material issues.

The outcome is that applications can hit a bottleneck when they need to be optimised for compliance by AppSec teams, and backlogs can result, slowing the pace of transformation.

Resolving this tension requires a combination of intelligent tools and AppSec expertise that: empowers developers to spot and fix security issues earlier in the development lifecycle; increases the relevance and materiality of alerts; and improves the health of the code base over time.

The Checkmarx AST platform integrates seamlessly with developers’ preferred IDE and can be configured to scan code automatically at key points in the SDLC, delivering results directly into the IDE along with best-fix locations and advice.

Crucially, by tuning the platform to the organisation’s risk policies, including compliance requirements under HIPAA and other regulations, noise can be reduced so developers are only alerted to material issues that must be addressed. Over time, this gives developers greater confidence in the tool and makes them more willing to adopt it, because they know they aren’t wasting their time chasing down false positives or irrelevant issues.


The power of professional services expertise

Not all organisations have the in-house technical expertise to handle their AppSec burden, particularly during periods of rapid digital transformation. The resulting backlogs can seem like a mountain to climb. Solutions such as Checkmarx AppSec Accelerator can help, with highly skilled Checkmarx experts delivering threat modelling, optimisation and triage designed to improve the health of the code base over time and significantly increase the pace at which the organisation can publish its applications. Further, by integrating Checkmarx experts with in-house teams, AppSec Accelerator helps build internal capability and corporate memory, putting the organisation in a better position to continue its digital transformation journey in the future.

The healthcare sector will continue to face considerable pressure as it balances digitisation with ensuring it has a strong defence against malicious attacks. There’s one certainty around the critical digital transformation of healthcare services: it will mean more code. Making sure this code is secure must be a priority, and that is why AppSec should be a key consideration.
