Comment: How vital is web application security to healthcare providers?

Andrew Foxcroft, Radware country manager and regional director, discusses how healthcare organisations are struggling to match the security demands of constant application availability


In modern healthcare environments, access to real-time data, especially sensitive data such as patient records, requires both the security and availability of in-house, web, mobile, or cloud applications.


Digital transformation has led to the healthcare sector creating an always-connected world of medical equipment and databases that continually transmit unstructured, and potentially unsecure, data.

Beyond the data explosion, the healthcare sector must comply with a broad, highly-specific set of governmental- and industry-led regulations and standards that control the collection, use, sharing and transmission of sensitive personal and clinical information.

Healthcare providers are likely to have invested in sophisticated equipment to help them collect and process data, but due to their long lifecycle, many of these devices are connected to old, unpatched systems. In fact, some still run on Windows XP.

Often, IT administrators cannot update or patch these systems for fear of voiding the device’s warranty, making equipment manufacturers a weak link in the medical industry when it comes to securing the environment.

As more data moves through networks, the healthcare sector is struggling to keep up with needed security strategies, technologies and resources that address the level of sophistication fuelled by digitisation.

Data breaches caused by unencrypted mobile applications, phishing and more have exposed tens of millions of patient and medical records in 2017 alone. It stands to reason that the healthcare sector would invest in skills, tools and solutions that protect their applications and environments.

However, the responses from nearly 200 security executives from the healthcare sector - almost 90% having executive authority to direct security activities and investments - demonstrate that this is not the case.

In fact, healthcare lags behind other industries such as retail and financial services when it comes to mitigating risk. Just 27% of respondents had confidence they could safeguard patients’ medical records even though nearly 80% are required to be compliant with regulations.

Further analysis of the feedback paints a portrait of a sector ill at ease with the growing security demands being placed on its institutions. Nearly two-thirds of respondents have little to no confidence they could rapidly adopt security patches and updates without having an operational impact, while 70% said less than 50% of data loss incidents over the past 24 months were fully tracked and patched.


Beyond addressing existing threats and vulnerabilities that have impacted the healthcare industry over the years, many respondents see a growing threat from emerging technologies.

One of these is bots, a type of software application that runs automated tasks over the internet. These are typically simple tasks that can be repeated many times, at a much higher rate than a human could achieve. Now, 36% of network traffic in healthcare comes from bots.

But there are ‘good’ bots and ‘bad’ bots. Good bots serve critical functions, such as online chatbots to help patients who don’t need to see a doctor, and search engine spiders. However, for every good bot in the world, there is a bad bot wreaking havoc through attacks such as web scraping – literally scraping people’s details from a network.

However, only 20% of respondents could identify with certainty whether the bots they see are good or bad. And, because there is more encrypted traffic in healthcare, there is a significant concern regarding encrypted threats and attacks on the application layer.

So, what can healthcare providers do? With so much public scrutiny following the WannaCry attack earlier this year, there’s much to do to win the public’s trust. Starting with the basics has to be a priority; otherwise the adoption of more sophisticated healthcare technology will only fail.

This should comprise a security gap assessment, identifying and analysing where risks exist in processes, systems and security tools. This should include Web Application Firewall requirements and maintenance, frequency of policy and signature updates across all security devices, and the ability to distinguish between good and bad bots.
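As an added illustration of the good-bot/bad-bot distinction the gap assessment calls for (example code, not from the article or Radware): a minimal classifier over constructed access-log lines that treats a crawler User-Agent as a claim to be verified against reverse DNS, and flags unverified clients that enumerate patient-record URLs. The log lines, the reverse-DNS table, the crawler suffixes and the threshold are all constructed assumptions; a production check would also confirm the forward lookup and rate-limit rather than merely label.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the article): client IP, User-Agent, request path.
SAMPLE_LOG = [
    '203.0.113.10 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" /about',
    '203.0.113.10 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" /services',
    '198.51.100.7 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" /patients/1001',
    '198.51.100.7 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" /patients/1002',
    '192.0.2.55 "Mozilla/5.0 (Windows NT 10.0) Chrome/70.0" /patients/42',
    '192.0.2.55 "Mozilla/5.0 (Windows NT 10.0) Chrome/70.0" /patients/43',
    '192.0.2.55 "Mozilla/5.0 (Windows NT 10.0) Chrome/70.0" /patients/44',
    '192.0.2.55 "Mozilla/5.0 (Windows NT 10.0) Chrome/70.0" /patients/45',
    '192.0.2.99 "Mozilla/5.0 (Windows NT 10.0) Chrome/70.0" /patients/7',
]

# Constructed reverse-DNS answers standing in for a real PTR lookup (assumption).
RDNS = {
    "203.0.113.10": "crawl-203-0-113-10.googlebot.com",
    "198.51.100.7": "vps-7.hosting.example.net",
}

# Crawlers whose fetchers resolve to published DNS suffixes (illustrative values).
KNOWN_CRAWLERS = {"Googlebot": (".googlebot.com", ".google.com"),
                  "bingbot": (".search.msn.com",)}

LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\S+)$')
SENSITIVE_PREFIX = "/patients/"   # record URLs a scraper would enumerate

def classify_log(lines, rdns, scrape_threshold=3):
    """Return {ip: label}; labels are verified-bot, spoofed-bot, scraper or human."""
    ips, claimed, sensitive_hits = set(), {}, Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than guess
        ip, ua, path = m.groups()
        ips.add(ip)
        for name in KNOWN_CRAWLERS:       # a crawler UA is only a claim
            if name in ua:
                claimed[ip] = name
        if path.startswith(SENSITIVE_PREFIX):
            sensitive_hits[ip] += 1
    labels = {}
    for ip in ips:
        if ip in claimed:                 # verify the claim against reverse DNS
            ok = rdns.get(ip, "").endswith(KNOWN_CRAWLERS[claimed[ip]])
            labels[ip] = "verified-bot" if ok else "spoofed-bot"
        elif sensitive_hits[ip] >= scrape_threshold:
            labels[ip] = "scraper"        # unverified client walking record URLs
        else:
            labels[ip] = "human"
    return labels
```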


Additionally, they should ensure that security and application development teams have a real-time communications methodology to minimise threats to mobile, web, and third-party applications. And, finally, develop a realistic budget that ties security investment to quantifiable ROI but also accounts for emerging threats and new technologies.

All of this will take cash, but when the threat of breaches is so high, and public expectations are high too, it’s no longer an avoidable expenditure.
