Many NHS trusts are failing to scan internal apps for security-related defects or scan web perimeter apps regularly, potentially exposing patient data to cyber breaches
Nearly half of NHS trusts scan internal apps for security-related defects only once a year, a freedom of information (FoI) request by code scanning firm Veracode has revealed.
With 45% scanning only once a year and less than 8% doing so on a daily basis, NHS trusts are potentially left with outdated software, putting patient data at risk due to an increased likelihood of cyber attack.
The findings were drawn from 27 responses to FoI requests sent to 36 NHS trusts.
The responses also revealed that half of health trusts scan web perimeter apps only once a year, leaving patient data at risk of cyber attacks through legacy websites and third-party plugins.
However, the responses revealed that 12% of trusts do scan web application perimeters daily, demonstrating a growing awareness of the role application security plays in protecting patient data.
The recent Veracode State of Software Security report revealed that the healthcare industry once again has the lowest vulnerability fix rate globally.
The healthcare industry also has the highest prevalence of cryptographic and credentials management issues and the second-lowest pass rate when checked against the top 10 most critical web application security risks identified by the Open Web Application Security Project (Owasp).
The software security report presented metrics drawn from code-level analysis of billions of lines of code across 300,000 assessments performed over the past 18 months, revealing that two-thirds of healthcare applications failed Owasp policy compliance.
First-time application scans revealed the prevalence of high-profile vulnerabilities such as cross-site scripting (XSS) (45.4%) and SQL injection (28.4%).
The NHS was also one of the worst performing sectors in terms of the number of data breaches reported to the Information Commissioner’s Office (ICO) in 2016, contributing to 64% of the total figure in the April 2015-March 2016 period.
The health secretary Jeremy Hunt recently announced that data from approved health apps will now feed directly into personal health records and that the NHS website will soon allow patients to book appointments, access medical records and order prescriptions.
In January 2013, Hunt called for the NHS in England to be paperless by 2018.
“In light of recent ransomware and other cyberattacks on healthcare organisations, the industry’s low scores on these application security benchmarks is troubling,” said Paul Farrington, manager of Europe, Middle East and Africa solution architects at Veracode.
“Our research certainly raises fresh concerns regarding the safety of patient information in the UK, as well as across the globe.
“There appears to be a lack of emphasis on application and web app scanning in the NHS, which could put trusts at an increased risk of losing patient data to hackers,” he said.
While hospitals demand rigorous sterilisation of surgical instruments and cleanliness from staff to fight the risk of infections spreading, Farrington said many are not doing the same to ensure digital cleanliness to defend against the growing – and changing – threat of cyber attackers.
In June 2016, a survey revealed that IT and security professionals are at odds over application security.
The main differences are around frequency of security updates, time taken to tune application security systems and the size of vulnerability backlogs.
While half of IT professionals update applications once a month, 50% of security professionals feel they need to update applications at least once per day, if not multiple times a day, revealed the survey report by application security firm Prevoty.
The report notes that according to Verizon’s 2016 Data Breach Investigation Report, web applications are linked to the most breaches, accounting for more than 40% of breaches in 2015.