Healthcare & Web Application Security: A Prescriptive Look at Application-Layer Security Risks
The healthcare sector spans a number of segments: payers, such as insurance companies; providers, such as hospitals and doctors; and manufacturers, both pharmaceutical and medical device and equipment makers. Because the industry deals with quality-of-life issues across the spectrum, access to real-time data, especially sensitive data such as patient records, requires both the security and the availability of in-house, Web, mobile, or cloud applications.
To understand what C-level security executives think about overcoming both these technological challenges while managing processes and people, Radware surveyed over 600 chief information security officers (CISOs) and other security leaders across six continents. This article provides an overview of key findings from Radware’s web application security report: Web Application Security in a Digitally Connected World.
THE DIGITAL PATIENT
The digital transformation has led to a staggering amount of video and images produced by the healthcare sector. The healthcare sector has created a virtual, always-connected world of medical equipment and devices that continually transmit unstructured, and potentially insecure, data 24/7/365. Beyond the data explosion, the healthcare sector must comply with a broad, highly specific set of governmental- and industry-led regulations and standards (e.g., HIPAA, GDPR, local regulations like the FDA guidelines in the US) that control the collection, use, sharing and transmission of sensitive personal and clinical information.
Healthcare providers have made large CAPEX investments in sophisticated medical equipment. Due to their long lifecycle, many of these devices are connected to old, unpatched systems. In fact, some still run on Windows XP.
Often, IT administrators cannot update or patch these systems for fear of voiding the device’s warranty, making equipment manufacturers a weak link in the medical industry when it comes to securing the environment.
As more data moves through networks both inside and outside the organization, the healthcare segment struggles to keep up with the security strategies, technologies and resources needed to address the level of sophistication fueled by digitization. Data breaches, ransomware and security vulnerabilities such as exposed websites, unencrypted mobile applications, phishing and more exposed tens of millions of patient and medical records in 2017 alone.
It stands to reason that the healthcare sector would invest in skills, tools and solutions that protect its applications and environments. Yet the survey of nearly 200 security executives from the healthcare sector (almost 90% having executive authority to direct security activities and investments) found that healthcare lagged behind other industries such as retail and financial services when it comes to mitigating risk. Just 27% of respondents were confident they could safeguard patients’ medical records, even though nearly 80% are required to be compliant with governmental regulations.
CONFIDENCE AND MITIGATING RISK
Analysis of survey feedback paints a portrait of a sector ill at ease with the growing security demands being placed on its institutions. Nearly two-thirds of respondents have little to no confidence they could rapidly adopt security patches and updates without an operational impact, while 70% said that less than 50% of data loss incidents over the past 24 months were fully tracked and patched (see Figure 1).
While 68% of respondents invested somewhat or significantly in security controls following major industry data breaches or attacks, only 21% use API gateways, 23% use WAFs and only 29% use both. Additionally, less than 40% analyze API vulnerabilities prior to integration, and less than 40% feel that they could detect or mitigate attacks such as brute force, Web scraping, encrypted Web attacks or API manipulation.
• Only 25% of respondents are fully aware of changes made to in-house applications and APIs within their software development environment.
• Sixty-one percent cannot track data shared with third parties once it leaves the corporate network, and 57% do not inspect data that is being transferred or returned via APIs.
THE RISE OF EMERGING THREATS
Beyond addressing the existing threats and vulnerabilities that have impacted the healthcare industry over the years, many respondents see a growing threat from emerging technologies. Bots, as in other industries, account for a growing share of generated traffic, with 36% of network traffic in healthcare coming from bots. However, only 20% of respondents can identify with certainty whether that 36% consists of good or bad bots.
Because there is more encrypted traffic in healthcare, there is significant concern regarding encrypted (SSL/TLS) threats and attacks on the application layer. Forty-one percent of respondents indicate that Layer 7 DDoS attacks have occurred more frequently over the past 12 months, yet only 30% are confident or very confident they could mitigate such an attack against the application layer. Sixty-two percent acknowledge that this type of attack would be the most difficult to prevent, detect and contain.