With the use of health technology booming amid COVID-19, we talk to Matias Madou, co-founder and CTO at Secure Code Warrior about some of the biggest cybersecurity threats facing the healthcare industry today…
1. What are the biggest cybersecurity threats facing the healthcare industry today?
The healthcare industry, like many others, is facing a catch-22. It is only through technology that the field of medicine has seen innovations that have altered life as we know it, but at the same time, it has become one of its biggest threats. In April, INTERPOL warned of a significant increase in cyber-attacks against hospitals involved in the COVID-19 response and that attacks could “directly lead to deaths.”
The sheer amount of connected medical devices has significantly increased security vulnerabilities due to the vast amount and importance of the data they hold, making them a major – and lucrative – target for cyberattacks. Alongside this has been the rise of SQL injections – a weakness in an application’s security that allows an attacker access to an app’s database.
This control can result in all sorts of issues, including deleting data or changing the behaviour of the application itself – which for a medical device can be extremely dangerous. As of March 2019, SQL injections accounted for nearly two-thirds (65.1%) of all web application attacks.
Unfortunately, hackers are continually trying to find new ways to compromise healthcare systems, so it is up to the industry’s IT leaders to take responsibility for solving the root of the problem – vulnerable code – and empowering developers with practices to ensure all code is safe from the outset.
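As an added illustration of the SQL injection weakness described in this answer (example code written for this page, not from the interview or from Secure Code Warrior), the block below runs a lookup against a constructed SQLite patient table two ways: once with the input concatenated into the SQL text, and once with a parameterised query plus an allow-list check on the identifier format. The table, column names and MRN format are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not real patient records.
SAMPLE_PATIENTS = [
    ("Alice Example", "MRN-0001", "hypertension"),
    ("Bob Example", "MRN-0002", "diabetes"),
]

# Assumed identifier format for this example: "MRN-" followed by four digits.
MRN_PATTERN = re.compile(r"^MRN-\d{4}$")


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, mrn TEXT, diagnosis TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (name, mrn, diagnosis) VALUES (?, ?, ?)", SAMPLE_PATIENTS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, mrn):
    """Vulnerable form: the caller-supplied value becomes part of the SQL text.

    An input such as "MRN-0001' OR '1'='1" turns the WHERE clause into a
    tautology and returns every patient row, not just the one requested.
    """
    sql = f"SELECT name, diagnosis FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, mrn):
    """Hardened form: reject malformed identifiers, then bind the value.

    The driver passes the bound value to the engine as data, so quotes or
    SQL keywords inside it can never change the query's structure.
    """
    if not MRN_PATTERN.match(mrn):
        raise ValueError("invalid MRN format")
    return conn.execute(
        "SELECT name, diagnosis FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()
```

Running both functions with the tautology input shows the vulnerable version returning both rows while the hardened version refuses the input outright; with a well-formed MRN both return the same single row.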
2. How can healthcare organisations ensure that the solutions they are using employ cybersecurity measures in the most effective ways?
Organisations need to be thinking long term about how to best maximise security. It is no good relying only on vulnerability scanning tools to secure your organisation’s IT infrastructure. Whilst they may be able to provide a quick fix to cybersecurity vulnerabilities, you cannot be sure they will be sensitive enough to pick up every part of the insecure code, and it can take a long time to remediate the backlog of vulnerabilities.
When buying solutions (software), the buyer tends to specify their security requirements in the contract. The buyer will then perform a spot-check to ensure those are met. This quite often pushes the creators of the software into doing reactive security, more than taking a proactive approach. The customer might say, “employ a static analysis solution and show us the outcome”. As a result, quite often the least performing static analysis solution will be used, and only what comes up will be fixed. It is better for the buyer of the software to work with and/or vet the company to see if they really want to create secure software, rather than do the bare minimum to get the contract across the line.
For healthcare organisations that are building applications, it is far better to ensure developers are writing functional and secure code from the outset, rather than try and put a plaster over the mistakes after the code has been written, much like a scanning tool does. It’s imperative to encourage developers to upskill their security capabilities as a way of increasing their organisation’s security posture, but also growing their own career as a highly valuable developer.
3. How can solution providers maintain a proactive approach to cyber security?
Whilst developers may be producing the insecure code, the blame does not squarely fall on them. Cybersecurity practices have to be implemented from the leadership team down in order for them to be effective. If leadership teams don’t take responsibility, the rest of the organisation is likely to follow suit.
It is not always easy to encourage developers to put security first, but demonstrating the danger and risks posed by ignoring it, particularly in the healthcare industry where lives are at risk, needs to be the first step. This should be followed up with teaching developers how to code securely in the most effective way. You are not likely to change a developer’s mindset with traditional teaching methods like classroom-based training, or hours of videos irrelevant to their day jobs. In order to captivate their attention, they must be given the opportunity to get hands-on, learn by doing, and receive dynamic exercises that mimic the code they would actually see. This is why all of Secure Code Warrior’s developer programmes are gamified, as it ensures the developer is engaged and actively testing their secure coding skills.
4. How can a start-left approach to coding securely help the healthcare industry?
The start-left approach is about taking a step back and remediating the problems of insecure code at their root. If developers are trained to be able to write secure, functional code from the outset, then vulnerabilities become increasingly unlikely to pose a significant risk to organisations and in turn their patients.
We cannot expect mousetrap-type scanning tools to alleviate all worries of insecure IT infrastructure, especially when the data is as private and confidential as healthcare data. Instead, it is a far better use of resources to encourage developers to widen their skillset and incorporate security into their everyday coding practices, otherwise known as the ‘DevSecOps’ approach.
5. Why is it important to take a DevSecOps approach to security in healthcare?
The DevSecOps approach involves prioritising security in every line of code that a developer ships. This is the only way to increase the chance that the code is entirely secure from the outset, and protects healthcare IT infrastructure from risking cybersecurity breaches in the future.
Security has traditionally been the responsibility of a small proportion of developers. Security experts are rare, and are, on average, outnumbered by developers at a ratio of 100 to 1. As a result, we can’t rely on security experts to pick up on code vulnerabilities once they have been written. By taking a comprehensive DevSecOps approach, you are sharing the responsibility between the whole developer team, and cutting out the extra resources that were previously needed to ensure security.
It’s important to remember that it is in everyone’s best interest for healthcare providers to be prioritising security and learning from the mistakes of the past.