While we have seen many organizations in the healthcare industry with mature security postures, the healthcare industry as a whole continues to struggle with security. According to the latest release of Cigital’s Building Security in Maturity Model (BSIMM6), the healthcare industry lags behind other sectors when it comes to software security.
Based upon interviews with 104 respondents in software security across several industries, the BSIMM assessed software security practices in the areas of governance, intelligence, secure software development lifecycle, and deployment. Each area was assessed in depth; for example, governance included an assessment of compliance and policy, metrics, and training. This is the first time the BSIMM has been applied to the healthcare industry, and the findings from the 10 participating healthcare firms were less than favourable.
According to the study, healthcare organizations scored lower than other industries in all 12 software security practices. Gary McGraw, Cigital’s chief technology officer and author of the report, believes that healthcare organizations have been focused on patient data privacy, thanks to pressure from regulations such as HIPAA, but that this focus has come at the expense of software security. This is ironic, given that poor security can itself lead to the loss of patient data.
Despite the poor performance, there was recognition that the healthcare industry has a growing awareness of its need to improve. The report also draws on the organizations considered most mature in terms of software security, offering guidance on how to bolster this layer of security defences.
The report is based upon the premise that benchmarking is a valuable tool for security planning, which it is, but it is always important to remember that, though there will be overlap, each organization has its own unique risk profile and its own unique security needs. In a recent article, Absolute’s Stephen Treglia discussed the dangers of a “one size fits all” approach in healthcare, how to conduct security risk assessments (SRAs), and how to lay out layered defences based upon that assessment.
At Absolute, we work with organizations to provide unparalleled visibility into the entire device ecosystem. In healthcare, our persistent endpoint security and data risk management solution, Absolute DDS, is paired with expert support to respond to, and contain, security incidents. Each organization can customize the risk conditions that trigger a security alert and risk response, giving the ultimate in customized endpoint security control. Our risk assessment includes insight into the status of encryption and anti-malware and the use of non-compliant software. Learn more about Absolute DDS for Healthcare.