Irregular application testing leaves NHS trusts vulnerable to cyber attacks

Published: 31-Jan-2017

New research reveals nearly half of NHS trusts only scan internal apps once a year for security-related defects

  • Veracode asked NHS trusts how often they scanned systemsn for application vulnerabilities
  • 45% only scanned for problems once a year
  • Only 8% scanned on a daily basis
  • Results highlight risks of cyber attacks

Shocking new research reveals that 45% of NHS trusts scan for application vulnerabilities only once every year, leaving systems open to attacks by cyber thieves.

Veracode released the results of its research this week, also revealing that only 8% of healthcare organisations scan for problems on a daily basis.

In light of recent ransomware and other cyber attacks on healthcare organisations, the industry’s low scores on these application security benchmarks is troubling

This potentially leaves them with outdated software and at an increased risk of a cyber attack, potentially exposing patient data to the wrong hands.

The new findings were gleaned from a Freedom of Information (FoI) request submitted to 36 NHS trusts, with 27 responding.

The responses also revealed that half of health trusts also only scan web perimeter apps once a year as well, leaving patient data at risk of cyber attacks through legacy websites and third-party plug-ins.

There are some promising results, however, with the request also revealing that 12% of trusts scan web application perimeters daily, demonstrating a growing awareness of the role application security plays to safeguard sensitive patient data.

These findings coincide with the recent Veracode State of Software Security report, which revealed healthcare as an industry once again has the lowest vulnerability fix rate globally, with the second-lowest OWASP pass rate and the highest prevalence of cryptographic and credentials management issues.

The report presented metrics drawn from code-level analysis of billions of lines of code across 300,000 assessments performed over the last 18 months, revealing that two-thirds - 67% - of healthcare applications failed OWASP policy compliance.

The below percentages detail the prevalence of high profile vulnerabilities within the global healthcare industry, based on first-time application scans:

  • Cross-site: 45.4%
  • SQL Injection: 28.4%
  • Cryptographic credentials: 72.9%
  • Scripting issues management: 47.7%

The NHS was also one of the worst-performing sectors in terms of the number of data breaches reported to the ICO last year, contributing to 64% of the total figure in the April 2015-March 2016 period.

There appears to be a lack of emphasis on application and web app scanning within the NHS, which could put trusts at an increased risk of losing patient data to hackers

Health Secretary, Jeremy Hunt, has also recently announced that data from approved health apps will now feed directly into personal health records, with the NHS website soon to allow patients to book appointments, access medical records and order prescriptions. Indeed, he has called for the NHS in England to be paperless by 2018.

“In light of recent ransomware and other cyber attacks on healthcare organisations, the industry’s low scores on these application security benchmarks is troubling,” said Paul Farrington, manager of EMEA solution architects at Veracode.

“Our new research certainly raises fresh concerns regarding the safety of patient information here in the UK, as well as across the globe.

“There appears to be a lack of emphasis on application and web app scanning within the NHS, which could put trusts at an increased risk of losing patient data to hackers.

“The Information Commissioner’s Office has the authority to fine trusts up to £500,000 for data breaches, so there’s even more of a reason for trusts to ensure they’ve placed an emphasis on their cyber hygiene.

“With hospitals correctly demanding rigorous sterilisation of surgical instruments and cleanliness from staff to fight the risk of infections spreading, the same should be considered when assessing their digital cleanliness to defend against the growing - and changing - threat of cyberattackers.”

You may also like