Security Risks in Software DevelopmentSurvey: Using Real Data Poses Real Risks
Some 78 percent of U.S. healthcare organizations use real patient data when working on software development, while 65 percent use real data when testing applications, a recent survey of 462 IT staff at healthcare organizations shows.
Thirty-eight percent of those that use real data in development and testing say that such data had been lost or stolen at their organization. And that represents a serious threat to health information privacy.
Consider using de-identified, masked or dummy data rather than live data in the test and development process.
About half of survey respondents report their organization does not protect real data used in software development and testing. Only 13 percent mask sensitive or confidential data elements, while 46 percent take steps to control access to the data files and databases involved.
In addition, 49 percent report that their organization uses less stringent safeguards when protecting sensitive or confidential data used for software development and testing than they do in the "production" environment. Considering how common the loss or theft of such data apparently is, security safeguards clearly merit closer attention.
The Ponemon Institute conducted the survey for Informatica.
The study also finds that 34 percent of respondents always or frequently outsource the development and testing of applications, and in about half of those cases, they share real data with the outsourcer.
Only 29 percent use a cloud computing infrastructure or platform for software development and testing. Of those, 46 percent said they are not confident that data housed in the cloud environment is safe and secure.
Keeping Health Information SecureIn its report on the survey results, the Ponemon Institute offers some important reminders on how to keep patient information safe in compliance with HIPAA, including:
- Assign a single person to be responsible for safeguarding real data used in application testing and development;
- Create policies and procedures for the protection of the real data used;
- Educate employees about the importance of protecting this test data;
- Use encryption,data loss prevention, access management and other information security technologies;
- Consider using de-identified, masked or dummy data rather than live data in the test and development process.
That last point appears to be the most important tip to keep in mind, given this survey's results.