Improving Healthcare Application Security
Expert Discusses Gaps in Protecting Patient Data
Application security, especially for medical devices, needs to be a higher priority because vulnerable apps can create patient safety issues, expose sensitive patient information and raise the risk for ID theft and fraud, says security specialist Mike Weber, vice president at the consultancy Coalfire.
One key area that's often neglected by healthcare organizations when it comes to application security is the firmware used in medical devices, Weber says.
"To date, firmware in embedded devices has been overlooked," he says. The Food and Drug Administration has begun to shine a spotlight on this problem, including issuing recent voluntary guidelines calling on medical device makers to address the security of firmware before they submit their products for pre-market review by the FDA, he notes.
"If security controls are not built into [all healthcare] applications, not only can information be viewed by people not intended to view it, but information may be changed or updated," Weber says in an interview with Information Security Media Group. "That can result in exposure of a patient's private information ... and an attacker gaining enough information to carry out medical identity theft or billing fraud."
While all industries share many similar application security challenges, one of the biggest issues for healthcare is that data often needs to be integrated from many disparate sources, including patient monitoring systems and medical devices, Weber notes. All that multi-source data helps present "a singular vision" into a patient's healthcare, he says.
But along with that comes the challenge of authenticating the sources of real-time data, such as readings from medical sensors, to ensure that data is of "high integrity," he says.
If data being integrated into healthcare applications is coming from sources that are 'not trustworthy,' then decisions made by clinicians based on that data can be faulty, he says. "In healthcare that can include life-threatening decisions ... about treatment in general, and operations within a [medical] facility."
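The source-authentication step Weber describes, shown as an added example (not from the interview or from Coalfire): an integration gateway accepts a sensor reading only if it comes from a registered device, carries a valid HMAC over the reading, and is fresh, and it records why anything else was rejected. The device IDs, keys, freshness window and message layout are constructed assumptions.

```python
import hmac, hashlib, json
from dataclasses import dataclass

# Hypothetical per-device shared keys as an integration gateway might hold them
# (constructed sample values, not taken from any real device or system).
DEVICE_KEYS = {
    "pulse-ox-0142": b"constructed-key-pulse-ox",
    "infusion-0377": b"constructed-key-infusion",
}
MAX_SKEW_SECONDS = 30  # readings outside this window are treated as stale or replayed

@dataclass
class Reading:
    device_id: str
    ts: int
    payload: dict

def canonical(device_id: str, ts: int, payload: dict) -> bytes:
    # Stable serialization so the device and the gateway MAC identical bytes.
    body = {"device_id": device_id, "ts": ts, "payload": payload}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_reading(device_id: str, ts: int, payload: dict, key: bytes) -> dict:
    # What a device (or its adapter) would emit: the reading plus an HMAC-SHA256 tag.
    tag = hmac.new(key, canonical(device_id, ts, payload), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "ts": ts, "payload": payload, "tag": tag}

def verify_reading(msg: dict, now: int) -> Reading:
    """Return an authenticated Reading, or raise ValueError saying why it was rejected."""
    key = DEVICE_KEYS.get(msg.get("device_id"))
    if key is None:
        raise ValueError("unknown source: device not registered")
    expected = hmac.new(key, canonical(msg["device_id"], msg["ts"], msg["payload"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
        raise ValueError("integrity failure: tag mismatch")
    if abs(now - msg["ts"]) > MAX_SKEW_SECONDS:
        raise ValueError("stale reading: outside freshness window")
    return Reading(msg["device_id"], msg["ts"], msg["payload"])

def ingest(batch: list, now: int):
    # Only authenticated, fresh readings reach the clinical record; the rest are
    # quarantined with a reason so they can be alerted on rather than silently dropped.
    accepted, rejected = [], []
    for msg in batch:
        try:
            accepted.append(verify_reading(msg, now))
        except (ValueError, KeyError, TypeError) as exc:
            rejected.append((msg.get("device_id"), str(exc)))
    return accepted, rejected
```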
A lack of proper authentication and a deficiency of secure coding techniques in custom development are among the top application security problems Weber says he sees not only in healthcare, but other industries as well.
In the interview, Weber also discusses:
- How medical device security can be bolstered;
- Challenges involved with healthcare entities securing a mix of home-grown legacy applications, off-the-shelf applications, customized third-party software, and hybrid environments;
- How HIPAA privacy compliance requirements complicate application security in healthcare.
Weber is vice president of Coalfire Labs, the technical business unit of the risk management consulting firm Coalfire. He oversees a team that provides penetration testing, vulnerability assessment, incident response and forensics, and application security services. Previously, Weber held management positions at several other firms, including Critigen, CH2M HILL and DynCorp International.