Current State of Healthcare Data Security

A new report has been released by Veracode comparing government mobile application security with other industries. The report gives an insight into the state of healthcare data security, or perhaps the state that healthcare data security is in would be a better way of phrasing it. Veracode assessed the total number of mobile app security vulnerabilities discovered against those that had been addressed, and the healthcare industry fared only slightly better than the government sector, which came bottom of the list.

The use of cloud services and mobile applications can greatly improve productivity and efficiency and this can have a significant impact on patient outcomes. However, the Health Insurance Portability and Accountability Act (HIPAA) demands that all covered entities keep data secure.

Unless security testing for healthcare mobile apps takes place, vulnerabilities may be allowed to exist which could give hackers an entry point into the computer network. Unfortunately, when it comes to the cloud and mobile applications, a lot of security vulnerabilities exist.

The company produced the fourth volume of its State of Software Security report in 2011, but then the report was focused on the government sector. This time around, other industries were assessed as a means of comparison, making the report much more comprehensive and putting the mobile application security efforts of the government, and of other industries, into perspective.

In total, 34 industries were assessed, which were subsequently grouped together into seven vertical markets. Over 200,000 security incidents were analyzed during the study.

The Poor State of Healthcare Data Security

The government sector was found to have addressed only 27% of the mobile application security vulnerabilities that were discovered by Veracode’s software. The healthcare industry was second from bottom, not having addressed even half of the mobile application security issues discovered. Only 43% of the security risks have currently been mitigated, whereas the manufacturing industry has mitigated 81% of application security threats.

The report highlights the main issues with healthcare data security: code quality, cryptographic issues and information leakage are the main mobile application security threats. That said, numerous other security holes exist that can allow hackers to gain entry, according to the report: CRLF injection, XSS, directory traversal, insufficient input validation, SQL injection, credential management, and time and state vulnerabilities.

In the press release from Veracode announcing the release of the report, the state of healthcare data security was highlighted: “Given the large amount of sensitive data collected by healthcare organizations, it’s concerning that 80 percent of healthcare applications exhibit cryptographic issues such as weak algorithms upon initial assessment.”

There is clearly still a long way to go to improve data security before the full benefits of mobile devices and the cloud can be realized. Hopefully the next report will show significant progress has been made, but that is up to healthcare providers. With the HIPAA compliance audits looming ever closer, there may not be much time to get data security issues resolved if a HIPAA violation penalty is to be avoided.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news