Expecting the Unexpected

In a video interview with Pharma Commerce, Jeffrey Bernstein, director of cybersecurity and data privacy for Kaufman Rossin’s risk advisory services, outlined the top mistakes healthcare organizations make in software development and maintenance from a security standpoint, including a lack of incident response plan; inadequate data encryption; absence of multi-factor authentication; neglecting security development lifecycle (SDL) practices; infrequent security updates and patching; and ignoring regulatory compliance. Bernstein emphasized that proactive security measures and regulatory compliance are essential for healthcare software management. He also dove into some of the most common cyber threats companies are facing, and how he envisions those threats changing over the next decade.

A transcript of Bernstein’s conversation with PC can be found below

PC: What are the top mistakes healthcare organizations make when building and maintaining their software?

Bernstein: I think one of the most significant errors that healthcare organizations make is neglecting security by design and privacy by design principles, so when I look at those top five mistakes, I'm going to apply them to a security perspective. There may be other things, like user testing and other non-security related issues that are important too. These are security focused. First is lack of an incident response plan and having procedures there. Security incidents and events are always going to occur, so it's critical to have a plan and procedures that'll govern what activities should take place when a breach occurs. A good incident response plan will also identify key stakeholders inside and outside of the organization, including law enforcement. Inside would be people like the C-Suite, HR, corporate counsel, etc. Having an incident response plan is critical, because there are always going to be security incidents and events, and if you don't have one, you're in big trouble. The other part of that is having a partner to help you respond if you don't have internal capabilities.

The second one is inadequate data encryption. I think if you look at healthcare software, it often handles sensitive data, including PHI [protected health information]. Failing to implement strong encryption for data that's in transit and at rest is a big mistake. You want to make sure that your sessions, those communications and that this data is not going to be stolen, snooped, or leaked in any way. The third one is really the most impactful piece. When I look at the security investigations that we perform, over and over, we come into a situation where there's a breach, and we determined very quickly that multi-factor authentication was not implemented. Multi-factor authentication is a very simple solution. If these organizations are building applications without it and we’re not requiring it at the end user side, they're making a big mistake. Many of these breaches could be avoided. These compromises could absolutely be avoided if there was multi-factor authentication offered as a feature.

The fourth one is just SDL security practices. When bringing an application or software to the marketplace, it's very critical to have independent security penetration tests performed on those applications before you bring those applications into live production environments. What I mean by that is we do application security penetration tests to see what type of deficiencies, vulnerabilities, and flaws may exist within the software before they are put into production. The other thing is not performing just security tests, but also performing secure code reviews. There’s a saying that says the code never lies, and it's true. If you perform secure code reviews, static reviews, and dynamic reviews, it's a critical part of this, and you'll always identify the flaws, the vulnerabilities, and deficiencies that will allow attackers to access those applications in an unauthorized manner, leak data, and really create chaos on your application.

The other part of the application security process is that as these applications are updated, when new releases are made, it's critical to review those code modules of those updates. Whether they're security updates, functionality updates, if you're not reviewing those code modules as they're put into production, you're making a big mistake. That's four, I've got two more. The fifth one would be just lack of regular security updates and patching. Failure to apply regular updates and patches to software will leave it vulnerable to known exploits, so it has to be done often. Every day, there are new critical vulnerabilities being announced. If you're not patching the software, you're making a big mistake. That's five. I just want to throw in a sixth one, which is really also equally important to the others, and maybe more important in a lot of ways.

When we work with clients, they hire us for two reasons. One is to secure their infrastructure, their applications, and software, but two is to comply with the regulatory mandates that govern them. If you look at regulatory compliance, it has to be on your top list of priorities to be in compliance with the various legal and regulatory mandates that may affect you. In healthcare, it’s HIPAA here in the US. Over in the EU, you have GDPR, and having an expert, trusted advisor can help the organization avoid the pitfalls of being out of compliance with these regulations, but definitely don't ever neglect compliance.