
What are Solutions for AppSec Challenges in the Healthcare Industry?

by   in Cybersecurity

In part one of my blog series, “Application Security Challenges in the Healthcare Industry,” I looked at common application security issues in healthcare, including outdated and complex systems or components with known vulnerabilities and the lack of a managed application security testing program. 

Now let us look at some of the solutions to these challenges and at how Fortify helps secure healthcare applications while meeting the regulatory requirements that apply to healthcare.

Best Practices for Security Assurance for Healthcare Applications

These are some of the prioritized best practices that CyberRes advocates for application security assurance in the healthcare industry. They include, but are not limited to:

  1. Encryption: Healthcare data handled by applications and APIs must be encrypted in TRANSIT, at REST and during PROCESSING. Data at rest should be protected with strong, current algorithms such as AES (or RSA for key exchange and signatures), while data in transit should use the latest version of TLS.
  2. DevSecOps: The healthcare industry must build security in by shifting left as early and as far as possible in the SDLC. Fortify supports this with out-of-the-box integrations for the most commonly used DevOps frameworks, tools and SDKs, both on-premises and in the cloud.
  3. Session Management: Implement strict session management controls across the healthcare application. To keep session identifiers (IDs or tokens) from being disclosed or compromised, which would expose PII/PHI data, they must follow these best practices, which include but are not limited to:
   • Avoid session ID names that fingerprint the framework.
   • Use a long session ID.
   • Generate session IDs from a cryptographically strong random source (high entropy).
   • Keep session ID content (or value) unpredictable and free of meaning.
   • Use cookies and their advanced token properties, such as an expiration date and time or granular usage constraints.
   • Use the built-in session management of the web development framework rather than a custom implementation.
   • Use Transport Layer Security.
   • Use the Secure cookie attribute.
   • Use the HttpOnly cookie attribute.
   • Use the SameSite cookie attribute to mitigate the risk of cross-origin information leakage.
   • Use the Domain cookie attribute.
   • Use the Path cookie attribute, etc.
  4. RBAC and MFA: Implement role-based access control together with multi-factor authentication (biometrics, OTP, TOTP, etc.) across the healthcare application.
  5. Regular Remediation: Maintain a well-defined and managed vulnerability management process for healthcare applications, with the associated sub-processes of prioritization and remediation. Define vulnerability severity levels and SLAs for remediating each level.
  6. Software Security Assurance: Conduct regular SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing) and SCA (Software Composition Analysis) scans of the code, applications, software, APIs and open-source components used in interconnected healthcare applications and IoT devices.
  7. Healthcare Compliance: A number of standards and regulations are widely followed in the healthcare industry to secure healthcare data and applications. All of them define critical application security controls, which Fortify addresses to help healthcare applications and organizations become secure and compliant. Some of these healthcare-specific and global standards are:
   • NIST
   • COBIT
   • HIPAA
   • ISO 27001
   • CCPA
   • HITRUST
   • GDPR
   • Quality System Regulation (QSR) for medical devices
   • CIS
   • PCI and local regulations
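As an added example of the first practice above (this is not Fortify's or the author's code), the following Go program protects a constructed sample PHI record at rest with AES-256-GCM and defines a server TLS policy for data in transit. The key-generation helper, the record contents and the identifier `EXAMPLE-0001` are all assumptions made so the program runs offline; in production the key would come from a KMS or HSM, and certificates would be loaded by the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record; a real application would read this from its data layer.
var samplePHI = []byte(`{"mrn":"EXAMPLE-0001","dob":"1970-01-01","diagnosis":"placeholder"}`)

// newDataKey returns a fresh 256-bit AES key. This helper exists only so the example runs
// offline; in production the key is issued and stored by a KMS/HSM, never by the application.
func newDataKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// sealAtRest encrypts plaintext with AES-256-GCM. A random 96-bit nonce is prepended to the
// output. aad (here the record identifier) is authenticated but not encrypted, which binds the
// ciphertext to its record so an encrypted blob cannot be silently swapped between records.
func sealAtRest(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAtRest reverses sealAtRest. Any change to nonce, ciphertext, tag or aad makes it fail,
// so corruption or tampering is detected before the data is ever used.
func openAtRest(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// transitConfig is the server-side policy for data in transit: TLS 1.3 only, which removes
// legacy cipher suites and renegotiation from the negotiation entirely. Certificates are
// loaded by the caller (for example with tls.LoadX509KeyPair) and are omitted here.
func transitConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13}
}

func main() {
	key, _ := newDataKey()
	aad := []byte("record:EXAMPLE-0001")
	sealed, _ := sealAtRest(key, samplePHI, aad)
	pt, err := openAtRest(key, sealed, aad)
	fmt.Println(string(pt), err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = openAtRest(key, sealed, aad)
	fmt.Println("tampered record:", err)
}
```

Running it prints the decrypted record followed by an authentication error for the tampered copy. Binding the record identifier as additional authenticated data is the detail worth copying: encryption alone would still let an attacker with database access move a valid ciphertext from one patient's row to another.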

Note: At the end of this blog, we discuss the approach we follow to help our customers and partners comply with global and healthcare-specific standards and regulations using Fortify.
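The session-management and RBAC/MFA practices above (items 3 and 4) fit together in one login flow, shown here as an added Go example that is not Fortify's or the author's code. It verifies a TOTP second factor (RFC 6238 over an RFC 4226 HOTP), issues a 256-bit random session ID stored server-side, sets the cookie attributes from the list, and gates an endpoint on the role held in the session. The secret, user name, role names and fixed clock are constructed test values, and the password check that precedes MFA is assumed to have already happened.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// hotp computes an RFC 4226 six-digit code: HMAC-SHA1 over the big-endian counter,
// then dynamic truncation on the low nibble of the last byte.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	return fmt.Sprintf("%06d", bin%1000000)
}

// verifyTOTP accepts the current 30-second step and one step either side for clock skew,
// comparing in constant time so timing does not reveal how many digits matched.
func verifyTOTP(secret []byte, code string, now time.Time) bool {
	step := uint64(now.Unix() / 30)
	for _, c := range []uint64{step - 1, step, step + 1} {
		if subtle.ConstantTimeCompare([]byte(hotp(secret, c)), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

type session struct {
	user, role string
	expires    time.Time
}

// sessionStore keeps all session state server-side; the cookie carries only an opaque ID.
type sessionStore struct {
	mu sync.Mutex
	m  map[string]session
}

func newSessionStore() *sessionStore { return &sessionStore{m: map[string]session{}} }

// newSessionID draws 256 bits from crypto/rand and encodes them URL-safe (43 characters),
// giving a long, unpredictable, meaning-free identifier.
func newSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// sessionCookie applies the attributes from the list: a generic name that does not fingerprint
// the framework, Secure and HttpOnly, SameSite=Strict, and a Path and lifetime that bound its use.
func sessionCookie(id string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name: "id", Value: id, Path: "/", MaxAge: int(ttl.Seconds()),
		Secure: true, HttpOnly: true, SameSite: http.SameSiteStrictMode,
	}
}

// login issues a session only after the second factor verifies.
func (s *sessionStore) login(user, role string, totpSecret []byte, code string, now time.Time, ttl time.Duration) (*http.Cookie, error) {
	if !verifyTOTP(totpSecret, code, now) {
		return nil, errors.New("second factor rejected")
	}
	id, err := newSessionID()
	if err != nil {
		return nil, err
	}
	s.mu.Lock()
	s.m[id] = session{user: user, role: role, expires: now.Add(ttl)}
	s.mu.Unlock()
	return sessionCookie(id, ttl), nil
}

// authorize is the RBAC gate: the session must exist, be unexpired and hold the required role.
// Expired entries are deleted on sight so they cannot linger in the store.
func (s *sessionStore) authorize(id, requiredRole string, now time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.m[id]
	if !ok || !now.Before(sess.expires) {
		delete(s.m, id)
		return false
	}
	return sess.role == requiredRole
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 reference secret, constructed test value
	now := time.Unix(59, 0)                  // fixed clock so the run is reproducible
	store := newSessionStore()
	c, err := store.login("dr.example", "clinician", secret, hotp(secret, 1), now, 15*time.Minute)
	fmt.Println(err, c.String())
	fmt.Println("clinician endpoint:", store.authorize(c.Value, "clinician", now))
	fmt.Println("admin endpoint:", store.authorize(c.Value, "admin", now))
	fmt.Println("after expiry:", store.authorize(c.Value, "clinician", now.Add(16*time.Minute)))
}
```

The printed cookie line shows the attributes actually sent to the browser (`Path=/; Max-Age=900; HttpOnly; Secure; SameSite=Strict`), which is the quickest way to review a session cookie during a code or DAST finding triage. A real deployment would also rotate the ID after login and enforce an idle timeout alongside the absolute one.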

Fortifying Healthcare Applications

We at CyberRes are intensely focused on fortifying healthcare applications and are continuously working on the most practical ways of achieving security assurance. Our focus areas are:

  • To have continuous visibility of a healthcare organization's digital footprint (known and unknown) and maintain an up-to-date inventory so that its security can be managed effectively.
  • To have a sustainable ecosystem of integrated tools and technologies that continuously secures the software supply chain by assessing the security of acquired applications or web services before they are integrated with the backbone network.
  • To shift SAST and DAST left as far and as quickly as possible, so that security keeps pace with DevOps in healthcare applications and is not overlooked in any phase of the SDLC.
  • To improve governance of the CI/CD pipeline by automating continuous integration and deployment and implementing security and quality gates in the pipeline.
  • To secure API endpoints, open-source components (through composition analysis) and third-party integrations.
  • To fortify legacy healthcare applications by implementing proper security controls and validating them with legacy-sensitive scan profiles in Fortify WebInspect.
  • To ensure compliance with the various technical standards and regulations that apply to healthcare.

Fortify For Healthcare

We at CyberRes have a broad portfolio of tools and technologies that can be tailored to industry best practices and to the focus areas and technical controls of the global standards and regulations that apply to healthcare applications and the industry at large. Each Fortify product brings application security to a phase of a typical SDLC and can be customized to the industry in question. They are:

  • Static Code Analyzer (SCA): analyzes source code for security vulnerabilities, i.e., provides static application security testing (SAST).
  • WebInspect: provides dynamic application security testing (DAST) by analyzing applications in their running state and simulating modern attacks against a healthcare application to find vulnerabilities. It also includes an IAST agent that sits on the web server and continuously analyzes the running application for vulnerabilities.
  • Software Security Center: a holistic application security management platform, included with the on-premises solutions, that gives complete visibility of application security risk in one place.
  • Fortify Software Composition Analysis: scans open-source components, third-party libraries and dependencies in source code for vulnerabilities, powered by Sonatype and Debricked.
  • Fortify on Demand (FoD): Application Security as a Service, including SAST, DAST, MAST (Mobile Application Security Testing) and open-source composition analysis with Debricked.
  • Fortify Hosted: a software-as-a-service offering of the Fortify portfolio in which we deploy the Fortify solution to the cloud and region of your choice. It exists to meet stringent data-localization requirements, or the need to keep the infrastructure and its associated components within a specific region and cloud.

Fortifying Healthcare Compliance

Fortify meets the technical security controls of various standards and regulations, both global and specific to the healthcare industry.

Why is it important to comply with a particular standard?

  • Healthcare standards not only help avoid hefty fines but also prepare the organization against adversaries.
  • Another benefit is a more consistent and measurable path to a mature security posture.
  • They also help in gaining attestation from globally recognized standards bodies, which lends additional credibility to healthcare organizations.
  • These healthcare standards and global frameworks avoid the labor-intensive task of designing a cybersecurity roadmap from scratch.
  • Complying with framework requirements helps healthcare organizations assess their security posture and identify areas of compliance and non-compliance at an earlier stage.

Let us now look at one of these standards, NIST SP 800-53 Rev. 5 (National Institute of Standards and Technology Special Publication 800-53, Revision 5), and at how Fortify maps to its healthcare-relevant application security requirements and technical controls.

NIST SP 800-53 was originally developed as a catalog of security controls for federal and government agencies. The latest revision (Revision 5) has a much broader scope that also applies to non-government entities, including the healthcare sector, and integrates privacy controls alongside the security controls for applications, systems, and organizations.

Fortify addresses the applicable technical security control families and their base controls laid down by NIST, which include the following (listed by control family, with the control or control-enhancement name):

CF-1: Access Control
  • Account Management
  • Access Enforcement
  • Information Flow Enforcement
  • Least Privilege
  • Unsuccessful Logon Attempts
  • System Use Notification
  • Concurrent Session Control
  • Permitted Actions Without Identification or Authentication
  • Security and Privacy Attributes
  • Information Sharing
  • Data Mining Protection

CF-2: Awareness and Training
  • Literacy Training and Awareness
  • Role-based Training
  • Training Records
  • Training Feedback

CF-3: Audit and Accountability
  • Event Logging
  • Content of Audit Records
  • Audit Log Storage Capacity
  • Time Stamps
  • Protection of Audit Information
  • Audit Record Retention
  • Audit Record Generation
  • Monitoring for Information Disclosure

CF-4: Assessment, Authorization, and Monitoring
  • Penetration Testing
  • Internal System Connections

CF-5: Configuration Management
  • Baseline Configuration
  • Configuration Change Control
  • Impact Analyses
  • Configuration Settings
  • Information Location

CF-12: Planning
  • Privacy Impact Assessment
  • Concept of Operations
  • Security and Privacy Architectures
  • Central Management
  • Baseline Selection
  • Baseline Tailoring

CF-13: Program Management
  • Plan of Action and Milestones Process
  • Measures of Performance
  • Enterprise Architecture
  • Risk Management Strategy
  • Security and Privacy Workforce
  • Testing, Training, and Monitoring
  • Security and Privacy Groups and Associations
  • Threat Awareness Program
  • Minimization of Personally Identifiable Information Used in Testing, Training, and Research
  • Continuous Monitoring Strategy

CF-15: Personally Identifiable Information Processing and Transparency
  • Authority to Process Personally Identifiable Information
  • Personally Identifiable Information Processing Purposes

CF-16: Risk Assessment
  • Security Categorization
  • Risk Assessment
  • Vulnerability Monitoring and Scanning
  • Risk Response
  • Privacy Impact Assessments
  • Criticality Analysis
  • Threat Hunting

CF-17: System and Services Acquisition
  • System Development Life Cycle
  • Acquisition Process
  • System Documentation
  • Security and Privacy Engineering Principles
  • Developer Configuration Management
  • Developer Testing and Evaluation
  • Supply Chain Protection
  • Criticality Analysis
  • Development Process, Standards, and Tools
  • Developer-provided Training
  • Developer Security and Privacy Architecture and Design

CF-18: System and Communications Protection
  • Session Authenticity

CF-19: System and Information Integrity
  • Flaw Remediation
  • Malicious Code Protection
  • System Monitoring
  • Software, Firmware, and Information Integrity
  • Information Input Validation
  • Error Handling
  • Information Output Filtering

CF-20: Supply Chain Risk Management
  • Supply Chain Risk Management Plan
  • Supplier Assessments and Reviews
  • Supply Chain Operations Security
  • Component Authenticity

We take seriously our responsibility to provide effective solutions for the healthcare industry. Accordingly, we hold the following certifications so that our customers can trust that their information is secure and stays confidential.

More About Fortify

CyberRes Fortify delivers software resilience for modern development with a holistic, inclusive, and extensible application security platform from a trusted partner that supports today’s enterprises. This comprehensive suite of products brings holistic security and visibility to developers, AppSec professionals and key stakeholders with automated integrations for any tool, anywhere in the SDLC and a robust set of capabilities available on-premises, SaaS and as-a-service.

Join our Fortify Community. Have technical questions about Application Security products? Visit the Fortify discussion forum.  Keep up with the latest Tips & Info about Application Security. Check out our Fortify Unplugged YouTube channel that highlights demos, use cases and thought leadership around AppSec. We’d love to hear your thoughts on this blog. Log in or register to comment below.
