
What are Solutions for AppSec Challenges in the Healthcare Industry?

by Micro Focus Employee in CyberRes

In part one of my blog series, “Application Security Challenges in the Healthcare Industry,” I looked at common application security issues in healthcare, including outdated and complex systems or components with known vulnerabilities and the lack of a managed application security testing program. 

Now let us look at some of the solutions to these challenges, and at how Fortify helps secure healthcare applications while meeting the regulatory compliance requirements that apply in healthcare.

Best Practices for Security Assurance for Healthcare Applications

These are some of the prioritized best practices that CyberRes advocates for application security assurance in the healthcare industry. They include, but are not limited to:

  1. Encryption: Healthcare data in applications/APIs must be encrypted in transit, at rest and during processing. Data at rest should be protected with strong encryption such as AES or RSA, while data in transit should use the latest version of TLS.
  2. DevSecOps: The focus in the healthcare industry must be on building security in by shifting left as early and as far as possible in the SDLC. This is where Fortify's range of products provides out-of-the-box integration with the most commonly used DevOps frameworks, tools and SDKs, both on-premises and in the cloud.
  3. Session Management: Implement watertight security controls for session management across the healthcare application. To keep session IDs from disclosing or compromising PII/PHI data, session identifiers (IDs or tokens) must follow these best practices, which include but are not limited to:
  • Avoid session ID names that fingerprint the framework; use a long session ID; generate the ID from a random source with sufficient entropy; keep the ID content (value) unpredictable; use cookies, which allow advanced token properties such as an expiration date and time or granular usage constraints; use the built-in session management of the web development framework; use Transport Layer Security; and set the Secure, HttpOnly, SameSite (to mitigate cross-origin information leakage), Domain and Path cookie attributes.
  4. RBAC and MFA: Implement role-based access control along with multi-factor authentication (biometric, OTP, TOTP, etc.) across the healthcare application.
  5. Regular Remediation: Maintain a well-defined, managed vulnerability management process for healthcare applications, with sub-processes for prioritization and remediation. Define vulnerability severities and SLAs for their remediation.
  6. Software Security Assurance: Conduct regular SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing) and SCA (Software Composition Analysis) scans of the code, applications, software, APIs and open-source components used in interconnected healthcare applications and IoT devices.
  7. Healthcare Compliances: Several compliance regimes and standards are widely followed in the healthcare industry to secure healthcare data and applications. They specify critical application security controls that Fortify fulfils, helping healthcare applications and organizations become secure and compliant. Some of these healthcare-specific and global compliances are:

  • NIST
  • COBIT
  • HIPAA
  • ISO 27001
  • CCPA
  • HITRUST
  • GDPR
  • Quality System Regulation (QSR) for medical devices
  • CIS
  • PCI and local compliances

Note: At the end of this blog, we discuss the approach we follow to help our customers and partners comply with global and healthcare-specific compliance regimes and standards using Fortify.
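The session management practices in item 3 above are concrete enough to check mechanically. The following is an added example (not code from the original post or from Fortify) that generates a session ID the way the list asks for and audits a Set-Cookie header value against those practices; the list of fingerprinting cookie names and the minimum-length threshold are assumptions chosen for illustration.

```python
import secrets

# Default cookie names that reveal the underlying framework (assumption: a
# starter list of common defaults; extend it for the frameworks in use).
FINGERPRINT_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid",
                     "cfid", "cftoken", "connect.sid"}
# ~16 random bytes once base64-encoded, i.e. 128 bits (assumed policy floor).
MIN_ID_CHARS = 22


def new_session_id(nbytes: int = 32) -> str:
    """Unpredictable session ID from the OS CSPRNG (256 bits by default)."""
    return secrets.token_urlsafe(nbytes)


def set_cookie_header(name: str, value: str, domain: str, path: str = "/") -> str:
    """Build a Set-Cookie value carrying the attributes the best practices call for."""
    return (f"{name}={value}; Secure; HttpOnly; SameSite=Strict; "
            f"Domain={domain}; Path={path}")


def audit_set_cookie(header: str) -> list:
    """Check one Set-Cookie value and return a list of findings (empty = clean)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    if name.lower() in FINGERPRINT_NAMES:
        findings.append(f"name '{name}' fingerprints the framework")
    if len(value) < MIN_ID_CHARS:
        findings.append("session ID too short")
    if value.isdigit():                      # counter-style IDs are guessable
        findings.append("session ID looks sequential/predictable")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax")
    if "path" not in attrs:
        findings.append("missing Path")
    return findings


if __name__ == "__main__":
    # Constructed sample values: a weak header beside a hardened one.
    print(audit_set_cookie("PHPSESSID=12345; Path=/"))
    print(audit_set_cookie(set_cookie_header("sid", new_session_id(), "portal.example")))
```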

Fortifying Healthcare Applications

We at CyberRes are intensely focused on fortifying healthcare applications and are working continuously on the most practical ways of achieving security assurance. Our focus areas are:

  • Continuous visibility of the healthcare organization's digital footprint (known and unknown), with an up-to-date inventory so that its security can be managed effectively.
  • A sustainable ecosystem of integrated tools and technologies that continuously secures the software supply chain by assessing the security of acquired applications or web services before they are integrated with the backbone network.
  • Shifting SAST and DAST left as far and as quickly as possible, so that security keeps pace with DevOps in healthcare apps and does not go unnoticed in any phase of the SDLC.
  • Enhanced governance of the CI/CD pipeline, by automating the continuous integration and deployment of applications and implementing security and quality gates in the pipeline.
  • Securing API endpoints, open-source composition analysis and third-party integrations.
  • Fortifying legacy healthcare apps by implementing proper security controls and validating them with legacy-sensitive scan profiles in Fortify WebInspect.
  • Ensuring compliance with the various healthcare technical standards and regulations.

Fortify For Healthcare

We at CyberRes have a large range of tools and technologies in our product portfolio that can be tailored to ensure conformance to industry best practices and compliance with all the focus areas and relevant technical controls of global standards, securing healthcare applications and the industry at large. Each Fortify product brings application security to a phase of a typical SDLC and can be customized according to the industry. They are:

  • Static Code Analyzer (SCA): analyzes source code for security vulnerabilities and provides SAST, i.e. static application security testing.
  • WebInspect: provides dynamic application security testing (DAST). It analyzes applications in their running state and simulates modern attacks against a healthcare application to find vulnerabilities. It also includes an IAST agent that sits on the web server and continuously analyzes the running applications for vulnerabilities.
  • Software Security Center: a holistic application security management platform, included with the on-premises solutions, that gives complete visibility of application security risks in one place.
  • Fortify Software Composition Analysis: scans open-source components, third-party libraries and dependencies in source code for vulnerabilities, with Sonatype and Debricked.
  • Fortify on Demand (FoD): Application Security as a Service, including SAST, DAST, MAST (Mobile Application Security Testing) and open-source composition analysis with Debricked.
  • Fortify Hosted: a software-as-a-service offering of the Fortify portfolio in which we deploy the Fortify solution to the cloud and region of your choice. It exists to meet stringent data localization requirements, or the need to keep the infrastructure and its associated components within a specific region and cloud.

Fortifying Healthcare Compliance

Fortify meets the technical security controls of various standards and compliance regimes, both global and specific to the healthcare industry.

Why is it important to comply with a particular standard?

  • Healthcare standards not only help avoid hefty fines but also prepare the organization against adversaries.
  • Another benefit is maturing the security posture at a more consistent and measurable rate.
  • They also help in gaining attestation from globally recognized standards bodies, which provides additional credibility for healthcare organizations.
  • Healthcare standards and global frameworks avoid the labour-intensive task of designing a cybersecurity roadmap from scratch.
  • Complying with framework requirements helps healthcare organizations assess their security posture and identify areas of compliance and non-compliance at an earlier stage.

Let us now look at one of these standards, NIST SP 800-53 Rev. 5 (National Institute of Standards and Technology Special Publication 800-53 Revision 5), and at how Fortify maps to its healthcare-relevant application security requirements and technical controls.

NIST SP 800-53 originally defined security controls that applied only to federal and government agencies. The latest version, Revision 5, has a much broader focus that also covers non-government entities, including the healthcare sector, and integrates privacy controls alongside security controls for applications, systems and organizations.

Fortify complies with all the applicable technical security control families and their base controls laid down by NIST, which include:

Control Family | Control Identifier | Control (or Control Enhancement) Name
--- | --- | ---
CF-1: Access Control | AC-2 | Account Management
 | AC-3 | Access Enforcement
 | AC-4 | Information Flow Enforcement
 | AC-6 | Least Privilege
 | AC-7 | Unsuccessful Logon Attempts
 | AC-8 | System Use Notification
 | AC-10 | Concurrent Session Control
 | AC-14 | Permitted Actions Without Identification or Authentication
 | AC-16 | Security and Privacy Attributes
 | AC-21 | Information Sharing
 | AC-23 | Data Mining Protection
CF-2: Awareness and Training | AT-2 | Literacy Training and Awareness
 | AT-3 | Role-based Training
 | AT-4 | Training Records
 | AT-6 | Training Feedback
CF-3: Audit and Accountability | AU-2 | Event Logging
 | AU-3 | Content of Audit Records
 | AU-4 | Audit Log Storage Capacity
 | AU-8 | Time Stamps
 | AU-9 | Protection of Audit Information
 | AU-10 | Non-repudiation
 | AU-11 | Audit Record Retention
 | AU-12 | Audit Record Generation
 | AU-13 | Monitoring for Information Disclosure
CF-4: Assessment, Authorization, and Monitoring | CA-8 | Penetration Testing
 | CA-9 | Internal System Connections
CF-5: Configuration Management | CM-2 | Baseline Configuration
 | CM-3 | Configuration Change Control
 | CM-4 | Impact Analyses
 | CM-6 | Configuration Settings
 | CM-12 | Information Location
CF-12: Planning | PL-5 | Privacy Impact Assessment
 | PL-7 | Concept of Operations
 | PL-8 | Security and Privacy Architectures
 | PL-9 | Central Management
 | PL-10 | Baseline Selection
 | PL-11 | Baseline Tailoring
CF-13: Program Management | PM-4 | Plan of Action and Milestones Process
 | PM-6 | Measures of Performance
 | PM-7 | Enterprise Architecture
 | PM-9 | Risk Management Strategy
 | PM-13 | Security and Privacy Workforce
 | PM-14 | Testing, Training, and Monitoring
 | PM-15 | Security and Privacy Groups and Associations
 | PM-16 | Threat Awareness Program
 | PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research
 | PM-31 | Continuous Monitoring Strategy
 | PM-32 | Purposing
CF-15: Personally Identifiable Information Processing and Transparency | PT-2 | Authority to Process Personally Identifiable Information
 | PT-3 | Personally Identifiable Information Processing Purposes
CF-16: Risk Assessment | RA-2 | Security Categorization
 | RA-3 | Risk Assessment
 | RA-5 | Vulnerability Monitoring and Scanning
 | RA-7 | Risk Response
 | RA-8 | Privacy Impact Assessments
 | RA-9 | Criticality Analysis
 | RA-10 | Threat Hunting
CF-17: System and Services Acquisition | SA-3 | System Development Life Cycle
 | SA-4 | Acquisition Process
 | SA-5 | System Documentation
 | SA-8 | Security and Privacy Engineering Principles
 | SA-10 | Developer Configuration Management
 | SA-11 | Developer Testing and Evaluation
 | SA-12 | Supply Chain Protection
 | SA-14 | Criticality Analysis
 | SA-15 | Development Process, Standards, and Tools
 | SA-16 | Developer-provided Training
 | SA-17 | Developer Security and Privacy Architecture and Design
CF-18: System and Communications Protection | SC-23 | Session Authenticity
CF-19: System and Information Integrity | SI-2 | Flaw Remediation
 | SI-3 | Malicious Code Protection
 | SI-4 | System Monitoring
 | SI-7 | Software, Firmware, and Information Integrity
 | SI-10 | Information Input Validation
 | SI-11 | Error Handling
 | SI-15 | Information Output Filtering
CF-20: Supply Chain Risk Management | SR-2 | Supply Chain Risk Management Plan
 | SR-6 | Supplier Assessments and Reviews
 | SR-7 | Supply Chain Operations Security
 | SR-11 | Component Authenticity

We take seriously our responsibility to provide effective solutions for the healthcare industry. Accordingly, we hold the following certifications so that our customers can trust that their information is secure and stays confidential.

More About Fortify

CyberRes Fortify delivers software resilience for modern development with a holistic, inclusive, and extensible application security platform from a trusted partner that supports today’s enterprises. This comprehensive suite of products brings holistic security and visibility to developers, AppSec professionals and key stakeholders with automated integrations for any tool, anywhere in the SDLC and a robust set of capabilities available on-premises, SaaS and as-a-service.

Join our Fortify Community. Have technical questions about Application Security products? Visit the Fortify discussion forum. Keep up with the latest Tips & Info about Application Security. Check out our Fortify Unplugged YouTube channel, which highlights demos, use cases and thought leadership around AppSec.
