How to measure software security in the healthcare industry

Posted by Synopsys Editorial Team on Thursday, May 11, 2017

In 2015, healthcare became the most attacked industry, replacing financial services. Since 2010, there have been at least eight healthcare industry breaches publically reported in the media. The 2016 Cyber Security Intelligence Index states that five of the eight breaches took place during the first half of 2015. During that period, over 100 million medical records were reportedly compromised.

Misalignment between HIPAA and software security

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. However, the compliance date of HIPAA’s Privacy Rule and Security Rule didn’t take effect until 2003. These rules were created as a way to implement and enforce industry-wide security safeguards on protected health information (PHI).

The Security Rule focuses on technical defenses around access controls and technology protecting electronic PHI. The requirements state the expectations, but not how to meet them. Thus, the rule’s guidelines can leave health organizations with the burden of implementing effective controls without enough guidance. Organizations may not have the current capability to determine what they are accomplishing from a software security perspective. This is where the Building Security In Maturity Model (BSIMM) becomes a valuable asset.

The BSIMM acts as a measuring stick, assessing security activities performed by an organization. The model also sheds light onto the wider software security community—quantifying practices of many different industry verticals. The BSIMM is not a how-to guide, nor is it a one-size-fits-all prescription. Instead, it is a reflection of the current state of software security. BSIMM measurements can help to plan, structure, and execute the evolution of an organization’s software security initiative (SSI). Over time, firms participating in the study show measurable improvement in their security stance.