Nearly half (45 percent) of NHS trusts scan for application vulnerabilities just once a year. Less than eight percent do so on a daily basis.
New findings were gathered following a Freedom of Information (FoI) request submitted to 36 NHS trusts, with 27 responding. The findings coincide with the recent State of Software Security report from Veracode.
The Veracode report draws on code-level analysis of billions of lines of code across 300,000 assessments performed over the previous 18 months; within that data set, 67 percent of healthcare applications failed OWASP policy compliance.
Half of health trusts only scan web perimeter apps once a year, which leaves patient data at risk of cyber-attacks via legacy websites and third-party plugins.
The NHS was one of the worst-performing sectors in terms of the number of data breaches reported to the ICO last year, accounting for 64 percent of the total in the April 2015 to March 2016 period.
Based on first-time application scans, the prevalence of high-profile vulnerability categories across the global healthcare industry was: cross-site scripting (45.4 percent); SQL injection (28.4 percent); cryptographic issues (72.9 percent); and credentials management (47.7 percent).
Twelve percent of trusts scan web application perimeters on a daily basis, demonstrating a growing awareness of the role application security plays to safeguard sensitive patient data.
“Our new research certainly raises fresh concerns regarding safety of patient information here in the UK, as well as across the globe. There appears to be a lack of emphasis on application and web app scanning within the NHS, which could put trusts at an increased risk of losing patient data to hackers,” said Paul Farrington, manager, EMEA solution architects, Veracode.
“The Information Commissioner's Office has the authority to fine trusts up to £500,000 for data breaches, so there's even more of a reason for trusts to ensure they've placed an emphasis on their cyber hygiene. With hospitals correctly demanding rigorous sterilisation of surgical instruments and cleanliness from staff to fight the risk of infections spreading, the same should be considered when assessing their digital cleanliness to defend against the growing, and changing, threat of cyber-attackers.”