News Feature | November 9, 2015

Healthcare In Last Place According To Security Maturity Model

By Megan Williams, contributing writer

Healthcare In Last Place According To Security Maturity Model

The most recent set of data from BSIMM shows serious weaknesses in the healthcare sector.

“It’s more like a science experiment that escaped the test tube.” That’s how healthcare security is characterized by CTO of Citigal, Gary McGraw.

Fortify Software, along with Citigal, were responsible for launching the Building Security In Maturity Model (BSIMM), which recently released its sixth version. Their framework measures observable software security practices across specific core areas (12 in total) through a series of interviews with organizations’ software security heads. After this, most recent version, they have “a significant set of trending data” that can be used by organizations to evaluate their own programs, as well as compare to those at other organizations, according to Threat Post.

BSIMM now evaluates data on 104 organizations including Adobe, Cisco, Bank of America, and JP Morgan. For the first time, ten healthcare and consumer electronic organizations were represented including Aetna, Zephyr Health, and McKesson.

The industry is lagging behind other organizations in all four domains that BSIMM evaluates: intelligence, governance, deployment, and SSDL touchpoints. Each of those domains sits above three practice areas with 112 activities in all.

“Healthcare is falling short in all 12 practices we report on; in all 12 it’s behind the average. That is an opportunity and senior executives in the healthcare space know it’s an opportunity. We are not criticizing, but pointing out the state of how their world is instead. It’s time to start fixing it.”

The Healthcare Problem

McGraw points to federal initiatives as a root cause of healthcare’s poor ranking. “When you have a measurement that is objective and scientific, and can take that to senior executives and say ‘Here is our space compared to the rest of the world,’ we’re not seeing them get mad. They say they must fix it, make investments and work hard to solve the problem ... I’ve spoken to many board members and senior health care executives directly and I think in the beginning, the entire space was misled by HIPAA. When HIPAA came out, it got them to start thinking about patient privacy and protecting patient data and when they did that, they thought they were done.”

The Silver Lining

McGraw though, sees hope in the form of executives from other, more successful sectors moving into healthcare. These executives already understand the complex nature of security and are ready to go beyond base level compliance.