A quarter (25%) of healthcare apps contain high severity flaws, but healthcare organizations (HCOs) are relatively quick to fix them, according to new data from Veracode.
The security vendor broke out sector-specific data collected for its State of Software Security report and claimed that three-quarters (75%) of healthcare applications contained some kind of vulnerability.
This is about on par with the cross-sector average, which stands at 76%.
The sector fixes 70% of the flaws it finds, which puts it behind several other verticals in terms of total volume addressed. However, the flaws it does tackle are fixed faster, on average, than in any other industry except retail.
Veracode claimed that this is because apps in healthcare are often smaller in size, relatively new and have a lower density of bugs than software in verticals like tech, financial services, manufacturing and government.
HCOs do a better job than most at handling CRLF injection and cryptography-related bugs, both of which are important for protecting personally identifiable information (PII).
However, the sector is still not scanning apps for issues regularly enough and is the least likely of any vertical to scan for flaws in open source components. These are a major source of cyber risk: a Sonatype study last year found that a fifth (21%) of reported breaches over the previous 12 months were linked to the use of these third-party components.
Veracode argued that a failure to scan frequently for flaws means many are going unfixed and could therefore be exploited in future attacks.
This is bad news considering that data breaches in healthcare cost more than those in any other sector: they are estimated at over $7.1 million per incident, according to IBM.
“Hospitals and healthcare systems are considered soft targets by cyber-criminals because they often don’t have the budget or personnel to protect from attacks,” said Chris Wysopal, co-founder and chief technology officer at Veracode.
“The threat is obviously greater due to the lifesaving work in this industry. Healthcare companies need to double down on securing their code.”