More than half of healthcare applications currently open to attack

The Application Security Division of NTT Ltd. released AppSec Stats Flash Volume 10, the latest installment of the company’s monthly report and podcast reflecting on the current state of application security and the wider cyber threat landscape. NTT Application Security’s monthly analysis includes data from more than 400 million lines of code in applications spanning all industry sectors to provide comprehensive insight into the digital risks facing organizations today.

In AppSec Stats Flash Volume 10, NTT Application Security researchers take a closer look at the improving cybersecurity posture of applications in the healthcare industry, more than half of which currently contain a critical vulnerability.

Key findings of the analysis include:

52% of the applications in the healthcare industry have at least one serious vulnerability — rating ‘high’ or ‘critical’ on the Common Vulnerability Scoring System scale — open throughout the year
18% of critical vulnerabilities found in applications are fixed within one month of discovery, while 39% were remediated within the examined timeframe.
Healthcare has performed 14% better than the industry average on remediating critical risks in the past three months, a positive trend for healthcare, historically performing below average based on a rolling 12-month analysis.

“Healthcare is one of the most regulated industries in the U.S., and data breaches can quickly lead to lawsuits, revenue loss, and brand damage,” said Zach Jones, senior director of detection research. “To rise to the challenge posed by the critical need for accelerated digital transformation, healthcare organizations have had to reconfigure traditional procedures and protocols that have been in place for decades. We are glad to see an industry that is responsible for our most critical personal data is improving their application best practices.”

The most serious vulnerability healthcare organizations encountered in recent months was an abuse of functionality, which refers to an attack technique that uses a website’s own features against it after gaining access to an organization’s network through password-recovery flows. However, a far more common vulnerability in healthcare organizations’ applications is information leakage — a weakness where an attacker uses sensitive data to exploit their target, its hosting network or users.

According to NTT’s 2021 Global Threat Intelligence Report, 67% of global attacks in 2020 can be attributed to application-specific or web-application attacks. This is a dramatic increase from 2018, in which application vulnerabilities accounted for 32% of the share. Jones adds, “the healthcare industry should focus on improving the remediation rate for critical vulnerabilities found in web applications in order to reduce its overall breach exposure. The longer these threats go unresolved, the more likely they are going to be exploited by nefarious actors.”

For more information about NTT’s Application Security Division, please visit whitehatsec.com.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.