Cybercriminals Are Attacking Healthcare (But We Can Fight Back)
A version of this article ran in Cyber Defense Magazine. It has been updated for syndication here.
Cyberattacks have become a way of life these days. People almost expect to hear news about some new vulnerability or breach that affects everything from banking to aviation, or devices as diverse as smartphones and traffic lights. Even our homes are no longer completely safe. Entire cities and towns are being attacked by criminals almost daily with attackers demanding millions in ransom to restore compromised critical services.
But one place where we could hopefully still feel safe was at the doctor's office or even in a hospital. People are at their most vulnerable when reaching out to a healthcare provider. Human decency would almost demand that the local clinicians be allowed to do their noble jobs in peace. Unfortunately, that is not happening. There seems to be little honor, or perhaps sheer desperation, among today's cyber-thieves. In fact, healthcare could be the next "great" cybersecurity battleground, with criminals attacking the very machines that diagnose medical problems, provide treatments and sustain life. With a sustained global health crisis unfolding before our eyes, this is something that is critical to address from multiple points.
Threats are getting more personal than ever before.
Attacks against the healthcare industry are not new. Cybercriminals already know the value that patient information, personal data, and financial records have in the underworld and on the dark web. That information can be used to steal money directly from patients, or as a launching point for secondary attacks such as phishing and other scams. It's no wonder then that many of the most devastating attacks lately have been aimed at healthcare. Anthem Healthcare had 80 million patient records stolen. Premera lost 11 million personal files. CareFirst's total was 1.1 million compromised records, and the list goes on and on.
As of right now, attacks made directly against medical devices seem rare. However, at least one report suggests that the problem might be much more widespread, with hospitals not reporting the intrusions, or employees untrained in cybersecurity simply not recognizing that an attack is taking place right in front of them. The ability to compromise medical devices in frightening ways, such as using malware to add fake tumors to CAT scans and MRI results, has been conclusively demonstrated by security researchers. It's not very much of a leap to think that attackers may already be doing the same or similar things to medical devices in the real world.
Healthcare is also uniquely vulnerable to cyberattacks thanks to its increasing reliance on devices within the Internet of Things (IoT), tiny sensors that are connected to the internet and which produce incredible volumes of information. For the most part, securing the information produced by those sensors, the channels they use to communicate, and even the sensors themselves, has been little more than an afterthought. The number of potential vulnerabilities hiding within those IoT-dominated networks that an attacker could exploit is likely almost limitless.
IoT in healthcare poses serious risks.
Services critical to patient care, which in some cases weren't even imagined 20 years ago, are breeding grounds for both IoT-based and other more traditional vulnerabilities. Electronic medical records, telemedicine, and mobile health were all seemingly waiting for the boost of information that IoT could provide. It's no wonder that the commitment to IoT in the healthcare sector is staggering. MarketResearch.com predicts that by next year, the IoT market in the healthcare sector will reach $117 billion, and continue expanding at a rate of 15% every year after that.
In that environment, skilled attackers can find plenty of vulnerabilities that can be used to exploit medical devices. IoT sensors embedded inside medical devices generally communicate and produce their data in one of two ways. Some gather data and then transmit all of their findings directly to the internet for analysis. Others use a form of distributed networking known as fog computing where the sensors themselves form a sort of mini-network, collectively deciding what data to share with a central repository or platform. That data can then be further processed or directly accessed by healthcare workers.
Further complicating cybersecurity matters within healthcare is the fact that the industry has never embraced, nor agreed upon, data handling standards, methods or protections. Historically, the healthcare industry has been served by manufacturers that offered their own proprietary technologies for medical devices. Today this includes the embedded IoT sensors, the communication channels the devices use and the platform for analyzing the data after it's collected. This makes most hospital networks a hacker's dream, or at least a fine proving ground where they can exploit everything from security misconfigurations to insufficient transport layer protection. They can try anything from cross-site request forgeries to the classic XML injection attacks.
The counter-punch we need is right in front of us.
Despite the potentially catastrophic consequences of these vulnerabilities being exploited, there is something to remain optimistic about: these security bugs are not new, powerful back doors opened by criminal masterminds. They're so common that it is frustrating to keep seeing them, time and time again. Part of the reason they rear their ugly heads is the use of legacy systems that have gone unpatched despite fixes being available, but the other part is once again related to the human factor. Developers are writing code at a cracking pace, and they're concentrating on a slick, functional final product... not security best practice.
There is simply too much software being built for AppSec specialists to be able to keep up, and we can't expect them to constantly save the day with these recurrent vulnerabilities. It is cheaper, more efficient and clearly much safer if these vulnerabilities are not introduced in the first place, and that means security teams and developers must go the extra mile to create a robust, end-to-end security culture.
What does a great security culture look like, exactly? Here are a few key elements:
- Developers are equipped with the tools and training they need to squash common bugs (and understand why it's so important to do so)
- Training is comprehensive, easily digested and plays to developer strengths
- The outcomes of the training are properly measured, with metrics and reporting (not just a tick-the-box and move on exercise)
- AppSec and developers start speaking the same language: after all, in a positive security culture, they're working to achieve similar goals.
The possibility for disaster is still enormous, and goes well beyond just having a patient's medical records stolen. Injecting fake tumors into a scan could devastate a person anxiously waiting to hear if they have cancer. And changing out medicines or altering treatment plans could actually kill them. But, it only takes one cybercriminal willing to cross that line for profit, and you can guarantee that it will happen. Perhaps the next ransomware scam won't encrypt a hospital's data, but instead, ruin the diagnoses for thousands of patients. Or perhaps an attacker will threaten to alter medicines unless they get paid, literally holding lives for ransom.
It's clear that we can no longer follow the "business as usual" approach when it comes to cybersecurity in healthcare. We can't rely on one or two specialists at healthcare organizations to fix every problem. Instead, we need security-aware developers working on healthcare apps and devices to recognize potential problems and fix them before they are deployed at facilities. And even healthcare workers could use basic cybersecurity training.
It's true that nothing is more important than your health. Within the healthcare industry, maintaining good cybersecurity fitness for the future will depend on facilitating better overall security awareness today. Without serious treatment, this is an issue that is only going to get worse.
Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
A version of this article ran in Cyber Defense Magazine. It has been updated for syndication here.
Cyberattacks have become a way of life these days. People almost expect to hear news about some new vulnerability or breach that affects everything from banking to aviation, or devices as diverse as smartphones and traffic lights. Even our homes are no longer completely safe. Entire cities and towns are being attacked by criminals almost daily with attackers demanding millions in ransom to restore compromised critical services.
But one place where we could hopefully still feel safe was at the doctor's office or even in a hospital. People are at their most vulnerable when reaching out to a healthcare provider. Human decency would almost demand that the local clinicians be allowed to do their noble jobs in peace. Unfortunately, that is not happening. There seems to be little honor " or perhaps sheer desperation " among today's cyber-thieves. In fact, healthcare could be the next "great" cybersecurity battleground, with criminals attacking the very machines that diagnose medical problems, provide treatments and sustain life. With a sustained global health crisis unfolding before our eyes, this is something that is critical to address from multiple points.
Threats are getting more personal than ever before.
Attacks against the healthcare industry are not new. Cybercriminals already know the value that patient information, personal data, and financial records have in the underworld and on the dark web. That information can be used to steal money directly from patients, or as a launching point for secondary attacks such as phishing and other scams. It's no wonder then that many of the most devastating attacks lately have been aimed at healthcare. Anthem Healthcare had 80 million patient records stolen. Premera lost 11 million personal files. CareFirst's total was 1.1 million compromised records, and the list goes on and on.
As of right now, attacks made directly against medical devices seem rare. However, at least one report suggests that the problem might be much more widespread, with hospitals not reporting the intrusions, or employees untrained in cybersecurity simply not recognizing that an attack is taking place right in front of them. The ability to compromise medical devices in frightening ways, such as using malware to add fake tumors to CAT scans and MRI results, has been conclusively demonstrated by security researchers. It's not very much of a leap to think that attackers may already be doing the same or similar things to medical devices in the real world.
Healthcare is also uniquely vulnerable to cyberattacks thanks to its increasing reliance on devices within the Internet of Things (IoT), tiny sensors that are connected to the internet and which produce incredible volumes of information. For the most part, securing the information produced by those sensors, the channels they use to communicate, and even the sensors themselves, has been little more than an afterthought. The number of potential vulnerabilities that an attacker could exploit hiding within those IoT-dominated networks is likely almost limitless.
IoT in healthcare poses serious risks.
Services critical to patient care " which in some cases weren't even imagined 20 years ago " are breeding grounds for both IoT-based and other more traditional vulnerabilities. Electronic medical records, telemedicine, and mobile health were all seemingly waiting for the boost of information that IoT could provide. It's no wonder that the commitment to IoT in the healthcare sector is staggering. MarketResearch.com predicts that by next year, the IoT market in the healthcare sector will reach $117 billion, and continue expanding at a rate of 15% every year after that.
In that environment, skilled attackers can find plenty of vulnerabilities that can be used to exploit medical devices. IoT sensors embedded inside medical devices generally communicate and produce their data in one of two ways. Some gather data and then transmit all of their findings directly to the internet for analysis. Others use a form of distributed networking known as fog computing where the sensors themselves form a sort of mini-network, collectively deciding what data to share with a central repository or platform. That data can then be further processed or directly accessed by healthcare workers.
Further complicating cybersecurity matters within healthcare is the fact that the industry has never embraced. nor agreed upon, data handling standards, methods or protections. Historically the healthcare industry has been served by manufacturers that offered their own proprietary technologies for medical devices. Today this includes the embedded IoT sensors, the communication channels the devices use and the platform for analyzing the data after it's collected. This makes most hospital networks a hacker's dream, or at least a fine proving ground where they can exploit everything from security misconfigurations to insufficient transport layer protection. They can try anything from cross-site request forgeries to the classic XML injection attacks.
The counter-punch we need is right in front of us.
Despite the potentially catastrophic consequences of these vulnerabilities being exploited, there is something to remain optimistic about: these security bugs are not new, powerful back doors opened by criminal masterminds. They're so common that it is frustrating to keep seeing them, time and time again. Part of the reason they rear their ugly head is through the use of legacy systems that have gone unpatched despite fixes being available, but the other is once again related to the human factor. Developers are writing code at a cracking pace, and they're concentrating on a slick, functional final product... not security best practice.
There is simply too much software being built for AppSec specialists to be able to keep up, and we can't expect them to constantly save the day with these recurrent vulnerabilities. It is cheaper, more efficient and clearly much safer if these vulnerabilities are not introduced in the first place, and that means security teams and developers must go the extra mile to create a robust, end-to-end security culture.
What does a great security culture look like, exactly? Here are a few key elements:
- Developers are equipped with the tools and training they need to squash common bugs (and understand why it's so important to do so)
- Training is comprehensive, easily digested and plays to developer strengths
- The outcomes of the training are properly measured, with metrics and reporting (not just a tick-the-box and move on exercise)
- AppSec and developers start speaking the same language: after all, in a positive security culture, they're working to achieve similar goals.
The possibility for disaster is still enormous, and goes well beyond just having a patient's medical records stolen. Injecting fake tumors into a scan could devastate a person anxiously waiting to hear if they have cancer. And changing out medicines or altering treatment plans could actually kill them. But, it only takes one cybercriminal willing to cross that line for profit, and you can guarantee that it will happen. Perhaps the next ransomware scam won't encrypt a hospital's data, but instead, ruin the diagnoses for thousands of patients. Or perhaps an attacker will threaten to alter medicines unless they get paid, literally holding lives for ransom.
It's clear that we can no longer follow the "business as usual" approach when it comes to cybersecurity in healthcare. We can't rely on one or two specialists at healthcare organizations to fix every problem. Instead, we need security-aware developers working on healthcare apps and devices to recognize potential problems and fix them before they are deployed at facilities. And even healthcare workers could use basic cybersecurity training.
It's true that nothing is more important than your health. Within the healthcare industry, maintaining good cybersecurity fitness for the future will depend on facilitating better overall security awareness today. Without serious treatment, this is an issue that is only going to get worse.
A version of this article ran in Cyber Defense Magazine. It has been updated for syndication here.
Cyberattacks have become a way of life these days. People almost expect to hear news about some new vulnerability or breach that affects everything from banking to aviation, or devices as diverse as smartphones and traffic lights. Even our homes are no longer completely safe. Entire cities and towns are being attacked by criminals almost daily with attackers demanding millions in ransom to restore compromised critical services.
But one place where we could hopefully still feel safe was at the doctor's office or even in a hospital. People are at their most vulnerable when reaching out to a healthcare provider. Human decency would almost demand that the local clinicians be allowed to do their noble jobs in peace. Unfortunately, that is not happening. There seems to be little honor " or perhaps sheer desperation " among today's cyber-thieves. In fact, healthcare could be the next "great" cybersecurity battleground, with criminals attacking the very machines that diagnose medical problems, provide treatments and sustain life. With a sustained global health crisis unfolding before our eyes, this is something that is critical to address from multiple points.
Threats are getting more personal than ever before.
Attacks against the healthcare industry are not new. Cybercriminals already know the value that patient information, personal data, and financial records have in the underworld and on the dark web. That information can be used to steal money directly from patients, or as a launching point for secondary attacks such as phishing and other scams. It's no wonder then that many of the most devastating attacks lately have been aimed at healthcare. Anthem Healthcare had 80 million patient records stolen. Premera lost 11 million personal files. CareFirst's total was 1.1 million compromised records, and the list goes on and on.
As of right now, attacks made directly against medical devices seem rare. However, at least one report suggests that the problem might be much more widespread, with hospitals not reporting the intrusions, or employees untrained in cybersecurity simply not recognizing that an attack is taking place right in front of them. The ability to compromise medical devices in frightening ways, such as using malware to add fake tumors to CAT scans and MRI results, has been conclusively demonstrated by security researchers. It's not very much of a leap to think that attackers may already be doing the same or similar things to medical devices in the real world.
Healthcare is also uniquely vulnerable to cyberattacks thanks to its increasing reliance on devices within the Internet of Things (IoT), tiny sensors that are connected to the internet and which produce incredible volumes of information. For the most part, securing the information produced by those sensors, the channels they use to communicate, and even the sensors themselves, has been little more than an afterthought. The number of potential vulnerabilities that an attacker could exploit hiding within those IoT-dominated networks is likely almost limitless.
IoT in healthcare poses serious risks.
Services critical to patient care " which in some cases weren't even imagined 20 years ago " are breeding grounds for both IoT-based and other more traditional vulnerabilities. Electronic medical records, telemedicine, and mobile health were all seemingly waiting for the boost of information that IoT could provide. It's no wonder that the commitment to IoT in the healthcare sector is staggering. MarketResearch.com predicts that by next year, the IoT market in the healthcare sector will reach $117 billion, and continue expanding at a rate of 15% every year after that.
In that environment, skilled attackers can find plenty of vulnerabilities that can be used to exploit medical devices. IoT sensors embedded inside medical devices generally communicate and produce their data in one of two ways. Some gather data and then transmit all of their findings directly to the internet for analysis. Others use a form of distributed networking known as fog computing where the sensors themselves form a sort of mini-network, collectively deciding what data to share with a central repository or platform. That data can then be further processed or directly accessed by healthcare workers.
Further complicating cybersecurity matters within healthcare is the fact that the industry has never embraced. nor agreed upon, data handling standards, methods or protections. Historically the healthcare industry has been served by manufacturers that offered their own proprietary technologies for medical devices. Today this includes the embedded IoT sensors, the communication channels the devices use and the platform for analyzing the data after it's collected. This makes most hospital networks a hacker's dream, or at least a fine proving ground where they can exploit everything from security misconfigurations to insufficient transport layer protection. They can try anything from cross-site request forgeries to the classic XML injection attacks.
The counter-punch we need is right in front of us.
Despite the potentially catastrophic consequences of these vulnerabilities being exploited, there is something to remain optimistic about: these security bugs are not new, powerful back doors opened by criminal masterminds. They're so common that it is frustrating to keep seeing them, time and time again. Part of the reason they rear their ugly head is through the use of legacy systems that have gone unpatched despite fixes being available, but the other is once again related to the human factor. Developers are writing code at a cracking pace, and they're concentrating on a slick, functional final product... not security best practice.
There is simply too much software being built for AppSec specialists to be able to keep up, and we can't expect them to constantly save the day with these recurrent vulnerabilities. It is cheaper, more efficient and clearly much safer if these vulnerabilities are not introduced in the first place, and that means security teams and developers must go the extra mile to create a robust, end-to-end security culture.
What does a great security culture look like, exactly? Here are a few key elements:
- Developers are equipped with the tools and training they need to squash common bugs (and understand why it's so important to do so)
- Training is comprehensive, easily digested and plays to developer strengths
- The outcomes of the training are properly measured, with metrics and reporting (not just a tick-the-box and move on exercise)
- AppSec and developers start speaking the same language: after all, in a positive security culture, they're working to achieve similar goals.
The possibility for disaster is still enormous, and goes well beyond just having a patient's medical records stolen. Injecting fake tumors into a scan could devastate a person anxiously waiting to hear if they have cancer. And changing out medicines or altering treatment plans could actually kill them. But, it only takes one cybercriminal willing to cross that line for profit, and you can guarantee that it will happen. Perhaps the next ransomware scam won't encrypt a hospital's data, but instead, ruin the diagnoses for thousands of patients. Or perhaps an attacker will threaten to alter medicines unless they get paid, literally holding lives for ransom.
It's clear that we can no longer follow the "business as usual" approach when it comes to cybersecurity in healthcare. We can't rely on one or two specialists at healthcare organizations to fix every problem. Instead, we need security-aware developers working on healthcare apps and devices to recognize potential problems and fix them before they are deployed at facilities. And even healthcare workers could use basic cybersecurity training.
It's true that nothing is more important than your health. Within the healthcare industry, maintaining good cybersecurity fitness for the future will depend on facilitating better overall security awareness today. Without serious treatment, this is an issue that is only going to get worse.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
A version of this article ran in Cyber Defense Magazine. It has been updated for syndication here.
Cyberattacks have become a way of life these days. People almost expect to hear news about some new vulnerability or breach that affects everything from banking to aviation, or devices as diverse as smartphones and traffic lights. Even our homes are no longer completely safe. Entire cities and towns are being attacked by criminals almost daily with attackers demanding millions in ransom to restore compromised critical services.
But one place where we could hopefully still feel safe was at the doctor's office or even in a hospital. People are at their most vulnerable when reaching out to a healthcare provider. Human decency would almost demand that the local clinicians be allowed to do their noble jobs in peace. Unfortunately, that is not happening. There seems to be little honor " or perhaps sheer desperation " among today's cyber-thieves. In fact, healthcare could be the next "great" cybersecurity battleground, with criminals attacking the very machines that diagnose medical problems, provide treatments and sustain life. With a sustained global health crisis unfolding before our eyes, this is something that is critical to address from multiple points.
Threats are getting more personal than ever before.
Attacks against the healthcare industry are not new. Cybercriminals already know the value that patient information, personal data, and financial records have in the underworld and on the dark web. That information can be used to steal money directly from patients, or as a launching point for secondary attacks such as phishing and other scams. It's no wonder then that many of the most devastating attacks lately have been aimed at healthcare. Anthem Healthcare had 80 million patient records stolen. Premera lost 11 million personal files. CareFirst's total was 1.1 million compromised records, and the list goes on and on.
As of right now, attacks made directly against medical devices seem rare. However, at least one report suggests that the problem might be much more widespread, with hospitals not reporting the intrusions, or employees untrained in cybersecurity simply not recognizing that an attack is taking place right in front of them. The ability to compromise medical devices in frightening ways, such as using malware to add fake tumors to CAT scans and MRI results, has been conclusively demonstrated by security researchers. It's not very much of a leap to think that attackers may already be doing the same or similar things to medical devices in the real world.
Healthcare is also uniquely vulnerable to cyberattacks thanks to its increasing reliance on devices within the Internet of Things (IoT), tiny sensors that are connected to the internet and which produce incredible volumes of information. For the most part, securing the information produced by those sensors, the channels they use to communicate, and even the sensors themselves, has been little more than an afterthought. The number of potential vulnerabilities that an attacker could exploit hiding within those IoT-dominated networks is likely almost limitless.
IoT in healthcare poses serious risks.
Services critical to patient care " which in some cases weren't even imagined 20 years ago " are breeding grounds for both IoT-based and other more traditional vulnerabilities. Electronic medical records, telemedicine, and mobile health were all seemingly waiting for the boost of information that IoT could provide. It's no wonder that the commitment to IoT in the healthcare sector is staggering. MarketResearch.com predicts that by next year, the IoT market in the healthcare sector will reach $117 billion, and continue expanding at a rate of 15% every year after that.
In that environment, skilled attackers can find plenty of vulnerabilities that can be used to exploit medical devices. IoT sensors embedded inside medical devices generally communicate and produce their data in one of two ways. Some gather data and then transmit all of their findings directly to the internet for analysis. Others use a form of distributed networking known as fog computing where the sensors themselves form a sort of mini-network, collectively deciding what data to share with a central repository or platform. That data can then be further processed or directly accessed by healthcare workers.
Further complicating cybersecurity matters within healthcare is the fact that the industry has never embraced. nor agreed upon, data handling standards, methods or protections. Historically the healthcare industry has been served by manufacturers that offered their own proprietary technologies for medical devices. Today this includes the embedded IoT sensors, the communication channels the devices use and the platform for analyzing the data after it's collected. This makes most hospital networks a hacker's dream, or at least a fine proving ground where they can exploit everything from security misconfigurations to insufficient transport layer protection. They can try anything from cross-site request forgeries to the classic XML injection attacks.
The counter-punch we need is right in front of us.
Despite the potentially catastrophic consequences of these vulnerabilities being exploited, there is something to remain optimistic about: these security bugs are not new, powerful back doors opened by criminal masterminds. They're so common that it is frustrating to keep seeing them, time and time again. Part of the reason they keep rearing their ugly heads is the use of legacy systems that have gone unpatched despite fixes being available, but the other part is once again related to the human factor. Developers are writing code at a cracking pace, and they're concentrating on a slick, functional final product... not security best practice.
There is simply too much software being built for AppSec specialists to be able to keep up, and we can't expect them to constantly save the day with these recurrent vulnerabilities. It is cheaper, more efficient and clearly much safer if these vulnerabilities are not introduced in the first place, and that means security teams and developers must go the extra mile to create a robust, end-to-end security culture.
What does a great security culture look like, exactly? Here are a few key elements:
- Developers are equipped with the tools and training they need to squash common bugs (and understand why it's so important to do so)
- Training is comprehensive, easily digested and plays to developer strengths
- The outcomes of the training are properly measured, with metrics and reporting (not just a tick-the-box and move on exercise)
- AppSec and developers start speaking the same language: after all, in a positive security culture, they're working to achieve similar goals.
The possibility for disaster is still enormous, and goes well beyond just having a patient's medical records stolen. Injecting fake tumors into a scan could devastate a person anxiously waiting to hear if they have cancer. And changing out medicines or altering treatment plans could actually kill them. But, it only takes one cybercriminal willing to cross that line for profit, and you can guarantee that it will happen. Perhaps the next ransomware scam won't encrypt a hospital's data, but instead, ruin the diagnoses for thousands of patients. Or perhaps an attacker will threaten to alter medicines unless they get paid, literally holding lives for ransom.
It's clear that we can no longer follow the "business as usual" approach when it comes to cybersecurity in healthcare. We can't rely on one or two specialists at healthcare organizations to fix every problem. Instead, we need security-aware developers working on healthcare apps and devices to recognize potential problems and fix them before they are deployed at facilities. And even healthcare workers could use basic cybersecurity training.
It's true that nothing is more important than your health. Within the healthcare industry, maintaining good cybersecurity fitness for the future will depend on facilitating better overall security awareness today. Without serious treatment, this is an issue that is only going to get worse.