June 26, 2019 (updated 28 Jun 2019 11:05am)

Two years on from WannaCry, healthcare sector is “fastest industry” in fixing security flaws

By Ellen Daniel

Two years ago this May, dozens of NHS hospitals and trusts were the target of the infamous cybersecurity incident WannaCry, which saw thousands of computers from organisations around the world infected with ransomware demanding Bitcoin payments.

The incident reportedly cost the NHS £92m and disrupted at least 34% of trusts in England, resulting in the cancellation of 6,912 appointments and operations.

In a report by the National Audit Office, the NHS was criticised for its cybersecurity practices, with outdated IT systems and a lack of preparedness indicating that the organisation “need to get their act together”.

However, according to software company Veracode, the healthcare industry is in fact faster at identifying and resolving software security risks than other industries.

The NHS is a significant target for cybercriminals: poor cybersecurity practices leave sensitive patient data at risk of falling into the wrong hands, and a compromise of medical devices could even have life-threatening consequences. However, when compared to other industries such as finance, government and education, and retail, the healthcare sector is the fastest industry when it comes to addressing common vulnerabilities.

Some 64% of current applications used by healthcare organisations are at risk of information leakage attacks, while cryptographic issues and code quality were identified as the top vulnerabilities facing healthcare organisations.

However, Veracode’s State of Software Security (SOSS) report found that healthcare organisations took six days to address a quarter of their vulnerabilities in code and seven months to address the majority of vulnerabilities found in their software. According to Veracode, this is almost eight months faster than the average organisation, which takes 15 months to fix 75% of its vulnerabilities.

The healthcare industry got high marks in the company’s SOSS metrics, with the sector ranking first for the latest-scan OWASP (Open Web Application Security Project) pass rate, indicating that when it comes to fixing application flaws, the industry is “statistically closing the window on application risk faster than any other sector”.

The NHS recently announced that it is undertaking an IT overhaul to move to modern, cloud-based systems and improve security, and Paul Farrington, EMEA Chief Technology Officer at Veracode, said that the healthcare industry has shown “remarkable resilience”:

“Healthcare organisations are remediating at the most rapid rate at every interval compared to their peers. It takes just a little over seven months for healthcare organisations to reach the final quartile of open vulnerabilities, about eight months sooner than it takes the average organisation to reach the same landmark. It shows remarkable resilience for an industry which was heavily targeted and badly damaged during the WannaCry ransomware attack two years ago. However, millions of cyber-attacks are aimed at the healthcare sector each day, seeking any weak spot. Using code that is secure from the start can help healthcare reduce security risk further.”


