Software Vulnerabilities and HIPAA Non-Compliance

Oct 24, 2016 | Blog


The motivation behind building HIPAA compliance into Code Dx v 2.3
By Anita D’Amico

Federal regulations regarding patient medical records are stringent, and non-compliance can carry a hefty price tag—not to mention the long-term effects of lost customer faith. While a few decades ago this might have meant locking up your file cabinets, today this means securing your digital databases against potential threats. Software vulnerabilities may leave your patients’ data open to intrusions (which is bad for everyone) and may make your business non-compliant with HIPAA (which is bad for you).

If you work in healthcare, you’re already familiar with the Health Insurance Portability and Accountability Act (HIPAA), which requires covered entities (doctors, private practices, hospitals, and insurance companies) to protect the privacy and integrity of their patients’ and customers’ medical records and personal information. Most IT managers within these institutions address the HIPAA security requirements by focusing on network security. This is what firewalls, encryption of data on servers, and anti-virus programs are for: they control who can reach the databases, and they detect (and often remove) known threats as they are encountered.

These methods are sensible, practical, and, unfortunately, inadequate in many cases. That is because network security is not the same as application security. Software does not exist in a vacuum; eventually it will be exposed to users, and once that happens it becomes vulnerable in ways you may not expect. For instance, a login screen is an invitation to anyone looking for the information behind your application. If the login form builds its database query from the username and password fields, SQL injection may be possible right from that screen, and a savvy attacker may be able to read your entire patient database, medical records included, without ever needing to breach your network: the traffic looks like an ordinary user logging in.
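The login-screen injection described above, as an added example (this is illustrative code written for this page, not part of Code Dx or any real healthcare application). It uses an in-memory SQLite database with one constructed account, and compares a login check that splices user input into the SQL text with one that passes the values as bound parameters. The account and the bypass string are assumptions made up for the demonstration; real systems would also store a password hash rather than the plaintext used here to keep the query readable.

```python
import sqlite3

# Constructed sample: one account in a tiny "users" table, plaintext
# password only so the injected SQL stays easy to read.
SAMPLE_USER = "dr_jones"
SAMPLE_PASSWORD = "correct horse battery staple"

# Classic tautology payload: closes the password literal and ORs in a
# condition that is always true.
BYPASS_PASSWORD = "' OR '1'='1"


def make_db():
    """Create an in-memory database holding the constructed sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASSWORD))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check that builds the query by string concatenation.

    Whatever the user types becomes part of the SQL syntax, so the password
    field can rewrite the WHERE clause instead of just supplying a value.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    # With BYPASS_PASSWORD the text sent to the database is:
    #   ... WHERE username = 'anyone' AND password = '' OR '1'='1'
    # AND binds tighter than OR, so the row count is never zero.
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Login check using bound parameters.

    The query text is fixed; the driver hands the values to the database
    separately, so a quote or keyword in the input is just data to compare.
    """
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def compare_logins(username, password):
    """Run both checks on the same credentials and report what each decided."""
    conn = make_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, username, password),
            "parameterized": login_parameterized(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("valid credentials:", compare_logins(SAMPLE_USER, SAMPLE_PASSWORD))
    print("unknown user + tautology:", compare_logins("anyone", BYPASS_PASSWORD))
```

Running the module shows the two checks agreeing on real credentials and disagreeing on the tautology payload: the concatenated query admits an unknown user with no password, the parameterized one rejects it. The same inputs hit the same open port on the same network, which is why a firewall in front of the application never sees the difference.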

This is why identifying and resolving vulnerabilities prior to launch is so critical, especially for the healthcare sector. Meeting the HIPAA requirements alone, without further security measures, will not make your software airtight, but failing to meet them leaves you with software that is irresponsibly insecure. Demonstrating compliance means testing your software against those requirements, and doing that by hand can be extremely time-consuming.

Code Dx has decided to change that with version 2.3.

Since our inception in 2015, Code Dx has endeavored to make it easy and affordable to find, prioritize, and resolve software vulnerabilities across a wide range of programming languages. We realized that some of the largest healthcare providers in the country had already turned to Code Dx to help identify weaknesses within their software. To provide a better product that meets their specific needs, we decided to offer a new capability within Code Dx version 2.3: it will now check your software for HIPAA non-compliance.

With Code Dx version 2.3, the vulnerabilities found in your application are mapped against the HIPAA requirements. You can turn on HIPAA-specific filters that flag the lines of code whose weaknesses may represent a violation, so that compliance gaps surface alongside the rest of your findings. This is, of course, an additional service on top of our existing mapping to other industry standards (such as the OWASP Top 10 and the CWE/SANS Top 25). This latest update to Code Dx provides even more of the most valuable commodity for software testing and security teams: information. By bringing the HIPAA standards into Code Dx, these professionals now have a powerful tool to help reduce their company’s exposure to non-compliance, and the financial risk that comes with it.
