A freedom of information (FoI) request revealed the unsecure practices of many NHS trusts around securing networks and systems from cyber attacks. Nearly 45% of those that responded to the request (27 out of 36) admitted that they scan for app vulnerabilities only once a year.
OWASP policy compliance failed
This finding reflects what was uncovered by Veracode in its recent State of Software Security 2016 report: the healthcare industry has the lowest vulnerability fix rate, with 67% of healthcare applications failing OWASP policy compliance. (The Open Web Application Security Project focuses on improving the security of software by providing impartial and practical information about web apps to third parties to help them make informed decisions).
How often should web applications be scanned?
There is no common rule but, generally speaking, web applications should be scanned every quarter or any time new security patches are applied, as well as any time new web applications are added to the infrastructure.
The cost of a penetration test is much lower than that of a data breach
Many healthcare organisations argue that they don’t have the budget or resources to regularly scan their infrastructure and systems. But have they fully considered the impact of a data breach caused by vulnerable applications? Other than business disruption, loss of revenue and fines of up to £500,000 from the ICO, a data breach damages the reputation and image of the organisation itself, not to mention the loss of customers (or patients) and negative publicity. In the long term, a data breach costs far more than a security scan.
If budget is a concern, then IT Governance has what you are looking for. Our penetration testing packages provide complete solutions for routine security testing of your websites and IT systems at fixed prices.
Take a look at the cost-effective Web Application Penetration Test package >>