BSIMM Study: Healthcare Lags Other Industries in Software Security

The 2021 BSIMM study shows that while organizations across all sectors prioritize software security initiatives and risk management, healthcare lags behind.

By Jill McKeon

Healthcare trails behind the financial services and insurance sectors in implementing software security initiatives, even though it is a highly regulated industry, according to the 2021 Building Security In Maturity Model (BSIMM) study led by the Synopsys Software Integrity Group.

A comparison of the three industries showed that the financial services sector is ahead of others in terms of prioritizing compliance and software security.

“In our decade-long experience with the BSIMM, we’ve seen large financial services firms reacting to regulatory pressures by starting software security initiatives much earlier than insurance and healthcare firms,” the study explained.

“Despite the similarity of compliance and regulatory drivers across these three verticals, healthcare vertical high-water marks are generally trailing insurance and financial, possibly due to the need to prioritize patient care ahead of compliance activities.”

BSIMM was formed in 2008 with the goal of gathering data and trends on how companies from all sectors manage the challenges of software security and providing a baseline for software security initiatives. The 2021 study analyzed data from 128 participating organizations across a variety of industries, including healthcare, IoT, FinTech, and financial services.

The study identified major trends and activities that organizations have adopted in 2021 to ensure software security. Results revealed that over 90 percent of BSIMM participants integrated risk-based controls into their software portfolios in order to fix issues earlier in the software development life cycle.

Across all sectors, over 90 percent of participants also prioritized ensuring that host and network security basics are in place across their networks. Meanwhile, 89 percent outlined their requirements and standards surrounding personally identifiable information (PII), and 43 percent of participants built a comprehensive PII inventory, signifying that PII protection is a top priority for organizations across all sectors.

Over 85 percent of participants reported performing a security feature review as part of their organization’s architecture analysis process, and 87 percent of participants used external penetration testers to demonstrate security issues.

The prevalence of open source software components and the rise in cyberattacks led to a 61 percent increase over the past two years in software security groups identifying the open source in their portfolios, the study stated.

Businesses are also shifting toward more sophisticated risk management metrics and putting more effort into collecting and publishing their software security initiative data.

“Increased executive attention, likely combined with engineering-driven efforts, has also resulted in organizations developing their own capabilities for managing cloud security and evaluating their shared responsibility models,” the study explained. “There was an average of 36 new observations over the past two years across activities typically related to cloud security.”

Based on the findings, the study recommended that organizations in the process of creating a software security initiative should consider moving toward automating security decisions, creating a comprehensive software inventory, and using security testing telemetry to gather data.

New technologies, increased cyberattacks, and an uptick in cloud adoption and open source software usage continue to contribute to shifting priorities for software security teams across all industries.