A collection of strategies for reducing software vulnerabilities may help healthcare organizations that are looking to improve their health data security.
Computer scientists at the National Institute of Standards and Technology (NIST) recently released Dramatically Reducing Software Vulnerabilities, a report written at the request of the White House’s Office of Science and Technology Policy. Although it was commissioned by the federal government, coauthor Paul E. Black explained that any organization can use the report to produce high-quality, low-defect code.
“We want coders to know about it,” Black said in a statement. “We concentrated on including novel ideas that they may not have heard about already.”
The document contains input and ideas from NIST computer scientists, software assurance experts from many private companies in the computer industry, and government agencies such as the Department of Defense and NASA.
“Vulnerabilities are common in software,” NIST explained in a release. “Even small applications have hundreds of bugs by some estimates. Lowering these numbers would bring many advantages, such as reducing the number of computer crashes and reboots users need to deal with, not to mention decreasing the number of patch updates they need to download.”
The NIST guide focuses on the following five sets of approaches, tools and concepts:
- Using mathematics-based (formal) tools to verify that code behaves as specified
- Breaking programs into isolated modular parts, so that a failure in one part does not bring down the whole program
- Connecting code-analysis tools that currently operate in isolation
- Using programming languages suited to the task the code carries out
- Developing tactics that evolve and change over time to protect code that is targeted in cyberattacks
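The second approach above, modular isolation so that one failing part does not take the whole program down, is the one most easily shown in code. The following is an added illustration, not code from the NIST report or from the article: a hypothetical record-parsing stage runs in a child process, so a crash, a hang or a malformed input in that stage is reported back to the caller as a failed record while the rest of the batch is still processed. The parser source, the sample records and the simulated crash and hang triggers are all constructed for this example.

```python
"""Added example: isolating a fragile parsing stage in its own process.

Not part of the NIST report or the article. The child-process parser,
the sample records and the CRASH/HANG triggers are constructed here
to illustrate the "modular parts" approach.
"""
import json
import subprocess
import sys

# Source of the hypothetical parsing stage, executed as a separate Python
# process. A record containing "CRASH" simulates a hard crash (for example a
# native parser hitting memory corruption); "HANG" simulates an infinite loop.
PARSER_SOURCE = r"""
import json, os, sys
raw = sys.stdin.read()
if "CRASH" in raw:
    os._exit(139)          # abrupt exit, like a process killed by SIGSEGV
if "HANG" in raw:
    while True:
        pass
rec = json.loads(raw)      # malformed JSON raises here -> non-zero exit
print(json.dumps({"id": rec["id"], "field_count": len(rec)}))
"""


def parse_isolated(raw_record: str, timeout_s: float = 1.0) -> dict:
    """Run the parser on one record in a child process.

    Returns {"ok": True, "result": ...} on success, or
    {"ok": False, "error": ...} if the stage crashes, hangs or rejects
    the input. The calling process keeps running in every case.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", PARSER_SOURCE],
            input=raw_record,
            capture_output=True,
            text=True,
            timeout=timeout_s,   # run() kills the child when this expires
        )
    except subprocess.TimeoutExpired:
        return {"ok": False, "error": "timeout"}
    if proc.returncode != 0:
        return {"ok": False, "error": f"exit status {proc.returncode}"}
    return {"ok": True, "result": json.loads(proc.stdout)}


def process_batch(records: list) -> dict:
    """Process a batch of records; individual failures are counted, not fatal."""
    summary = {"parsed": [], "failed": 0}
    for raw in records:
        outcome = parse_isolated(raw)
        if outcome["ok"]:
            summary["parsed"].append(outcome["result"])
        else:
            summary["failed"] += 1
    return summary


# Constructed sample batch: one valid record, one malformed, one that crashes
# the parser stage and one that hangs it.
SAMPLE_BATCH = [
    '{"id": "p-001", "name": "example", "dob": "1970-01-01"}',
    '{"id": "p-002", "name": ',          # malformed JSON
    '{"id": "p-003", "note": "CRASH"}',  # simulated hard crash
    '{"id": "p-004", "note": "HANG"}',   # simulated hang, ended by the timeout
]

if __name__ == "__main__":
    print(json.dumps(process_batch(SAMPLE_BATCH), indent=2))
```

Had the parser been called in-process, the simulated crash would have ended the whole program and the hang would have blocked it indefinitely; with the process boundary, both become ordinary error results that the caller can log and count. The same pattern applies to any stage that handles untrusted input, such as file or message parsers.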
The report’s authors maintain that the five areas are not a comprehensive list, and instead “represent a wide range of potential approaches and highlight how reducing software vulnerabilities can be accomplished.”
“All of these approaches will require improved research infrastructure, including significantly better metrics,” the authors wrote. “As noted, they cannot be successful by themselves and will need to be integrated into the larger software developer and user communities.”
Black also suggests that customers ask for these techniques to be used in the development of the products and services they buy.
“You as a consumer should be able to write it into a contract that you want a vendor to develop software in accordance with these principles, so that it’s as secure as it can be,” Black stated.
Writing security requirements into contracts is increasingly recommended for health data security as well: when covered entities draft business associate agreements, the agreements should be as specific as possible, including when medical devices are involved.
As ICIT Co-founder and Senior Fellow James Scott told HealthITSecurity.com earlier this year, security cannot simply be tacked on later in a device’s life cycle. Instead, security should be implemented from the onset and medical devices should not be “Frankensteined” into an enterprise’s infrastructure.
The 2016 Cybersecurity National Action Plan called for a dramatic reduction in software vulnerabilities, the report’s authors stated in their conclusion. Not only is it critical to stop vulnerabilities before they occur, but there must also be improved methods for specifying and building software.
Furthermore, there must be better testing techniques, and more efficient combinations of multiple testing methods, for finding vulnerabilities.
The impact of the vulnerabilities that remain must also be reduced by building more resilient architectures, so that those vulnerabilities cannot be meaningfully exploited.
“Security tends to bubble to the surface because we’ve got adversaries who want to exploit weaknesses,” Black explained. “But we’d still want to avoid bugs even without this threat. The effort to stymie them brings up general principles.”