The healthcare industry incurs the highest average data breach costs of $10.93 million, an increase of 53.3% over the past three years. In fact, as of March 2024, there have been 116 healthcare data breaches reported to the HHS Office of Civil Rights that impacted over 13 million individuals. Healthcare organizations are prime targets for threat actors and face complicated and increasing cyber threats.
Healthcare consists of complex networks and contains highly prized Personally Identifiable Information (PII) that is sold and traded in the underground economy. Healthcare networks contain Internet, Intranet, IoT, SCADA, and other nodes that dramatically increase the attack surface, giving more opportunities for cybercriminals to try and exploit. Budgets are stretched, and staff members may not always have the time to complete cybersecurity training, leaving them even more vulnerable to social engineering tactics and attacks like ransomware and phishing emails.
As healthcare organizations deal with greater productivity and efficiency, organizations rely on cloud applications such as Salesforce to better serve their customers. Salesforce enables healthcare organizations access to patient data, health conditions, medication, appointments, and integration with Electronic Health Records (EHR). Salesforce also provides individualized communication and custom applications that better serve the provider’s subscribers. This requires code development that is tailored to meet the needs of the subscriber and provider’s needs.
Many organizations either develop in-house applications for internal use or use ISV offerings to extend Salesforce functionality. Several healthcare organizations leverage Salesforce Health Cloud to help with compliance. However, application development can create liabilities that are counterproductive to the healthcare enhancements it delivers. Salesforce application development can be a challenging environment for cybersecurity and development teams to identify and remediate vulnerabilities. These vulnerabilities can expose the entire organization, especially the healthcare industry which has proven to be a prime target for ransomware attacks. These ransomware attacks often compromise valuable medical IoT devices by capturing login credentials.
User profiles, permission settings, and roles can be misconfigured resulting in serious vulnerabilities. Adhering to best practices and proper cybersecurity hygiene must occur at every stage of development. Developers are constantly challenged to release applications quickly; however, they should embrace code security and work with their cybersecurity team to alleviate the additional burden of ensuring applications do not contain vulnerabilities that can compromise the business and their clients. The entire development pipeline must be secured.
Like most cloud service providers (CSPs), Salesforce uses the shared responsibility model for security. Although some security features cover platform specific functions, it does not include custom code, compliance requirements, and many other critical threat vectors derived from customization. The burden of this responsibility weighs on the subscriber. Ensuring vulnerabilities are identified and remediated throughout the Software Development Lifecycle is imperative.
DigitSec develops a comprehensive Salesforce code and config security scanning platform that is easy to use, delivers immediate value and provides a positive business impact. DigitSec is an ideal solution for cybersecurity teams and developers to find security vulnerabilities, recommend corrective action before deployment, and enable faster delivery of secure applications. DigitSec is SOC 2 Type 2 compliant, following internal best practices of security controls, policies, and procedures.
To find out how healthcare organizations can find, correct, and mitigate risk in their Salesforce application development, visit us at www.digitsec.com or email us at sales@digitsec.com.
