Secure Software Development: Error Sends UK’s NHS ‘Once More into the Breach’

by

All too often in today’s efforts to develop and deploy quickly, secure software development practices can be overlooked – either accidentally or by necessity – leaving overly complex systems vulnerable to cyber-attack or breach.

And if anyone would know about a breach, it should be the countrymen of the Bard of Avon, William Shakespeare. In one of the most famous lines in English literature, Shakespeare opens Act 3, Scene 1 of Henry V, by depicting the late British king exhorting his troops onward by calling out to them, “Once more into the breach, dear friends, once more…”

King Henry knew exploiting a vulnerable breach point was an appealing path toward capturing something of value.

In spite of this centuries old lesson about the vulnerability of breaches, the United Kingdom’s National Health Service (NHS) suffered yet another breach of healthcare data recently, this time affecting 150,000 patients. This comes on the heels of last year’s double whammy of the WannaCry Ransomware attack, which cancelled 6,900 patient appointments, and another breach in which patients at over one-third of Britain’s General Practitioner (GP) healthcare practices had their information exposed to hundreds-of-thousands of potential unauthorized viewers.

According to NHS Digital – the agency that oversees IT systems for NHS UK – the breach was the direct result of non-secure software in the SystmOne Electronic Health Records (EHR) application provided by third-party vendor, TPP, which is used by a large number of GP offices in the UK.

In a statement, Nic Fox, NHS Digital’s Director of Primary and Social Care Technology, explained that “We apologize unreservedly for this issue, which has been caused by a coding error by a GP system supplier and means that some people’s data preferences have not been upheld when we have disseminated data. The TPP coding error meant that we did not receive these preferences and so have not been able to apply them to our data.”

Dr. John Parry, Clinical Director at TPP, added, “The privacy of patient data is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information.”

Merely adding “improvements” to their system may not be enough, though, if they continue to turn out bad code.

Based upon research, the chances are good that there are more errors in the code that are affecting the application health factors – including security – of TPP’s systems. According to the 2017 CRASH Report compiled by CAST, the average application today has over a half-million lines of code. It also found that most applications have three or more bad lines of code per 1,000, which means the average application may contain roughly 1,500 bad lines of code. With that many lines and that much possible bad code, a manual analysis is out of the question.

Only through automated code review will TPP be able to ferret out any additional bad lines of code and prevent future errors that lead to more breaches of its clients’ data systems, including those at the NHS. From the standpoint of NHS Digital, Software Intelligence will also allow it to gain transparency into the application development conducted by TPP and its other vendors. While the most recent situation may not have been a “life or death” issue, failure to act and apply Software Intelligence could result in one in the future. 

Get the Pulse Newsletter  Sign up for the latest Software Intelligence news Subscribe Now <>
Open source is part of almost every software capability we use today. At the  very least libraries, frameworks or databases that get used in mission critical  IT systems. In some cases entire systems being build on top of open source  foundations. Since we have been benchmarking IT software for years, we thought  we would set our sights on some of the most commonly used open source software  (OSS) projects. Software Intelligence Report <> Papers
In our 29-criteria evaluation of the static application security testing (SAST)  market, we identified the 10 most significant vendors — CAST, CA Veracode,  Checkmarx, IBM, Micro Focus, Parasoft, Rogue Wave Software, SiteLock,  SonarSource, and Synopsys — and researched, analyzed, and scored them. This  report shows how each measures up and helps security professionals make the  right choice. Forrester Wave: Static Application Security Testing, Q4 2017  Analyst Paper
This study by CAST reveals potential reasons for poor software quality that  puts businesses at risk, including clashes with management and little  understanding of system architecture. What Motivates Today’s Top Performing  Developers Survey
Jonathan Bloom
Jonathan Bloom Technology Writer & Consultant
Jonathan Bloom has been a technology writer and consultant for over 20 years. During his career, Jon has written thousands of journal and magazine articles, blogs and other materials addressing various topics within the IT sector, including software development, enterprise software, mobile, database, security, BI, SaaS/cloud, Health Care IT and Sustainable Technology.
Load more reviews
Thank you for the review! Your review must be approved first
Rating
New code

You've already submitted a review for this item

|