All too often in today’s efforts to develop and deploy quickly, secure software development practices can be overlooked – either accidentally or by necessity – leaving overly complex systems vulnerable to cyber-attack or breach.
And if anyone would know about a breach, it should be the countrymen of the Bard of Avon, William Shakespeare. In one of the most famous lines in English literature, Shakespeare opens Act 3, Scene 1 of Henry V, by depicting the late British king exhorting his troops onward by calling out to them, “Once more into the breach, dear friends, once more…”
King Henry knew exploiting a vulnerable breach point was an appealing path toward capturing something of value.
In spite of this centuries-old lesson about the vulnerability of breaches, the United Kingdom’s National Health Service (NHS) suffered yet another breach of healthcare data recently, this time affecting 150,000 patients. This comes on the heels of last year’s double whammy of the WannaCry ransomware attack, which cancelled 6,900 patient appointments, and another breach in which patients at over one-third of Britain’s General Practitioner (GP) healthcare practices had their information exposed to hundreds of thousands of potential unauthorized viewers.
According to NHS Digital – the agency that oversees IT systems for NHS UK – the breach was the direct result of non-secure software in the SystmOne Electronic Health Records (EHR) application provided by third-party vendor, TPP, which is used by a large number of GP offices in the UK.
In a statement, Nic Fox, NHS Digital’s Director of Primary and Social Care Technology, explained that “We apologize unreservedly for this issue, which has been caused by a coding error by a GP system supplier and means that some people’s data preferences have not been upheld when we have disseminated data. The TPP coding error meant that we did not receive these preferences and so have not been able to apply them to our data.”
Dr. John Parry, Clinical Director at TPP, added, “The privacy of patient data is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information.”
Merely adding “improvements” to their system may not be enough, though, if they continue to turn out bad code.
Research suggests the chances are good that there are more errors in the code affecting the application health factors – including security – of TPP’s systems. According to the 2017 CRASH Report compiled by CAST, the average application today has over a half-million lines of code. It also found that most applications have three or more bad lines of code per 1,000, which means the average application may contain roughly 1,500 bad lines of code. With that many lines and that much possible bad code, a manual analysis is out of the question.
Only through automated code review will TPP be able to ferret out any additional bad lines of code and prevent future errors that lead to more breaches of its clients’ data systems, including those at the NHS. From the standpoint of NHS Digital, Software Intelligence will also allow it to gain transparency into the application development conducted by TPP and its other vendors. While the most recent situation may not have been a “life or death” issue, failure to act and apply Software Intelligence could result in one in the future.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and liability implications of open source components – all three of which are critical for M&A due diligence.