Why Application Security Needs More Attention in HealthcareCISO Sandy Dunn on How to Better Prevent Avoidable Incidents
Healthcare entities and other organizations frequently skimp on application security, which is a critical area, and this often results in data breaches, security incidents and other poor outcomes, says former health insurer CISO Sandy Dunn, who is now CISO and CIO of incident response services vendor BreachQuest.
"Good application security practices are absolutely the number one, most effective and important thing that any organization, including healthcare, can do. Build security in from the very beginning. Make sure you assign project managers and developers to do the security tasks," she says.
"Every CISO has a story about some project that is underbudgeted and under-resourced, and the first thing they want to do is bypass all the security," she says in an interview with Information Security Media Group.
As a result, many of the data breaches and other security incidents that occur in healthcare are linked to IT misconfigurations and related errors, Dunn says.
"It's about people doing too much, too fast, without the right checks and balances. So let's build security into the process through automation," she says.
"The top things that would help every organization are putting in software composition analysis tools, doing automation around testing and having good testing environments."
In the interview (see audio link below photo), Dunn also discusses:
- Why many healthcare sector organizations are still focused mostly on a compliance mindset for security, despite rising threats;
- The importance of cybersecurity information sharing among healthcare sector organizations;
- Tips for healthcare sector entities to improve their security best practices.
Dunn previously was the CISO at Blue Cross of Idaho, where she established and maintained the enterprisewide strategy of security for the company. She has over 20 years of experience in cybersecurity and has worked with NASA, the Secret Service, the IRS and other federal agencies.