The Security Scrutinizer with Howard Anderson

Security Risks in Software Development

Survey: Using Real Data Poses Real Risks
A new survey offers a reminder that using real patient information when developing or testing software creates security risks that must be addressed.

Some 78 percent of U.S. healthcare organizations use real patient data when working on software development, while 65 percent use real data when testing applications, a recent survey of 462 IT staff at healthcare organizations shows.

Thirty-eight percent of those that use real data in development and testing say that such data had been lost or stolen at their organization. And that represents a serious threat to health information privacy.

About half of survey respondents report their organization does not protect real data used in software development and testing. Only 13 percent mask sensitive or confidential data elements, while 46 percent take steps to control access to the data files and databases involved.

In addition, 49 percent report that their organization uses less stringent safeguards when protecting sensitive or confidential data used for software development and testing than they do in the "production" environment. Considering how common the loss or theft of such data apparently is, security safeguards clearly merit closer attention.

The Ponemon Institute conducted the survey for Informatica.

The study also finds that 34 percent of respondents always or frequently outsource the development and testing of applications, and in about half of those cases, they share real data with the outsourcer.

Only 29 percent use a cloud computing infrastructure or platform for software development and testing. Of those, 46 percent said they are not confident that data housed in the cloud environment is safe and secure.

Keeping Health Information Secure

In its report on the survey results, the Ponemon Institute offers some important reminders on how to keep patient information safe in compliance with HIPAA, including:

  • Assign a single person to be responsible for safeguarding real data used in application testing and development;
  • Create policies and procedures for the protection of the real data used;
  • Educate employees about the importance of protecting this test data;
  • Use encryption, data loss prevention, access management and other information security technologies;
  • Consider using de-identified, masked or dummy data rather than live data in the test and development process.

That last point appears to be the most important tip to keep in mind, given this survey's results.
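To make that last recommendation concrete, here is an added example (not from the Ponemon report or Informatica) of a small masking step that a production-to-test data refresh could run. It assumes a record layout with constructed fields (mrn, name, dob, ssn, diagnosis) and a masking key that stays in production; identifiers become keyed HMAC pseudonyms so joins across tables still line up, dates of birth are generalized to the year, and fields the test does not need are dropped.

```python
import hmac
import hashlib

# Constructed sample "production" records; no real patients.
PROD_RECORDS = [
    {"mrn": "MRN-000123", "name": "Jane Example", "dob": "1984-07-19",
     "ssn": "123-45-6789", "diagnosis": "E11.9"},
    {"mrn": "MRN-000456", "name": "John Sample", "dob": "1971-02-03",
     "ssn": "987-65-4321", "diagnosis": "I10"},
    {"mrn": "MRN-000123", "name": "Jane Example", "dob": "1984-07-19",
     "ssn": "123-45-6789", "diagnosis": "Z00.00"},
]

# Assumed secret held in the production environment only; it is never
# shipped with the masked copy, so tokens cannot be reversed in test.
MASKING_KEY = b"example-key-rotate-on-every-refresh"

def pseudonym(value, key=MASKING_KEY, length=12):
    """Deterministic keyed token: the same input always yields the same
    token (referential integrity survives), but the real value does not."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]

def generalize_dob(dob):
    """Keep only the birth year; enough for age logic, not an identifier."""
    return dob[:4] + "-01-01"

def mask_record(rec, key=MASKING_KEY):
    return {
        "mrn": "T" + pseudonym(rec["mrn"], key),
        "name": "Patient " + pseudonym(rec["name"], key, 6),
        "dob": generalize_dob(rec["dob"]),
        "ssn": None,                    # not needed under test: drop it
        "diagnosis": rec["diagnosis"],  # clinical code kept for functional tests
    }

def mask_dataset(records, key=MASKING_KEY):
    return [mask_record(r, key) for r in records]

def leaks(masked, originals, fields=("mrn", "name", "dob", "ssn")):
    """Post-check: return any masked value that still equals a real value."""
    real = {(f, r[f]) for r in originals for f in fields}
    return [(f, m[f]) for m in masked for f in fields if (f, m[f]) in real]

if __name__ == "__main__":
    out = mask_dataset(PROD_RECORDS)
    assert leaks(out, PROD_RECORDS) == [], "real data would reach test"
    for row in out:
        print(row)
```

The leak check is the part worth keeping in a real refresh job: it fails the run if any identifying field slipped through unchanged, which is exactly the condition the survey's respondents describe.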

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
