CMU Hospital implements software development lifecycle with Lucent Sky AVM

December 06, 2023

Information security means patient safety. In moving towards intelligent healthcare, China Medical University Hospital believes that it is necessary to implement software lifecycle management in order to protect the privacy of patients and the security of the medical system. Therefore, it chose Lucent Sky AVM, the vulnerability remediation tool distributed by Zero One Technology, to implement source code analysis from the software development stage to enhance code quality and reduce the likelihood of being exploited.

Many of the security incidents that continue to occur around the world are caused by developers using development tools or packages that contain vulnerabilities. Nowadays, in addition to continuing to strengthen their overall cybersecurity, enterprises also realize the importance of introducing application security testing and vulnerability remediation early in the software development lifecycle. For example, China Medical University Hospital, one of the four major medical centers in central Taiwan, recently chose Lucent Sky AVM to improve code security and quality with the help of system integrator Wingwill International.

Dr. Junlian Chen, Vice President of Information Technology of China Medical University Hospital, pointed out that in the process of developing smart hospitals, the medical information system will inevitably move from the traditional mainframes to open systems. “We must take the initiative to improve the security and quality of software development in order to achieve the goal of strengthening the overall security of the information systems and to protect the patients’ medical privacy effectively. With the introduction of Lucent Sky AVM, the development teams can conduct code analysis at all stages of the software development lifecycle. This lays a secure and stable foundation for the development of smart healthcare,” said Chen.

Cybersecurity threats surge as healthcare systems move toward open systems

With the core values of “patient-oriented, staff-oriented, and hospital-proud”, China Medical University Hospital has obtained the highest level of accreditation from HIMSS EMRAM, INFRAM, and AMAM, and has been recognized by the Davies Award of Excellence. It is moving forward with the goals of developing into a first-class international medical center and a high-tech biomedical science park. In response to the global trend of medical and technological development, the hospital is developing smart healthcare with big data and cloud platforms, medical AI, and medical BI, and has been making every effort to develop smart healthcare that protects the well-being of the general public.

In developing smart healthcare, China Medical University Hospital plans to develop a patient reporting system that will allow patients to actively report their physical condition when they finish treatment and go home to recuperate, which will serve as a reference for their follow-up appointments. In particular, with the rapid development of smart Internet of Things (IoT) technology, the physiological devices that many patients wear will be able to automatically upload pulse and heartbeat data through this system in the future, so that doctors can accurately grasp the physiological status of patients. Considering the surging security threats these new medical systems will face, the hospital has decided to introduce a source code analysis tool and conduct its own security testing during the software development stage to minimize potential vulnerabilities in the medical information systems.

“In the past, on the premise of enhancing overall security protection, we commissioned an external security company to conduct annual vulnerability scans of public-facing systems such as the public website and the appointment system, and manually remediated the vulnerabilities found,” said Chen. “However, in the process of moving towards a smart hospital, the once-a-year vulnerability analysis and remediation mechanism is obviously insufficient. Only by introducing a source code analysis solution can we reduce the vulnerabilities and loopholes of the application system at the source. After evaluating many solutions on the market, we chose Lucent Sky AVM.”

Automatic vulnerability remediation reduces developer workload

Among the commercial solutions capable of performing static application security testing (SAST), China Medical University Hospital chose Lucent Sky AVM not only because its developer-centric interfaces are easy to use, but also because of its ability to generate Instant Fixes that can automatically remediate vulnerabilities. For developers with heavy workloads, it not only greatly reduces the learning curve of using such a tool, but also allows them to understand the weaknesses and risks of existing software projects, and to quickly fix vulnerabilities in these projects using the Instant Fixes and remediation guidance in the reports.

Lucent Sky AVM can scan for unknown and known vulnerabilities in source code, binary files, and third-party libraries. It is certified to be CWE-Compatible and supports security and industry standards such as CVE, CVSS, OWASP ASVS, OWASP Top 10, HIPAA, and PCI-DSS. After scanning an application, Lucent Sky AVM generates a report with Instant Fixes for source code vulnerabilities and remediation guidance for vulnerable dependencies, enabling developers to apply the fixes immediately and reducing the mean-time-to-remediate (MTTR).

The introduction of Lucent Sky AVM into their SDLC has been greatly beneficial for China Medical University Hospital. For example, compared to the extended remediation schedule when working with an external security firm and traditional SAST tools, Lucent Sky AVM greatly accelerates the process of remediating vulnerabilities. In addition, comprehensive reports allow developers to learn how vulnerabilities are introduced and how to avoid them in the future, significantly improving code security and quality.

“In addition to the introduction of Lucent Sky AVM, we have also implemented dependency management and related operating procedures, requiring development teams to synchronize the dependencies in their applications to reduce potential security and operational issues in the future,” said Chen. “Through this multi-pronged approach to the software development lifecycle, we will be the strongest foundation for China Medical University Hospital’s goal of smart healthcare.”

This story originally appeared on iThome and has been translated from its original language.