A freedom of information (FoI) request revealed the insecure practices of many NHS trusts when it comes to protecting their networks and systems from cyber attacks. Nearly 45% of those that responded to the request (27 out of 36) admitted that they scan for app vulnerabilities only once a year.
OWASP policy compliance failed
This finding reflects what was uncovered by Veracode in its recent State of Software Security 2016 report: the healthcare industry has the lowest vulnerability fix rate, with 67% of healthcare applications failing OWASP policy compliance. (The Open Web Application Security Project focuses on improving the security of software by providing impartial and practical information about web apps to third parties to help them make informed decisions.)
How often should web applications be scanned?
There is no single rule, but, generally speaking, web applications should be scanned at least every quarter, whenever new security patches are applied, and whenever new web applications are added to the infrastructure.
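The cadence above has three triggers: a maximum interval between scans, a patch applied since the last scan, and an application that has been added but never scanned. The following script is an added example (it is not code from the original article or from any NHS trust) that applies those three triggers to a small, constructed application inventory and reports which applications are overdue and why. The 91-day quarter, the application names and all dates are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed scan interval: one quarter, approximated as 91 days.
QUARTER = timedelta(days=91)


@dataclass
class WebApp:
    """One web application in the inventory (constructed for this example)."""
    name: str
    added_on: date                      # when the app joined the infrastructure
    last_scan: Optional[date]           # None means it has never been scanned
    patches_applied: List[date] = field(default_factory=list)


def scan_due_reasons(app: WebApp, today: date,
                     max_interval: timedelta = QUARTER) -> List[str]:
    """Return the reasons a scan is due for `app`; an empty list means it is current."""
    reasons: List[str] = []

    # Trigger 3: a newly added application that has never been scanned.
    if app.last_scan is None:
        reasons.append(f"never scanned since being added on {app.added_on}")
        return reasons

    # Trigger 1: the last scan is older than the maximum allowed interval.
    if today - app.last_scan > max_interval:
        reasons.append(
            f"last scan on {app.last_scan} is older than {max_interval.days} days")

    # Trigger 2: security patches were applied after the last scan.
    patches_since = [p for p in app.patches_applied if p > app.last_scan]
    if patches_since:
        reasons.append(
            f"{len(patches_since)} patch(es) applied since last scan, "
            f"latest on {max(patches_since)}")
    return reasons


def overdue_apps(inventory: List[WebApp], today: date,
                 max_interval: timedelta = QUARTER) -> Dict[str, List[str]]:
    """Map each overdue application name to the list of reasons it is overdue."""
    report: Dict[str, List[str]] = {}
    for app in inventory:
        reasons = scan_due_reasons(app, today, max_interval)
        if reasons:
            report[app.name] = reasons
    return report


# Constructed sample inventory; names and dates are made up for this example.
SAMPLE_INVENTORY = [
    WebApp("patient-portal", date(2023, 1, 10), date(2023, 9, 1),
           patches_applied=[date(2023, 9, 20)]),          # patched after scan
    WebApp("referrals-api", date(2023, 2, 1), date(2023, 5, 1)),  # stale scan
    WebApp("staff-intranet", date(2023, 10, 1), None),    # never scanned
    WebApp("booking-app", date(2023, 1, 1), date(2023, 10, 1),
           patches_applied=[date(2023, 8, 15)]),          # scanned after patch
]

if __name__ == "__main__":
    for name, reasons in overdue_apps(SAMPLE_INVENTORY, date(2023, 10, 15)).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run as-is, the report lists patient-portal (patched since its last scan), referrals-api (last scanned more than a quarter ago) and staff-intranet (never scanned); booking-app is current because its only patch predates its most recent scan. Feeding the same function from a real asset register and patch log is the natural next step for a trust that wants to move from an annual scan to the cadence described above.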
The cost of a penetration test is much lower than that of a data breach
Many healthcare organisations argue that they don’t have the budget or resources to regularly scan
Read more https://www.itgovernance.co.uk/blog/nhs-trusts-fail-to-regularly-scan-for-app-vulnerabilities/