Cybersecurity | September 2025

Secure Code Review for Healthcare Software: A Practical Process Guide

Healthcare software handles some of the most sensitive data in existence. Secure code review catches the vulnerabilities that put patient data at risk before they reach production.

Healthcare software is uniquely sensitive. Applications that process, store, or transmit electronic protected health information carry regulatory obligations under HIPAA and equivalent regulations in other jurisdictions. A single vulnerability — an insecure direct object reference in a patient portal, an SQL injection flaw in a laboratory results system, an authentication bypass in a telehealth platform — can expose thousands of patient records and trigger regulatory investigation, civil litigation, and reputational consequences.

Secure code review is the systematic examination of application source code to identify security vulnerabilities before they are deployed to production. It is distinct from functional testing and penetration testing — it operates at the source code level, finding issues that runtime testing may not surface. For healthcare software, it is an essential quality gate.

Why Healthcare Software Needs Code Review

The nature of healthcare data creates risk that extends beyond the typical software security concern. A vulnerability that exposes financial data can be costly; a vulnerability that exposes HIV status, mental health records, or reproductive health information can directly harm the individuals whose data is compromised. Some healthcare data is subject to additional protection requirements beyond standard ePHI, including substance abuse treatment records under 42 CFR Part 2.

Healthcare applications also frequently integrate with critical clinical systems — the EHR, laboratory systems, pharmacy dispensing platforms — where vulnerabilities could affect not just data confidentiality but clinical workflow integrity. An injection flaw that allows modification of medication orders is a patient safety issue, not merely a data security issue.

Finally, healthcare software development often involves teams that may not have deep security training. Internal application development teams at health systems, third-party vendors building EHR integrations, and startups developing digital health tools all produce code that touches ePHI and requires security scrutiny.

What a Code Review Covers

OWASP Top 10

The OWASP Top 10 is the foundational reference for web application security vulnerabilities. A code review should systematically examine the application for each category:

Injection — SQL injection, OS command injection, LDAP injection, and similar flaws that allow attackers to pass untrusted data to interpreters. In healthcare applications, injection flaws can expose entire patient databases.

Broken authentication — Weak session management, insecure credential storage, missing account lockout, and inadequate session expiry. Healthcare applications often have complex authentication requirements involving multiple user types and roles.

Sensitive data exposure — Unencrypted storage or transmission of ePHI, weak cryptographic algorithms, and insecure handling of keys and credentials.

Insecure direct object references — Allowing users to access resources by manipulating identifiers without authorisation checks. In a patient portal, this could allow a patient to view another patient's records.

Security misconfigurations — Default credentials, unnecessary features enabled, verbose error messages revealing internal paths or database structure.

Cross-site scripting (XSS) — Allowing attacker-controlled content to execute in other users' browsers, enabling session hijacking or credential theft.

Broken access control — Failing to enforce that users can only access data and functions appropriate to their role. This is a particularly significant risk in EHR applications where role-based access to patient records must be precisely enforced.
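The two flaws the list singles out for patient-facing systems, injection and a missing authorisation check on a record identifier, are easiest to recognise in review when the vulnerable and corrected forms sit side by side. The following is an added example written for this guide, not code from the original article or from any product; it uses an in-memory SQLite table with constructed patient rows, and the `CARE_TEAM` and `PATIENT_USERS` mappings are assumed stand-ins for whatever the real application uses to decide who may see which record.

```python
import sqlite3

# Constructed sample data; not taken from any real system.
PATIENTS = [
    (1, "MRN-1001", "Alice Example", "hypertension"),
    (2, "MRN-1002", "Bob Example", "asthma"),
    (3, "MRN-1003", "Carol Example", "diabetes"),
]
# Assumed authorisation model: a portal user maps to exactly one patient record,
# a clinician may read the patients on their care team.
PATIENT_USERS = {"alice": 1, "bob": 2}           # portal user -> own patient id
CARE_TEAM = {"dr.jones": {1, 2}}                 # clinician -> patient ids


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, mrn TEXT, name TEXT, diagnosis TEXT)")
    db.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", PATIENTS)
    return db


def find_by_mrn_vulnerable(db, mrn):
    # Untrusted input concatenated into the statement: the pattern a reviewer flags
    # as SQL injection. A crafted mrn value changes the WHERE clause itself.
    return db.execute(f"SELECT id, name FROM patients WHERE mrn = '{mrn}'").fetchall()


def find_by_mrn_safe(db, mrn):
    # Parameterised query: the driver binds mrn as data, so it can never alter the SQL.
    return db.execute("SELECT id, name FROM patients WHERE mrn = ?", (mrn,)).fetchall()


def can_read(actor, patient_id):
    """Authorisation decision, kept in one place so reviewers can verify it."""
    return PATIENT_USERS.get(actor) == patient_id or patient_id in CARE_TEAM.get(actor, set())


class Forbidden(Exception):
    pass


def get_record_vulnerable(db, actor, patient_id):
    # Insecure direct object reference: the identifier from the request is trusted,
    # so any logged-in user can read any patient's record by changing the id.
    return db.execute("SELECT name, diagnosis FROM patients WHERE id = ?", (patient_id,)).fetchone()


def get_record_safe(db, actor, patient_id):
    # The same lookup, but only after the actor has been authorised for this record.
    if not can_read(actor, patient_id):
        raise Forbidden(f"{actor} is not authorised to read patient {patient_id}")
    return db.execute("SELECT name, diagnosis FROM patients WHERE id = ?", (patient_id,)).fetchone()
```

In a review, the thing to check is not only that every query is parameterised but that every data-access path calls an authorisation function like `can_read` before touching the row; a parameterised query that skips the check is still an IDOR.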

Hardcoded Credentials and Secrets

Healthcare applications frequently contain hardcoded database passwords, API keys, encryption keys, or third-party service credentials embedded in source code. These are often committed to version control repositories, where they persist in the repository history even after being removed from the current code. Secret scanning should be a standard component of code review.
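A minimal secret scanner shows what such a check looks for: keyword-based assignments of quoted literals, well-known credential formats, and high-entropy strings that carry no telltale name. This is an added illustration for this guide, not code from the article or from any scanning product. The AWS access key id format (`AKIA` plus 16 characters) is documented, and the sample key id below is the one AWS uses in its own documentation; the other patterns, the entropy threshold, and the sample source lines are assumptions constructed for the example.

```python
import math
import re

# Detection rules a review's secret scan would start from. The AKIA prefix and
# 16-character suffix is the documented AWS access key id format; the remaining
# patterns are assumptions about common naming, not an exhaustive rule set.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded-password",
     re.compile(r"(?i)(password|passwd|pwd|secret|api_?key|token)\s*[:=]\s*['\"]([^'\"]{4,})['\"]")),
]
# Any quoted literal of 20+ token-like characters is a candidate for the entropy check.
QUOTED_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")


def shannon_entropy(s):
    """Bits per character; random keys score high, English words and paths score low."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_lines(lines, entropy_threshold=3.5):
    """Return (line number, rule name) for each line that looks like it embeds a secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
                break
        else:
            # No keyword rule fired: fall back to entropy of any long quoted token.
            for match in QUOTED_TOKEN.finditer(line):
                if shannon_entropy(match.group(1)) >= entropy_threshold:
                    findings.append((lineno, "high-entropy-string"))
                    break
    return findings


SAMPLE_SOURCE = [  # constructed source lines, not from any real code base
    "import os",
    'DB_PASSWORD = "hunter2"                 # literal credential: flag',
    'DB_PASSWORD = os.environ["DB_PASSWORD"] # read from the environment: fine',
    'aws_key = "AKIAIOSFODNN7EXAMPLE"         # AWS documentation example key id',
    'SIGNING_KEY_B64 = "x9F2kL0pQ7vZ3mT8bR5wY1nC4hJ6"  # no keyword, caught by entropy',
    'greeting = "hello world"',
]

if __name__ == "__main__":
    for lineno, rule in scan_lines(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}")
```

The entropy fallback is what catches the fifth line, where the variable name gives nothing away; it also produces most of the false positives in practice, which is why real scanners pair it with allow-lists and why the review should run the scan over repository history, not just the checked-out tree.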

Insecure Dependencies

Modern healthcare applications use many third-party libraries and frameworks. Any of these may contain known vulnerabilities that are catalogued in the National Vulnerability Database and exploitable if left unpatched. Software composition analysis (SCA) tooling automates identification of vulnerable dependencies.
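SCA tooling is, at its core, a parser for the dependency manifest and a match against an advisory feed. The following is an added sketch of that logic written for this guide, not code from the article or from any of the tools named here; it handles only exactly pinned `requirements.txt` entries, and the advisory feed (with placeholder `ADV-EXAMPLE-...` identifiers, not real CVEs) and the sample manifest are constructed for the example.

```python
import re

# Constructed advisory feed: package -> list of (introduced, fixed, advisory id).
# Versions in [introduced, fixed) are affected. Ids are placeholders, not real CVEs.
ADVISORIES = {
    "examplelib": [("0.0.0", "2.3.1", "ADV-EXAMPLE-0001")],
    "fastparser": [("1.0.0", "1.4.0", "ADV-EXAMPLE-0002"), ("2.0.0", "2.1.2", "ADV-EXAMPLE-0003")],
}

# Only exact pins are accepted: an unpinned dependency cannot be assessed reliably.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$")


def parse_version(v):
    """Numeric dotted versions only; pre-release tags are out of scope for this sketch."""
    return tuple(int(part) for part in v.split("."))


def parse_requirements(text):
    """Map normalised package name -> pinned version, rejecting anything unpinned."""
    pins = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = REQ_LINE.match(line)
        if not match:
            raise ValueError(f"unsupported requirement (only exact pins handled): {line!r}")
        pins[match.group(1).lower().replace("_", "-")] = match.group(2)
    return pins


def find_vulnerable(pins):
    """Return (package, pinned version, advisory id, first fixed version) for each hit."""
    findings = []
    for pkg, ver in pins.items():
        for introduced, fixed, advisory in ADVISORIES.get(pkg, []):
            if parse_version(introduced) <= parse_version(ver) < parse_version(fixed):
                findings.append((pkg, ver, advisory, fixed))
    return findings


SAMPLE_REQUIREMENTS = """\
# constructed manifest for the example
examplelib==2.2.0
fastparser==2.1.2
reportgen==3.0.0
"""

if __name__ == "__main__":
    for pkg, ver, advisory, fixed in find_vulnerable(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{pkg}=={ver}: {advisory}, upgrade to >= {fixed}")
```

Two review points fall out of this directly: the manifest must pin versions (otherwise the build is not reproducible and the scan result is meaningless), and the scan must run again whenever the advisory feed changes, not just when the code does, which is the alerting behaviour the hosted tools provide.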

Cryptography Implementation

Healthcare applications must encrypt ePHI at rest and in transit. Code review should verify that encryption is applied correctly: using industry-standard algorithms (AES-256, RSA-2048 or higher, TLS 1.2 minimum), avoiding deprecated algorithms (MD5, SHA-1, DES, RC4), managing keys securely, and not reinventing cryptography using custom implementations.

Authentication and Session Management

Authentication logic is complex and error-prone. Code review should verify that multi-factor authentication is correctly implemented where required, that session tokens are generated with sufficient entropy, that session tokens are invalidated on logout and after inactivity, and that password storage uses appropriate modern hashing (bcrypt, Argon2, or PBKDF2) with salting.
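The session and password-storage checks in that paragraph map onto a small amount of code that a reviewer expects to find in one place. The following is an added example written for this guide (not code from the article or any framework) using only the Python standard library: PBKDF2-HMAC-SHA256 with a per-user random salt and a constant-time comparison, and a session store whose tokens come from the OS CSPRNG and are invalidated on logout and after an idle timeout. The iteration count, the 15-minute idle timeout, and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed work factor for the example; the right value is whatever the deployment
# hardware tolerates at login, and it should be reviewed periodically.
PBKDF2_ITERATIONS = 600_000


def hash_password(password):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    computed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


class SessionStore:
    """Server-side sessions: random opaque tokens, idle expiry, explicit logout."""

    def __init__(self, idle_timeout_s=900, clock=time.time):
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._sessions = {}

    def create(self, user_id):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not random.random()
        self._sessions[token] = {"user": user_id, "last_seen": self.clock()}
        return token

    def resolve(self, token):
        """Return the user for a live session, or None; touching the session extends it."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > self.idle_timeout_s:
            del self._sessions[token]     # expired: forget it server-side, not just client-side
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, token):
        # Invalidation must happen on the server; clearing the cookie alone is not logout.
        self._sessions.pop(token, None)
```

The review questions this answers are the ones the paragraph lists: where does the token's entropy come from, is the session actually destroyed on logout, and does idle time end it without the client's cooperation. Anything that stores a session in a signed client cookie alone cannot satisfy the logout requirement without an additional server-side revocation list.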

Manual vs Automated Review

Static Application Security Testing (SAST)

SAST tools analyse source code without executing the application, identifying patterns associated with known vulnerability classes. Popular SAST tools include SonarQube, Checkmarx, Veracode, and Semgrep. SAST is fast and scalable — it can be integrated into CI/CD pipelines to provide automated feedback on every code commit.

SAST tools generate false positives that require triage, and they miss vulnerability classes that require understanding of application logic or business context. They are a valuable foundation but not a substitute for manual review.

Software Composition Analysis (SCA)

SCA tools identify third-party libraries with known vulnerabilities. Tools like Snyk, OWASP Dependency-Check, and GitHub Dependabot automate this analysis and can alert development teams when new vulnerabilities are disclosed for dependencies in use.

Manual Code Review

Manual review by experienced security engineers surfaces vulnerabilities that automated tools miss: logical flaws in authorisation enforcement, insecure data flows that cross multiple files, and business logic vulnerabilities that require understanding of the clinical context. Manual review is more expensive and slower, but it consistently adds value beyond automated tooling for complex, high-risk healthcare applications.

CVSS Scoring and Prioritisation

Findings from a code review should be risk-rated using CVSS to enable consistent prioritisation. Critical and High severity findings — particularly those affecting authentication, authorisation, or handling of ePHI — should be addressed before the code is deployed to any environment that contains real patient data.

Prioritisation must also account for exploitability in context: a vulnerability in an internally accessible API used only by a batch process carries different risk than the same vulnerability in a public-facing patient portal.

What a Good Report Looks Like

A code review report should include an executive summary with the overall risk posture, a detailed findings section with one finding per vulnerability type (not per instance), CVSS scores, reproduction steps or code excerpts, business impact description specific to the healthcare context, and specific remediation guidance. It should be usable by both security leadership and development teams.

When to Commission a Code Review

Code review is most valuable at specific points in the development lifecycle: before the initial production deployment of a new application, before significant releases of existing high-risk applications, after a security incident that may have involved application-layer vulnerabilities, and as part of vendor due diligence when procuring third-party healthcare software or integrations.

For organisations with continuous development cycles, integrating SAST into the CI/CD pipeline and scheduling periodic manual reviews of critical application components provides the best balance of coverage and cost.

FZ Consulting LLP provides secure code review services for healthcare applications, including EHR integrations, patient portals, and clinical decision support tools. Contact our team to discuss a code review engagement.