Minimizing Healthcare Risk through Penetration Testing (Part 2)
By Gil Vidals, HIPAA Blog, Penetration Testing

Updated January 2024, original interview in 2020

In Part 1 of our interview with Ricoh Danielson, we discussed how a comprehensive, “real world” penetration test (also known as ethical hacking) can help you find and fix the gaps in your company’s security.

Why do you need it? 

Let’s take a moment to recap why you need it: for those in healthcare especially, cybercrime represents an enormous risk to both patients and health organizations. The beauty of an objective pen test report from someone “outside” your organization is that the IT team, as well as executives, can see their security blind spots, and leverage this “early detection” to make changes. Your sensitive patient data can be better protected while saving you a bundle in potential breach costs, downtime, and remediation.

That said, let’s continue our conversation with Ricoh:

HIPAA Vault

Ricoh, once you’ve done the work of thoroughly testing a company’s defenses with a penetration test, how might you communicate those results to the organization’s C-level executives (CISOs, CIOs, etc.)?

Danielson

I like to approach all C-level executives as if they were the CEO because they all have a stake in the company’s well-being and bottom line. We want them to embrace a posture of “collective fault and ownership,” instead of finger-pointing about weaknesses. (As an aside, I remember a hematologist company that we were working with that had developed a homegrown app, and their CEO was hit with ransomware – which just shows it can happen to anyone. The hackers then took the company’s code and weaponized it against them. Our remediation included implementing code-commit software to help manage and protect their data repositories.)

As for communicating the results of a pen test, we’ll present the executives with a comprehensive report (or post mortem) that they can relate to. This includes the gaps in security that we discovered, but also allows them to make financial correlations based on: 

1.) the cost of continued non-compliance (including fines per month from agencies like the OCR), and 

2.) the total projected costs for remediation

Executives can then determine the correct financial mechanisms to use to fix the problems.

HIPAA Vault

What are some typical things you’d expect to see on a pen test report?

Danielson

The pen test report will outline the various attack vectors and vulnerabilities that are most likely to compromise their systems (attacks on network infrastructure and patient portals, weakness in web applications, social engineering, etc.). Very likely, the organization has already identified its most critical assets; if not, this will become clearer. We then provide our strategic recommendations, including levels of risk and where investments in security need to be made. Finally, we show them how to work from the inside-out to secure those assets and apply the appropriate remediation – everything from reverse engineering malware, to applying multi-factor authentication, firewalls, ensuring backups, and more.

HIPAA Vault

That sounds like it would be valuable information for any company that wants to understand its current security posture. So to sum it all up, what are the things we want to see a company doing after a pen test?

Danielson

Ultimately, it’s not enough just to implement new solutions or policies. What you really want to see is a change in culture – from the top down – that embraces a security mindset and adheres to it. Each employee should know that they play an important role in the company’s ongoing security process, because it’s true: you’re only as strong as your weakest link. That means that training should be ongoing and normal, and things like robust and secure password policies should be in play and utilized. Only then will you truly benefit from all that a penetration test offers.

Regulatory Compliance and Penetration Testing in Healthcare

In the ever-evolving landscape of healthcare cybersecurity, regulatory compliance plays a crucial role in safeguarding patient data. HIPAA does not name penetration testing explicitly, but the Security Rule does require a risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and periodic technical evaluation (45 CFR 164.308(a)(8)), and a penetration test is one of the most direct ways to produce evidence for both. In practice, then, penetration testing is not just a best practice; it is a standard part of maintaining and demonstrating HIPAA compliance.

Regular penetration testing helps healthcare organizations identify vulnerabilities that could lead to data breaches and non-compliance. By simulating real-world attacks, these tests reveal weaknesses in systems, networks, and applications that might otherwise go unnoticed.

Key benefits of penetration testing for regulatory compliance:

  • Demonstrates due diligence in protecting patient data
  • Provides evidence for the risk analysis and periodic technical evaluation the HIPAA Security Rule requires
  • Provides documentation for audits and inspections
  • Identifies areas for improvement in security policies and procedures

Healthcare organizations should view penetration testing as an integral part of their compliance strategy, not just a one-time checkbox exercise.

Emerging Threats in Healthcare Cybersecurity

The healthcare sector faces an ever-growing array of cybersecurity threats. As technology advances, so do the tactics of malicious actors seeking to exploit vulnerabilities in healthcare systems.

Some of the most pressing emerging threats include:

  1. IoT Device Vulnerabilities: The proliferation of connected medical devices creates new attack surfaces for cybercriminals; many of these devices run outdated software, cannot easily be patched, and sit on the same network as clinical systems.
  2. AI-Powered Attacks: Sophisticated attackers are using artificial intelligence to create more convincing phishing emails and social engineering tactics.
  3. Supply Chain Attacks: Cybercriminals are targeting healthcare suppliers and vendors, often through vendor remote-access accounts or compromised software updates, to gain backdoor access to larger healthcare organizations.
  4. Ransomware Evolution: Ransomware attacks are becoming more targeted and sophisticated, with attackers often exfiltrating data before encryption (so-called double extortion), which means restoring from backup no longer ends the incident.
  5. Cloud Security Challenges: As healthcare organizations increasingly adopt cloud services, securing data across multiple environments becomes more complex.

To combat these threats, healthcare organizations must stay informed about the latest attack vectors and continuously update their security strategies. Regular penetration testing can help identify vulnerabilities related to these emerging threats before they can be exploited.

Building a Security-Aware Workforce in Healthcare

While technological solutions are crucial, the human element remains a critical factor in healthcare cybersecurity. Building a security-aware workforce is essential for creating a robust defense against cyber threats.

Strategies for fostering a security-conscious culture:

  1. Ongoing Training: Implement regular, engaging cybersecurity training sessions that cover the latest threats and best practices.
  2. Simulated Phishing Exercises: Conduct periodic phishing simulations to test and improve employees’ ability to recognize and report suspicious emails.
  3. Clear Security Policies: Develop and communicate clear, easy-to-understand security policies that outline expected behaviors and procedures.
  4. Incident Reporting Mechanisms: Establish user-friendly channels for employees to report suspected security incidents or concerns.
  5. Lead by Example: Ensure that leadership visibly prioritizes and participates in cybersecurity initiatives.

By investing in employee education and awareness, healthcare organizations can transform their workforce into a powerful line of defense against cyber threats. This human firewall complements technical security measures and penetration testing efforts, creating a more comprehensive cybersecurity strategy.

Remember, building a security-aware culture is an ongoing process that requires consistent effort and reinforcement. Regular assessments, including penetration tests, can help measure the effectiveness of these initiatives and identify areas for improvement in both technical and human aspects of cybersecurity.

Ricoh Danielson is a graduate of Thomas Jefferson School of Law, Colorado Tech University, and UCLA Anderson School of Management. In addition to conducting penetration tests for healthcare companies, Ricoh helps small to large businesses with incident response and digital forensics, and has contributed articles to a number of cybersecurity publications. A U.S. Army Combat Veteran, Ricoh served in Iraq and Afghanistan. 

HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to HIPAA Compliant WordPress, HIPAA Vault provides secure email and file sharing solutions to improve patient communications. For more information, or to schedule a penetration test, call us at: 760-290-3460, or visit us at www.hipaavault.com.