In part-1 of our interview with Ricoh Danielson, we discussed how a comprehensive, “real world” penetration test (also known as ethical hacking) can help you fix the gaps in your company’s security.
Why do you need it?
Let’s take a moment to recap why you need it: for those in healthcare especially, cybercrime represents an enormous risk to both patients and health organizations. The beauty of an objective pen test report from someone “outside” your organization is that the IT team as well as executives can see their security blind spots, and leverage this “early detection” to make changes. Your sensitive patient data can be better protected, while saving you a bundle in potential breach costs, downtime, and remediation.
That said, let’s continue our conversation with Ricoh:
HV: Ricoh, once you’ve done the work of thoroughly testing a company’s defenses with a penetration test, how might you communicate those results to the organization’s C-level executives (CISOs, CIOs, etc)?
RD: I like to approach all C-level executives as if they were the CEO, because they all have a stake in the company’s well being and bottom line. We want them to embrace a posture of “collective fault and ownership,” instead of finger-pointing about weaknesses. (As an aside, I remember a hematologist company that we were working with that had developed a homegrown app., and their CEO was hit with ransomware – which just shows it can happen to anyone. The hackers then took the company’s code and weaponized it against them. Our remediation included implementing code-commit software to help manage and protect their data repositories).
As for communicating the results of a pen test, we’ll present the executives with a comprehensive report (or post mortem) that they can relate to. This includes the gaps in security that we discovered, but also allows them to make financial correlations based on:
1.) the cost of continued non-compliance (including fines per month from agencies like the OCR), and
2.) the total projected costs for remediation
Executives can then determine the correct financial mechanisms to use to fix the problems.
HV: What are some typical things you’d expect to see on a pen test report?
RD: The pen test report will outline the various attack vectors and vulnerabilities that are most likely to compromise their systems (attacks on network infrastructure and patient portals, weakness in web applications, social engineering, etc.). Very likely, the organization has already identified its most critical assets; if not, this will become clearer. We then provide our strategic recommendations, including levels of risk and where investments in security need to be made. Finally, we show them how to work from the inside-out to secure those assets and apply the appropriate remediation – everything from reverse engineering malware, to applying multi-factor authentication, firewalls, ensuring backups, and more.
HV: That sounds like it would be valuable information for any company that wants to understand its current security posture. So to sum it all up, what are the things we want to see a company doing after a pen test?
RD: Ultimately, it’s not enough just to implement new solutions or policies. What you really want to see is a change in culture – from the top down – that embraces a security mindset and adheres to it. Each employee should know that they play an important role in the company’s ongoing security process, because it’s true: you’re only as strong as your weakest link. That means that training should be ongoing and normal, and things like robust and secure password policies should be in play and utilized. Only then will you truly benefit from all that a penetration test offers.
Ricoh Danielson is a graduate of Thomas Jefferson School of Law, Colorado Tech University, and UCLA Anderson School of Management. In addition to conducting penetration tests for healthcare companies, Ricoh helps small to large businesses with incident response and digital forensics, and has contributed articles to a number of cybersecurity publications. A U.S. Army Combat Veteran, Ricoh served in Iraq and Afghanistan.
HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to HIPAA Compliant WordPress, HIPAA Vault provides secure email and file sharing solutions to improve patient communications. For more information, or to schedule a penetration test, call us at: 760-290-3460, or visit our website at www.hipaavault.com.