Minimizing Healthcare Risk through Penetration Testing (Part 1)
By Gil Vidals, HIPAA Blog, Penetration Testing

Ricoh Danielson is an impressive guy. From his time serving as a US Army Combat soldier in Iraq, to becoming a legal advocate for veterans in their battle to receive PTSD treatment; then later developing his security expertise in digital forensics for law enforcement and the military, Ricoh has dedicated himself to a singular passion: protecting others.

Now a leader in Information Security, Ricoh has turned his sights on healthcare – an industry frequently targeted for a cyber attack. It was a privilege to speak with him recently about how healthcare organizations can improve their critical security posture, and specifically, the need for penetration testing – a practice that fits in well with a comprehensive, HIPAA compliance program. 

HV: Ricoh, it does seem that a major theme of your life has been protecting and advocating for others. Is that what motivates your interest in healthcare security as well?

RD: I’m passionate about ensuring that people’s lives and livelihoods are protected. I’ve seen how cybersecurity and digital forensics can be leveraged to uncover digital evidence that has helped patients; in law enforcement, I’ve seen how digital forensics is used to track down bad guys. From my military experience, I’ve seen how digital forensics evidence has helped make command decisions on the battlefield, saving soldiers’ lives. At the end of the day, I believe in using cybersecurity to continue to serve and protect others when needed.

HV: Many healthcare companies scan for vulnerabilities in their systems, but some are resistant to a penetration test that will simulate an all-out cyberattack. Why is this?  

RD: I remember working with a large medical company that had an app in the cloud. They were resistant to making the small investment for a penetration test (we even offered them a discount!), but they continued to insist they were fine. I then did an initial investigation that revealed to them how they were essentially open to the world – including China, Malaysia, and Russia – the 3 major bad actors. I told them that it’s very possible that hackers had some of their data already. Later, the Feds came in and mandated that this company make changes in their security, and the price tag ended up being far more expensive than if they had made the changes sooner. 

HV: So how do you determine who needs a penetration test?

RD: You might think it’s only large companies with money that can afford to do a penetration test, but the truth is, small to midsize companies can benefit as well. Whether you need one and how extensive the pen test should be will depend on your application. How vital and necessary is your app? Is it a healthcare app that delivers timely and critical feedback on, say, a person’s kidney disease? Most medical records companies, for example, will know that they need a pen test more often (maybe every 8 weeks), and therefore allocate a generous budget for it. 

HV: So what should a company know as they prepare for a pen test? 

RD: It’s important that the CISO and IT department first agree to check their egos at the door, and choose transparency over defensiveness. If they do, then we can run a Purple Team exercise (a combination of Red & Blue Teams, where the Red Team launches an attack in an attempt to exploit the company’s defenses, and the Blue Team is the IT team that seeks to thwart the attack. The Purple team remains neutral and helps both teams). Everybody is then working toward the end goal of strengthening security, testing their app, getting their servers patched, and doing what it takes to make the company more secure. 

HV: What else is important to prepare for, in view of a potential cyber attack?

RD: Everyone needs a “critical response plan.” In the military, we’d often emphasize that soldiers in the field need 3 things: radio, food & water, and ammo. Likewise, hospitals and other organizations with sensitive data (like banks) also need 3 things, and these should be written up very clearly so it’s easily accessible in the event of an attack: 

1.) Someone you’ll call about your infrastructure, 

2.) A bank account large enough to handle remediation costs if you’re breached, and to get you back up and running, and,

3.) Good insurance. 

You really need these things whether you’re large or small, because the truth is, it’s not if you get attacked, but when.

Stay tuned for Part 2 of our interview with Ricoh!

Ricoh Danielson is a graduate of Thomas Jefferson School of Law, Colorado Tech University, and UCLA Anderson School of Management. In addition to conducting penetration tests for healthcare companies, Ricoh helps small to large businesses with incident response and digital forensics, and has contributed articles to a number of cybersecurity publications. A U.S. Army Combat Veteran, Ricoh served in Iraq and Afghanistan. 

HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to HIPAA Compliant WordPress, HIPAA Vault provides secure email and file sharing solutions to improve patient communications. For more information, or to schedule a penetration test, call us at 760-290-3460, or visit us at