Pen Testing 101: How Healthcare Organizations Can Strengthen Their Security Posture

^{Penetration testing can help healthcare organizations identify and fix their security vulnerabilities.}

Healthcare organizations are worried about how secure their industry is — and they should be. According to a 2018 HIMSS report (PDF), only about 50 percent of healthcare organizations carve out a piece of their IT budget specifically for cybersecurity purposes. When looking at the bigger picture, that means only about half of businesses in the healthcare space are fully dedicating resources to keep patients’ data safe.

>> READ: Penetration Testing: If You Can’t Beat the Hackers, Join Them

In today’s ever-changing (even volatile) cyber landscape, healthcare organizations are presented with a multitude of potential security threats — especially those that go after personal data. To date in 2018, more than 270 data breaches were reported to the U.S. Department of Health and Human Services Office for Civil Rights. Considering the massive increase in incidents this year alone, it’s surprising that many organizations aren’t investing enough money into their cybersecurity strategy.

As we head in 2019, the question is, “where should we prioritize our IT budgets to avoid a repeat of 2018 and prevent exposing massive amounts of patient data in the coming year?”

Know your biggest cybersecurity threats.

Understanding the largest threats for healthcare organizations is the best place to start when it comes to identifying the best course of action. For healthcare organizations, the highest-priority security incidents revolve around access to client data, which can be compromised in the event of breach or ransomware incident. These two are perhaps the most common incidents experienced by medical practices and insurers in most recent years.

So, what’s to blame?

A number of things. Techniques varying from the technical to the human element are most often responsible for causing serious security mishaps. Whether it’s an employee accidentally clicking a phishing link (the same HIMSS report found email is responsible for 61 percent of cybersecurity incidents) or a malicious actor shutting down an organization with ransomware, there are a number of warning signs businesses must be able to quickly identify and remediate.

Make penetration testing an integral part of your security strategy.

One of the best and most practical ways to avoid and prevent an accidental data breach or ransomware infection is through penetration tests, also known as pen testing. A penetration test can be defined in a number of different ways, but, at its core, is intended to review the security posture of a network or computer systems by attempting to discover and exploit vulnerabilities similar to that of real-world attack scenarios. In a penetration test, systems are purposely exploited to show the many ways a host can potentially gain access to sensitive information, user credentials, protected healthcare information or additional access to a network.

Prioritize the types of pen tests you execute on.

When it comes to pen testing, there are plenty of different types of tests and outlets to execute on. If your organization’s email system is vulnerable, an electronic social engineering pen test is a logical next step. In this instance, a malicious actor would be simulated to perform a phishing attack against the business and employees in an attempt to uncover gaps in policies and procedures for end users.

To help improve email security, an organization should implement a layered approach. This includes protections such as attachment scanning for emails to check for malicious content, user awareness training to help employees spot potential signs for phishing attempts and how to report them, as well as multi-factor authentication to protect against password guessing or brute-force attacks. An electronic social engineering pen test can be used as a verification that these and other security controls are properly implemented and followed within the organization.

To help prevent a ransomware attack such as NotPetya, healthcare organizations should test their systems and susceptibility to potentially exploit via a network penetration test. A network penetration test is designed to test the different aspects of internal and external networks, simulating malicious actors targeting different parts of an organization’s architecture to gain greater internal access.

In the healthcare industry, a penetration tester investigating a hospital’s internal network should start with the low-hanging fruit. The most important vulnerabilities to identify are hosts and services configured with weak or default passwords, as well as those that are missing critical patches. By using a network pen test, these concerns will easily be brought to light in ways they otherwise wouldn’t be.

Looking to 2019, it’s important for healthcare companies to recognize the benefits pen testing can bring to their organization. In addition to identifying potential security gaps where malicious activity can occur, the practice can also test their ability to detect and respond to attacks facing their organizations today. To ensure a consistent and reliable security posture, healthcare organizations must verify that the policies and procedures in place are being followed and are effective for the everchanging security landscape before it’s too late.

Steven Laura is a penetration tester and Emilie St-Pierre is a security analyst at Rapid7.

Get the best insights in healthcare analytics directly to your inbox. Register for our daily newsletter.

Related

Healthcare System Neglect Is Top Cause of Data Breaches

How the Atrium Health Data Breach Unfolded

What to Do Before and After a Data Breach