Hacking Healthcare: How to Offensively Protect Healthcare Systems

This commentary originally appeared September 20 on the HORNE Cyber Blog.

A breach of a healthcare provider can have a serious impact, both in terms of financial loss and patient confidence. HIPAA violations can involve fines of up to $50,000 per patient record, and in many cases, attackers are able to access all of a provider’s patient records.

Healthcare breaches are widely covered in the news, where the court of public opinion lays blame on the targeted organization. Current and future patients may think twice, even years later, about seeking care from a provider that was portrayed negatively by the press for data loss.

Strong policies and procedures can make sure that an organization sets and maintains the right “mindset” for security, but unfortunately, there may still be technical “gaps”. With security, the devil is in the details.

The IT staff’s focus is on continuity of service for the hospital staff, and “putting out fires” with regards to technical problems. Data security is rarely the foremost concern, and the specialized training needed to identify exploitable vulnerabilities is not something that most IT staff require or use routinely. Third-party testing by experienced professionals is needed to give a provider visibility into how a real attacker sees their network.

While offense-oriented services can help identify vulnerabilities that would otherwise be exposed in embarrassing and expensive breaches, compliance-focused testing will never be sufficient in protecting patient data or continuity of service. Limiting a penetration test to systems that are known to contain sensitive patient data ignores attackers' ability to find similar information in unexpected places or leverage access to untested systems to gain access to those containing sensitive records.

Advanced penetration testing, emulating the techniques of real threat groups, can illustrate how a real attack would move around a network, resulting in damaging theft of data. Testing that is fully automated, or reliant on automated tools that focus on surface-level testing with publicly-known vulnerability information, simply isn't good enough.

A topic I’ve spoken on in recent years at security conferences, Black Hat USA and DEF CON, is the concept of “secure penetration testing operations”. This is a tremendous concern for healthcare providers. Can you ensure that the penetration testers you use aren’t the sourceof a breach through mishandling of data or leaving “back doors” open on the networks they test?

On our own engagements, we have seen previous testers leave systems vulnerable after they “forget” to clean up after themselves. Do the experts performing your penetration test have experience with healthcare networks? Will they be able to identify the presence of medical devices and take due care in testing them? These are questions that need to be asked before engaging in this kind of service.

Advanced penetration is your organization’s best chance at identifying vulnerabilities that would otherwise become embarrassing and financially devastating breaches. It isn’t something that can be taken lightly or passed off without question to lowest bidder, however.

Seek out a firm that understands your needs in the healthcare sector, understands the dangers and risks of testing in a sensitive environment, and has the expertise and experience to find vulnerabilities before the real threat groups find them.

For weekly insights into healthcare, please sign up here: