Healthcare IT Security: The Case for Penetration Testing

Posted by John Dimaggio on Apr 6, 2016 1:54:48 PM

In Penetration Testing

HIPAA requires covered entities to safeguard against “reasonably anticipated” threats to protected health information (PHI).  With healthcare security breaches making all too frequent headlines, the threat of malicious hacking can certainly be reasonably anticipated.  In fact, according to a May 2015 Ponemon Institute study, criminal attacks on healthcare data are up 125% compared to five years ago.  In this landscape, healthcare organizations have a legal and ethical responsibility to identify real-world threats to IT assets and physical security and to reduce the likelihood that those threats succeed. Penetration testing shows you where your defenses actually hold before an attacker tests them for you.

Penetration testing, also known as “ethical hacking,” is an authorized, simulated attack on a computer system designed to pinpoint exploitable security weaknesses in operating systems, applications, configurations or risky end-user behavior.  The tester follows the practices and methods of an external or internal attacker attempting unauthorized data access, within a written scope and rules of engagement agreed before the test begins. Unlike a vulnerability scan, which only lists possible weaknesses, a penetration test demonstrates which of them can actually be turned into access, so it measures the true effectiveness of your security controls.

A thorough penetration test uses current tooling to gather information about the target, identify and exploit vulnerabilities, and attempt to crack recovered password hashes, defeat weak or misconfigured encryption, and gain a foothold in operating systems, web applications and wireless networks.  The primary objective is to establish if and where unauthorized system access can be attained, and how far an attacker could go from there.  Once security gaps are identified, they should be corrected and a retest performed to confirm that each fix actually closes the path the tester used. A clean retest means the reported findings were fixed, not that no vulnerabilities remain.
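To make the “attempt to crack passwords” step concrete, here is an added example (not code from the original post or from BlueOrange Compliance) in Python that runs an offline dictionary attack against a constructed credential dump. The usernames, passwords, wordlist and both password stores are made up for the demonstration. It shows why a tester reports unsalted, fast hashes as a finding in their own right: one lookup table cracks every account that chose a common password, while a salted, iterated hash forces the attacker to pay the full cost per user and per guess.

```python
"""Offline dictionary attack: why an unsalted fast hash is a pentest finding.

Added example (not BlueOrange Compliance code). All usernames, passwords,
the wordlist and both credential stores below are constructed for the demo.
"""
import hashlib
import os

# Constructed wordlist. A real test would use a large public list plus
# client-specific terms (facility names, local sports teams, season + year).
WORDLIST = ["password", "123456", "Welcome1", "Summer2015", "letmein", "hospital1"]

# Iteration count for the salted store; chosen so the demo runs in well under a second.
PBKDF2_ITERATIONS = 50_000


def md5_hex(password: str) -> str:
    """Unsalted MD5, as still found in many legacy applications."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes) -> str:
    """Salted, iterated hash: one guess costs PBKDF2_ITERATIONS HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def build_constructed_dump():
    """Simulate two credential stores a tester might recover from a compromised host.

    Returns (legacy, modern): legacy maps user -> unsalted MD5 hex; modern maps
    user -> (salt, PBKDF2 hex). Plaintexts appear here only to build the fixture;
    the cracking functions below never see them.
    """
    legacy = {
        "jdoe": md5_hex("Welcome1"),
        "nurse3": md5_hex("hospital1"),
        "admin": md5_hex("Tq9#vL2!mZp8"),   # long random passphrase, not in the wordlist
    }
    modern = {}
    for user, pw in (("jdoe", "Welcome1"), ("nurse3", "hospital1")):
        salt = os.urandom(16)              # per-user random salt
        modern[user] = (salt, pbkdf2_hex(pw, salt))
    return legacy, modern


def crack_unsalted(hashes, wordlist):
    """Hash each candidate once and look every account up in that table.

    Cost is len(wordlist) + len(hashes): adding more users is nearly free
    for the attacker, which is exactly why unsalted hashes are reported.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[digest] for user, digest in hashes.items() if digest in table}


def crack_salted(records, wordlist):
    """Recompute the slow hash per user and per candidate.

    Returns (recovered, guesses). The salt defeats the shared lookup table, and
    the iteration count makes each of the `guesses` attempts expensive; weak
    passwords still fall, but the attacker pays for every one of them.
    """
    recovered, guesses = {}, 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            guesses += 1
            if pbkdf2_hex(word, salt) == digest:
                recovered[user] = word
                break
    return recovered, guesses


if __name__ == "__main__":
    legacy, modern = build_constructed_dump()
    print("unsalted MD5 cracked:", crack_unsalted(legacy, WORDLIST))
    rec, n = crack_salted(modern, WORDLIST)
    print(f"salted PBKDF2 cracked: {rec} after {n} slow guesses")
```

Run it directly to see both stores attacked. The admin account with a long random passphrase survives in both cases, which is the point: cracking finds the weak passwords, and the hashing scheme decides how cheaply the attacker finds them.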

But you can’t stop there.  Penetration testing should be performed routinely, and after any significant change to the environment, so that security controls keep pace with emerging threats.   Attackers are continually sharpening and refining their skills, and new ones appear every day thanks to ready-made “hacking kits” sold on the dark web.  Healthcare IT is a particular target because those same markets pay a premium for stolen PHI.

The monetary cost of penetration testing is small compared with the impact on your organization if an attacker were to gain access to your infrastructure. According to a May 2015 Ponemon Institute study, the average cost of a data breach for healthcare organizations is estimated at more than $2.1 million, before counting the negative publicity and reputational damage that will almost certainly follow.  Breaches can also trigger Office for Civil Rights (OCR) investigations and additional costs such as credit monitoring for affected patients and residents.

It can be very difficult to test, analyze and remediate your own network vulnerabilities without interrupting day-to-day business operations. Your IT department may not have the resources or expertise to dedicate to designing and running testing methodologies that actively probe systems for technical vulnerabilities. Consider partnering with a compliance company.  A good compliance partner will help you pinpoint real risks to your networks, assess the performance of your overall security controls, and provide remediation guidance and support.


Read about a typical Healthcare IT penetration test performed by BlueOrange Compliance:

RiverSpring Health Case Study


BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH.  Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts.  Our national client base consists of hospitals, physician practices, nursing facilities, LTC pharmacies, LPCs, CCRCs, home care, hospice and business associates.  If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.