Welcome to the NEW CHUG— your ultimate destination for cutting-edge insights and discussions at the intersection of healthcare and technology.

Our platform is dedicated to exploring the dynamic landscape of healthcare technology, empowering professionals, enthusiasts, and innovators alike with the knowledge and resources to navigate the rapidly evolving field.

From telemedicine revolutionizing patient care to the transformative potential of artificial intelligence in diagnostics, we delve into a myriad of topics shaping the future of healthcare delivery. Whether you’re a seasoned healthcare IT professional, an aspiring entrepreneur in the digital health space, or simply curious about the latest innovations, our curated content, expert interviews, and thought-provoking articles provide a comprehensive exploration of healthcare technology’s most pressing issues.

Join us as we navigate the forefront of innovation, driving forward the transformation of healthcare for a healthier, more connected world.

Have questions or suggestions? Please use the contact button below.

Notifications

Clear all

Pen Testing

General Discussion

Last Post by tippenring 4 years ago

3 Posts

3 Users

0 Reactions

138 Views

RSS

chaddix

(@chaddix)

Posts: 177

Estimable Member

Topic starter

Hello all,

As we all know, a cyber-attack targeting healthcare providers was launched last week. In response, my organization is taking a close look at all applications deployed in our environment.

Have any of your organizations conducted (or hired someone to conduct) pen testing on your environment? We are especially interested in learning more about any security changes you made to CPS or SureScripts Patient Portal as a result of this testing. We will be reaching out to these vendors as well to obtain pen testing results and security best practices for configuration.

If you would prefer, feel free to reach out to me directly via email.

Thank you,

Craig Haddix

Posted : November 3, 2020 1:37 am

tnc

(@tnc)

Posts: 517

Honorable Member

For ransomware threats which come from email and other user-related things (USB drives, file sharing sites, etc) your best defense is an anti malware solution like Carbon Black, Comodo, Crowdstrike, etc where you can allow only applications which YOU choose. This is done by Publisher, Hash or certificate. It is a lot of work on the front end to get it set up but worth while to have this type of defense. In the words of John McAfee from about 5 years ago (before he went crazy), "Antivirus is dead"

I would never discourage pen testing but it is hard to find a reputable tester, in my experience. Sometimes you find them doing some basic recon work but not much more. I know that the really good pen testers are very expensive.

I hope others share their notes here and maybe recommend a good pen testing team which they have used.

Mike Zavolas
Tallahassee Neurological Clinic

Posted : November 3, 2020 3:19 am

tippenring

(@tippenring)

Posts: 56

Trusted Member

There is a whole lot to go into with information security, and the starting point somewhat depends on your current security posture.

Pentests are something you would do when your security posture is considered mature. The reasoning is that pentests usually expose a single attack vector, but an immature security posture probably has many.

If you publish web services, I usually find they are the most common thing that are poorly maintained and forgotten, but there are many other things to assess obviously. For example, do you host your patient portal site, or is it outsourced? Often the outsourced service might be considered a better risk because they employ web developers, security staff, have web application firewalls (WAFs), etc, and you don't need those things in house. That evaluation is typically part of a periodic inventory and security assessment.

Do you use VPNs? F5 had a big vulnerability a month or two ago. Palto Alto Global Protect had a similar one around late last year. Another VPN vendor had one recently as I recall also. Does your IT team keep track of things like this and apply patches and upgrades quickly when necessary?

I'd suggest reviewing some of the below resources and start forming a strategy to improve overall security posture. It can seem overwhelming, but don't let it be. It is the incremental improvements that make the difference long-term.

Some options will be big wins with major improvement and low cost. Of course those are the projects that are done first, but there are diminishing returns as security posture improves. Deciding what risks and costs are acceptable for the organization is the really hard part. Getting buy-in from management can be a challenge. That is certainly beyond the scope of this post, but be aware of it.

A few pertinent resources I have bookmarked in no particular order:

https://h-isac.org/ - Health Information and Sharing Analysis Center

https://isc.sans.edu/diary/rss/26448 - SANS article discussing pentesting

https://www.cisecurity.org/controls/ - Center for Internet Security security controls guidance

https://www.sans.org/critical-security-controls/ - SANS security controls guidance

https://www.cisa.gov/cyber-resource-hub - CISA resource hub

https://www.cisa.gov/cyber-hygiene-services - CISA does free public service scanning for government and critical infrastructure. They use NESSUS for their scans. They also provide other services, including pentesting.

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html - HHS HIPAA audit protocol

https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool - HIPAA security risk assessment tool

https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2020/index.html - HHS article on inventory and risk assessment

-dp

Posted : November 3, 2020 3:36 am

Share:

24 Forums
9,940 Topics
39.9 K Posts
0 Online
6,470 Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed

Powered by wpForo Powered by wpForo version 2.4.0