Hello all,
As we all know, a cyber-attack targeting healthcare providers was launched last week. In response, my organization is taking a close look at all applications deployed in our environment.
Have any of your organizations conducted (or hired someone to conduct) pen testing on your environment? We are especially interested in learning more about any security changes you made to CPS or SureScripts Patient Portal as a result of this testing. We will be reaching out to these vendors as well to obtain pen testing results and security best practices for configuration.
If you would prefer, feel free to reach out to me directly via email.
Thank you,
Craig Haddix
For ransomware threats which come from email and other user-related things (USB drives, file sharing sites, etc.) your best defense is an anti-malware solution like Carbon Black, Comodo, Crowdstrike, etc. where you can allow only applications which YOU choose. This is done by publisher, hash or certificate. It is a lot of work on the front end to get it set up but worthwhile to have this type of defense. In the words of John McAfee from about 5 years ago (before he went crazy), "Antivirus is dead."
I would never discourage pen testing but it is hard to find a reputable tester, in my experience. Sometimes you find them doing some basic recon work but not much more. I know that the really good pen testers are very expensive.
I hope others share their notes here and maybe recommend a good pen testing team which they have used.
Mike Zavolas
Tallahassee Neurological Clinic
There is a whole lot to go into with information security, and the starting point somewhat depends on your current security posture.
Pentests are something you would do when your security posture is considered mature. The reasoning is that pentests usually expose a single attack vector, but an immature security posture probably has many.
If you publish web services, I usually find they are the most common things that are poorly maintained and forgotten, but there are many other things to assess obviously. For example, do you host your patient portal site, or is it outsourced? Often the outsourced service might be considered a better risk because they employ web developers, security staff, have web application firewalls (WAFs), etc., and you don't need those things in house. That evaluation is typically part of a periodic inventory and security assessment.
Do you use VPNs? F5 had a big vulnerability a month or two ago. Palo Alto GlobalProtect had a similar one around late last year. Another VPN vendor had one recently as I recall also. Does your IT team keep track of things like this and apply patches and upgrades quickly when necessary?
I'd suggest reviewing some of the resources below and starting to form a strategy to improve overall security posture. It can seem overwhelming, but don't let it be. It is the incremental improvements that make the difference long-term.
Some options will be big wins with major improvement and low cost. Of course those are the projects that are done first, but there are diminishing returns as security posture improves. Deciding what risks and costs are acceptable for the organization is the really hard part. Getting buy-in from management can be a challenge. That is certainly beyond the scope of this post, but be aware of it.
A few pertinent resources I have bookmarked in no particular order:
https://h-isac.org/ - Health Information and Sharing Analysis Center
https://isc.sans.edu/diary/rss/26448 - SANS article discussing pentesting
https://www.cisecurity.org/controls/ - Center for Internet Security security controls guidance
https://www.sans.org/critical-security-controls/ - SANS security controls guidance
https://www.cisa.gov/cyber-resource-hub - CISA resource hub
https://www.cisa.gov/cyber-hygiene-services - CISA does free public service scanning for government and critical infrastructure. They use Nessus for their scans. They also provide other services, including pentesting.
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html - HHS HIPAA audit protocol
https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool - HIPAA security risk assessment tool
https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2020/index.html - HHS article on inventory and risk assessment
-dp