There is a whole lot to go into with information security, and the starting point somewhat depends on your current security posture.
Pentests are something you would do when your security posture is considered mature. The reasoning is that pentests usually expose a single attack vector, but an immature security posture probably has many.
If you publish web services, I usually find they are the most common things that are poorly maintained and forgotten, but there are many other things to assess, obviously. For example, do you host your patient portal site, or is it outsourced? Often the outsourced service might be considered a better risk because they employ web developers and security staff, have web application firewalls (WAFs), etc., and you don't need those things in house. That evaluation is typically part of a periodic inventory and security assessment.
Do you use VPNs? F5 had a big vulnerability a month or two ago. Palo Alto GlobalProtect had a similar one around late last year. Another VPN vendor had one recently as I recall also. Does your IT team keep track of things like this and apply patches and upgrades quickly when necessary?
I'd suggest reviewing some of the resources below and starting to form a strategy to improve overall security posture. It can seem overwhelming, but don't let it be. It is the incremental improvements that make the difference long-term.
Some options will be big wins with major improvement and low cost. Of course those are the projects that are done first, but there are diminishing returns as security posture improves. Deciding what risks and costs are acceptable for the organization is the really hard part. Getting buy-in from management can be a challenge. That is certainly beyond the scope of this post, but be aware of it.
A few pertinent resources I have bookmarked in no particular order:
https://h-isac.org/ - Health Information and Sharing Analysis Center
https://isc.sans.edu/diary/rss/26448 - SANS article discussing pentesting
https://www.cisecurity.org/controls/ - Center for Internet Security security controls guidance
https://www.sans.org/critical-security-controls/ - SANS security controls guidance
https://www.cisa.gov/cyber-resource-hub - CISA resource hub
https://www.cisa.gov/cyber-hygiene-services - CISA does free public service scanning for government and critical infrastructure. They use Nessus for their scans. They also provide other services, including pentesting.
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html - HHS HIPAA audit protocol
https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool - HIPAA security risk assessment tool
https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2020/index.html - HHS article on inventory and risk assessment
-dp
Posted : November 3, 2020 3:36 am