How Penetration Testing Can Reduce the Risk and Reduce the Cost
AUTHOR: Samuel Hinson, Drummond Leader for Cybersecurity Services
Every organization has unique technical environments, operational challenges, and levels of cybersecurity program maturity. Is your electronic health record (EHR) software application secure? How do you ensure protected health information (PHI) isn’t leaked or compromised, and generate confidence that your system will not introduce vulnerabilities? Most organizations have technology and procedures in place to reduce the risk of data theft, but it can be very difficult to identify every security weakness.
According to a recent study, the Cost of a Data Breach 2022 Report by Ponemon Institute, sponsored by IBM, the longer it takes to identify and contain a breach, the more expensive it becomes. Not only is a breach costly, but reputations are at stake as well. Notable statistics from the report include:
$10.10 million: Average total cost of a data breach in healthcare.
The average total cost of a breach in healthcare increased from USD 9.23 million in the 2021 report to USD 10.10 million in 2022, an increase of USD 0.87 million or 9.4%.
12 years: Consecutive years the healthcare industry had the highest average cost of a breach.
83%: Organizations that have had more than one breach.
Eighty-three percent of organizations studied have experienced more than one data breach, and just 17% said this was their first data breach.
277 days: Average time to identify and contain a data breach.
The time to contain a breach refers to the time it takes for an organization to resolve a situation when it’s been detected and ultimately restore service.
There is no shortage of potential breach risks: stolen credentials, phishing, third-party software vulnerabilities, accidental data loss, cloud misconfiguration, insider threats, or social engineering. An article by Security Magazine reported that as of 2022, cyber-attacks saw a 62% year-over-year increase. This is due to cybercriminals being capable of penetrating 93% of company networks. Proactive security measures are no longer a ‘nice to have’ but a ‘need to have’.
To address these ongoing challenges, many cybersecurity teams conduct annual penetration testing. While penetration and vulnerability testing costs are modest (~$12,000), there is a proven ROI for EHRs. The Ponemon Institute report also shared several key data breach cost impact factors. The findings indicate that organizations that conduct Pen and Vulnerability Testing had an average breach cost reduction of $156,659. This represents an ROI of over 1300%.
Penetration testing helps your organization identify system and other vulnerabilities and shows how hackers try to exploit those weaknesses. Armed with this knowledge, your security team can develop effective educational materials for employees and shore up your defenses.
Protect what matters most and help your organization identify, document, and remediate potential threats and vulnerabilities to keep your business safe from attackers. To protect electronic patient health information (PHI), you need to look at your application the way a hacker would. This means you must identify and exploit network-layer and application-layer vulnerabilities, software and system configuration flaws, programming flaws, operational security gaps, and inadequate defensive technology.
You will also want to lock down and secure how data is shared via interoperability and ensure all interfaces (HL7 2.x/3.x, FHIR, API) are secure. It is also important to run automated scans and manually test all areas of the application, website, and other internet-based applications or third-party modules to help you manage risks and mitigate potential data breaches.
Given the cost of a breach and the time it takes to contain one, the report recommends you take key actions to protect your organization. Much of this can be achieved within your organization with a dedicated security team focused on it. You should also have an independent cybersecurity team conduct penetration and vulnerability testing annually to help you shore up your EHR application(s), which in turn helps your clients ensure their infrastructure is secure so they can avoid breaches and associated costs.
Protect What Matters Most
penetration and vulnerability testing techniques and
adhere to industry-accepted testing methods.
Drummond helps you stay ahead of threats, including ransomware attacks and email phishing against connected medical devices, by helping you evaluate and address potential risks. In the end, you will have a detailed report outlining any vulnerabilities identified, with recommendations on how to better defend the systems. Learn how our penetration testing services can help your organization: schedule a session with our cybersecurity experts today to get started.