Healthcare Penetration Testing Approaches
External penetration testing is the more common approach to healthcare penetration testing. This type of testing addresses the ability of a remote attacker to penetrate a covered entity’s internal network. Essentially, external penetration testing is performed to assess whether someone from outside a covered entity’s network can access servers or data within the internal network.
In contrast, internal penetration testing is an attempt to simulate what an insider attack could accomplish. The “attacker” – or pen tester – begins the testing by already having some degree of authorized access or is starting from a point within the internal network. The access is given beforehand by the covered entity so that the analyst can conduct a test from the perspective of an insider (as opposed to the perspective of an outsider, as is the case with external penetration testing). Because healthcare breaches can be attributed to both internal and external threats, we recommend that organizations conduct both internal and external penetration tests to ensure they are not leaving themselves vulnerable to malicious insider OR outsider attacks.
Drummond’s unique ability to help healthcare organizations comply with regulations and standards – such as HIPAA, NIST Cybersecurity Framework, NIST 800-53, Center for Information Security (CIS) Critical Security Controls, ISO 27001, and Payment Card Industry Data Security Standard (PCI-DSS) – while exceeding security and safety guidelines, enables healthcare institutions to maintain focus on what matters most – patient care.
Top Threats Targeting Healthcare
- Data breaches on the cloud
- Unsecured mobile devices
- IoMT Vulnerabilities
- Employees / people
Additional Drummond Security Services for Healthcare
- Comprehensive Healthcare Risk Assessment (CHRA) – Drummond’s comprehensive healthcare risk assessment is a formal, detailed, yet flexible method of evaluating the business and operational risks and controls of an organization, and it can map to the security controls of most standards and regulations, including HIPAA, ISO 27001/2, NIST Cybersecurity Framework, NIST 800-53, and more.
- Cloud Penetration Testing – Security testing of the cloud environment allows healthcare organizations to gain visibility, understand the impact of vulnerabilities within the cloud architecture, uncover unintended entry points, and see how cloud controls perform against real-world attacks in multiple scenarios.
- Social Engineering – Malicious hacking using social engineering against healthcare has multiple goals. The most obvious ones are to steal money or data or to deliver ransomware. Drummond offers simulated social engineering attacks to test the human vulnerability that exists in every healthcare institution.
- Security Awareness Training – Training staff to be vigilant against phishing and other attacks targeting employees of the organization is a critical element of a security program and limits the risk of employees falling victim to social engineering attacks.
- Application Penetration Testing – Application penetration testing can often identify many of the weaknesses that are commonly found in application code and is the best form of defense in identifying any vulnerabilities before that code is deployed.
- IoMT/Medical Device Testing – Medical device penetration testing identifies possible design flaws in the software, hardware, and communication methods that could weaken the security of the device. It helps organizations understand the security implications of their devices and how to improve overall security maturity.