Evaluating Cyber Readiness, Vulnerabilities with Pen Testing
Once a healthcare organization has built what it feels is a strong defense and security program, security leaders can look to third-party vendor penetration testing to evaluate its cyber readiness.
Healthcare faces a unique endpoint challenge: a host of vendors, legacy systems, and an ever-growing list of connected devices. And even when an organization deems its network secure, the threat landscape keeps adding new vulnerabilities. Pen testing lets providers test their cyber readiness and determine how they would stack up against a real-world cyberattack.
In 2019, ransomware hit crisis levels, with more than 759 providers falling victim. Providers reported EHR outages and patient care diversions, and at least two providers permanently closed after being unable to fully recover from a cyberattack.
Microsoft also just ended support for Windows 7 and two other legacy platforms, adding a host of new vulnerabilities. With security researchers predicting an even more brutal year of healthcare cybersecurity, it’s crucial both for providers to bolster their defenses and to ensure all vulnerable endpoints are secure.
Once a healthcare provider has created a strong inventory and performed a risk assessment, how can IT and security leaders be certain their defenses are secure? Many turn to outside cybersecurity teams to test their defenses with penetration testing.
What is pen testing?
Pen testing refers to a wide range of techniques that vary in scope and can help any organization improve its security posture.
“Pen testing is the practice of performing offensive security assessments against a target or organization,” said John Nye, CynergisTek’s senior director of cybersecurity research and communication. “But why would an organization pay someone to attack their systems? Because it is much better to have an ethical hacker find flaws in a network or systems and responsibly report them.”
“The alternative is to allow the vulnerabilities to sit undiscovered until a malicious attacker finds them and exploits them to your detriment,” he stressed.
The purpose is to probe for vulnerable ports and open doors, and to find out whether a bad actor has any opportunity to get in, explained Troy Young, chief technology officer of AdvanceMD.
There are varying levels of pen testing that gauge an organization’s readiness. The most basic is known as perimeter testing or external network testing: automated tests that check whether any ports or services are exposed to the internet that should not be, Young said.
Another simple form of pen testing examines the ports and services of any network exposed to the internet. Young explained that such a test can determine which services and ports should not be open or running and whether they need to be closed.
“Someone is coming in from outside to make sure these ports are running,” Young said. “It’s the simplest level of pen testing.”
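As an added illustration of the perimeter check Young describes (this is example code written for this article, not AdvanceMD’s or any vendor’s tooling), the script below reads the output of an external port scan in the plain-text shape nmap prints and compares what is reachable against the approved baseline of internet-facing services taken from the asset inventory. The hosts, IP addresses, services, and the baseline itself are constructed for the example; the point is the reconciliation, which turns a list of open ports into a list of exposures nobody approved and hosts nobody inventoried.

```python
"""Reconcile an external port scan against the approved exposure baseline."""
import re
from dataclasses import dataclass

# Constructed sample: text in the form an nmap report prints. The hosts,
# addresses (RFC 5737 documentation range) and services are made up.
SCAN_OUTPUT = """\
Nmap scan report for portal.example-clinic.test (203.0.113.10)
443/tcp   open  https
22/tcp    open  ssh
3389/tcp  open  ms-wbt-server

Nmap scan report for mail.example-clinic.test (203.0.113.20)
25/tcp    open  smtp
443/tcp   open  https

Nmap scan report for 203.0.113.30
80/tcp    open  http
"""

# Hypothetical baseline: what the asset inventory says may be reachable
# from the internet, keyed by host address.
BASELINE = {
    "203.0.113.10": {("tcp", 443)},
    "203.0.113.20": {("tcp", 25), ("tcp", 443)},
}

# "Nmap scan report for name (ip)" or, without reverse DNS, "... for ip".
HOST_RE = re.compile(r"^Nmap scan report for (?:.*\()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
# "port/proto state service", e.g. "443/tcp open https".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


@dataclass(frozen=True)
class Finding:
    host: str
    proto: str
    port: int
    service: str


def parse_scan(text):
    """Return {host_ip: {(proto, port, service), ...}} for ports reported open."""
    observed = {}
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            observed.setdefault(host, set())
            continue
        m = PORT_RE.match(line)
        if m and host is not None and m.group(3) == "open":
            observed[host].add((m.group(2), int(m.group(1)), m.group(4)))
    return observed


def unexpected_exposure(observed, baseline):
    """Open services not in the baseline, plus responding hosts the baseline never lists."""
    findings = []
    for host, services in observed.items():
        allowed = baseline.get(host, set())
        for proto, port, service in sorted(services, key=lambda s: (s[0], s[1])):
            if (proto, port) not in allowed:
                findings.append(Finding(host, proto, port, service))
    # A host that answers externally but has no baseline entry is an
    # unknown asset, which matters more than any single open port.
    unknown_hosts = sorted(set(observed) - set(baseline))
    return findings, unknown_hosts


if __name__ == "__main__":
    found, unknown = unexpected_exposure(parse_scan(SCAN_OUTPUT), BASELINE)
    for f in found:
        print(f"UNAPPROVED  {f.host} {f.port}/{f.proto} ({f.service})")
    for h in unknown:
        print(f"NOT IN INVENTORY  {h}")
```

Run against the constructed sample, it flags SSH and RDP on the portal host and every service on the uninventoried 203.0.113.30. Feeding it a real scan only requires that the baseline be derived from the inventory the article says should already exist, which is also why the inventory step comes before any testing.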
Phishing education campaigns are not always referred to as pen testing, but Young said they are a tool for pen testing an organization’s employees. Through software or a service, organizations can send fake phishing emails to employees to see how they respond.
“It’s probably the single most dangerous attack vector, especially for healthcare and one of the easiest ways to get into a network is through emails,” Young said. “You often hear these stories of ransomware or major breaches and most of the time, it stems from a malicious phishing attack on the practice.”
“Someone clicks the link, provides credentials, or installs malicious software,” he added. “It’s common to subscribe to services that will send those phishing education emails. If an employee clicks on a bad link, they’ll receive a pop up with phishing information education.”
A third party can also perform the phishing test through social engineering. Young explained that the outside firm will probe employee behavior through a phone call or an online social media platform, much as a cybercriminal would when planning a targeted attack.
The third level of pen testing can be fairly expensive, but can be appropriate for larger healthcare providers or health tech companies. It’s where the pen testing team pulls out all of the stops, through social engineering and other reconnaissance methods, said Young. The pen tester will begin with research, then move to perimeter pen testing, then end with phishing emails, calls, and the like.
Once they are into the network, he said, the team will go deeper with more sophisticated tools and try to get software running inside it. Young said this involves attempting to escalate privileges and permissions in order to act on the network. It’s highly effective, but costly.
“Pen tests can vary greatly in scope, meaning they can be an effective tool to help any organization improve their security posture,” said Nye. “Determining the specific type or scope of an assessment is heavily impacted by the maturity of the organization.”
Considerations
All healthcare organizations can benefit from a simple pen test, Nye asserted, but the maturity of the security program at the organization matters.
“For example, an organization that has an internal vulnerability scanning process in place and regularly patches systems will likely have significantly different results from a pen test than a less mature organization that has a less developed security strategy in place,” Nye said.
“An immature organization that is still simply reacting to issues would benefit from a basic external (web-facing) pen test,” he continued. “A mature, large organization will need significantly more work to assess all of the various aspects such as physical, logical, and IT security in the form of physical/social engineering attacks and logical network assessing.”
As a result, healthcare organizations need to make sure their defenses are ready to be tested before they hire a pen testing team. To Young, pen testing should come as an outcome of a thorough risk assessment.
For example, the risks associated with a one-doctor practice that is connected to the internet only through its user computers will be far fewer than those of a larger practice with a host of lab machines and other internet-connected equipment, Young explained.
No matter its size, Young said, an organization must first determine its connectivity with other hospitals, affiliates with privileges, and clinics through a risk assessment.
“And then based on its exposure to the internet, the organization can say, these are the kinds of penetration testing we should do,” said Young.
That way, when it’s time to discuss pen testing with a security professional, the organization isn’t going in cold. Otherwise, Young said, the outside firm may try to sell the organization whatever it can.
For SecureLink CISO Tony Howlett, healthcare organizations should also determine just what they hope to get out of the pen test, whether that is compliance or another security concern. Healthcare organizations also have a critical consideration when it comes to pen testing: patient safety and HIPAA.
“In healthcare, there are regulations to consider and you likely don’t want the tester to get into patient health information databases,” Howlett said. “If a pen tester gets into the network, is that a violation that needs to be recorded? A PHI breach could be a reportable offense, so it needs to be tightly designed in the contract and the engagement letter.”
With this in mind, Howlett advised organizations to ask what they want to get out of pen testing.
“Report issues to us, and then have the tester work their way back,” he stated. “There’s also patient safety to consider, as the tester can’t take down a mission critical system.”
Healthcare has a long list of devices, including insulin pumps, patient monitors, and other tools used to care for patients. These considerations must be researched before the contracting process to ensure patient safety is maintained, Howlett stressed.
As a result, healthcare organizations must evaluate whether they should undertake a pen test at all, and whether they are ready for it. Howlett said a simple way to gauge this is to look into NIST testing or NIST-800, which is dedicated to cybersecurity.
“Healthcare organizations want to be aligned with NIST controls before they attempt pen testing,” Howlett said. “It’s about measuring twice and cutting once. It’s hard to say what an organization should have in place beforehand. But if an organization doesn’t know the right controls, they’re probably not ready for testing.”
“If an organization doesn’t have basic compliance, they’re also probably not ready for a pen test,” he added. “It’s also about whether they have the structures in place to remediate issues found during the process. If they find a hole in their security, what processes will they use to remediate it?”
Using the NIST standards, organizations can assess themselves and determine what they need to do to bolster their defenses, Howlett explained. If they aren’t scoring well, the provider still has work to do.
Next, providers should perform an internal audit, which is similar to the NIST assessment. Covered entities should already be auditing and testing their systems under HIPAA, “before they go out to have them tested externally.”
“Healthcare organizations are under so much regulation already, that most of them are probably ready for a pen test,” Howlett said. “But most of these organizations don't do pen tests by choice: they do them because a regulator or auditor told them.”
“Organizations should already be doing vulnerability scans and have good general cyber hygiene before considering pen testing,” he continued. “Pen testing is not recommended for someone who hasn’t done a pen test or audit, as they’re going to be embarrassed by the pen testing results. Organizations should have done an internal scrimmage first.”
Lastly, organizations mandated to take a pen test should first dip their toes in the water with a simple external pen test of their outside ISP connections to determine next steps.
For Young, organizations commonly pursue pen testing in levels over a set period of time. In the first year they can perform a simple perimeter test, “knocking on the door to make sure it’s locked.”
Selecting a pen tester
For healthcare providers, outlining the requirements during the contracting process is the key to compliance and security. Any HIPAA business associate that could potentially handle PHI will also require a business associate agreement.
There are contract considerations that can ensure patient data remains secure during a pen test as well.
For Nye, organizations considering the process should first ensure the third-party vendor is well-versed in offensive security assessments, especially in healthcare.
“This is important so that they know of the specific needs and quirks of your industry,” Nye said. “Some things that make a pen test go much more smoothly are a solid and complete asset inventory, an up to date list of vulnerable systems and missing patches, as well as the biggest scope you can manage to allow the pen testers to assess the largest number of systems possible.”
Young added that from a business perspective, having a vendor that understands healthcare’s nuances will help the covered entity explain what is considered PHI and make it easier to secure a BAA.
“If they have that experience with healthcare and HIPAA assessments, the tester is going to understand HIPAA better than someone who doesn’t have that kind of auditing experience,” Young said.
It’s also important for providers to choose a vendor they trust. Organizations can look to neighboring hospitals that have performed pen testing to find a good fit. There are national vendors and out-of-state vendors, so an organization will need to settle its budget to ensure the best fit for its facility.
Further, performing a risk assessment first will show the organization which areas of the network should be tested. That information helps the pen tester identify the tests that will give the organization the most benefit.
Young added that organizations can protect PHI by setting limits on how far a pen tester is allowed to go during the security probe. An organization should spell out those limits during the contracting process, including a requirement that the tester stop once they come across sensitive data.
In other sectors it’s not uncommon for the pen tester to be allowed to dive into the network, gather information, and hand the team leader a spreadsheet of their findings, but Young noted that this isn’t really appropriate for healthcare given the sensitivity of the data.
Instead, the pen tester should be directed to back off as soon as they find data.
“It’s critical to clearly define the parameters of pen test so that regulations are not violated and/or that might get vendor or lower level people in trouble,” Howlett said. “A successful pen test depends on knowing what deliverables you want and designing a contract and engagement letter that tightly defines the ROE for the pen tester.”
“In a regulated industry there are many reasons to have guardrails on the test,” he added. “You can’t fully simulate a real-world attack. There needs to be a good balance of making an organization safe from outside attackers and getting too far into the data or patient safety issues.”
Instead, Young explained, the tester can document the steps they took to reach that point, so the organization can fix that access path and minimize outside access.
Limitations and Benefits
Pen testing is not a cure for all security vulnerabilities. Researchers are continually finding new vulnerabilities, attackers keep evolving their methods, and no process is infallible. However, the exercise lets organizations experience a realistic attack and gain insight into how well their facility would withstand one.
“One of the biggest limitations on all pen tests is the official scope of the assessment,” said Nye. “Many organizations will intentionally ‘cherry pick’ the least vulnerable systems to include in the scope, while leaving known-bad systems (like Windows XP and 7) out of the scope so their reports look better.”
“A major misconception to consider with pen tests is not understanding that ethical hackers are limited by the letter of authorization, resources, and time, which is a problem that black-hat hackers do not have,” he continued. “Because of this, it is crucial to understand that a pen test cannot actually find every possible point of attack in a network -- it is just a snapshot in time.”
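Nye’s point about cherry-picked scopes is checkable before the engagement letter is signed. The script below is an added example, not CynergisTek’s or any vendor’s tooling: it reconciles a proposed scope against the asset inventory and reports internet-facing hosts that were left out, hosts running the end-of-life platforms the article names (Windows XP and Windows 7) that were left out, and scope entries no inventory record explains. The inventory rows, the scope list, and the CSV column names are constructed for the example.

```python
"""Review a proposed pen-test scope against the asset inventory."""
import csv
import io
from dataclasses import dataclass, field

# Constructed inventory export. Columns are an assumption about how an
# inventory tool might label them; addresses are documentation ranges.
INVENTORY_CSV = """\
hostname,ip,os,internet_facing,owner
portal,203.0.113.10,Windows Server 2019,yes,web-team
mail,203.0.113.20,Ubuntu 18.04,yes,infra
lab-analyzer-01,10.20.0.15,Windows 7,no,lab
imaging-ws-02,10.20.0.31,Windows XP,no,radiology
vpn,203.0.113.40,FortiOS,yes,infra
"""

# Constructed scope as submitted for the engagement letter. One entry
# (198.51.100.5) deliberately matches nothing in the inventory.
PROPOSED_SCOPE = {"203.0.113.10", "203.0.113.20", "198.51.100.5"}

# Platforms the article singles out as known-bad. Extend as needed.
END_OF_LIFE_PREFIXES = ("Windows XP", "Windows 7")


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    os: str
    internet_facing: bool
    owner: str


@dataclass
class ScopeReview:
    coverage: float                       # share of inventory hosts in scope
    exposed_excluded: list = field(default_factory=list)  # internet-facing, out of scope
    eol_excluded: list = field(default_factory=list)      # end-of-life OS, out of scope
    unknown_in_scope: list = field(default_factory=list)  # scope entries not in inventory


def load_inventory(text):
    """Parse the CSV export into Asset records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Asset(
            hostname=r["hostname"].strip(),
            ip=r["ip"].strip(),
            os=r["os"].strip(),
            internet_facing=r["internet_facing"].strip().lower() in ("yes", "true", "1"),
            owner=r["owner"].strip(),
        )
        for r in rows
    ]


def is_end_of_life(os_name):
    """True if the OS string starts with a platform on the end-of-life list."""
    return os_name.startswith(END_OF_LIFE_PREFIXES)


def review_scope(assets, scope):
    """Compare the proposed scope with the inventory and list the gaps."""
    known_ips = {a.ip for a in assets}
    in_scope = [a for a in assets if a.ip in scope]
    review = ScopeReview(coverage=len(in_scope) / len(assets) if assets else 0.0)
    for a in assets:
        if a.ip in scope:
            continue
        if a.internet_facing:
            review.exposed_excluded.append(a.ip)
        if is_end_of_life(a.os):
            review.eol_excluded.append(a.ip)
    review.unknown_in_scope = sorted(scope - known_ips)
    return review


if __name__ == "__main__":
    r = review_scope(load_inventory(INVENTORY_CSV), PROPOSED_SCOPE)
    print(f"scope covers {r.coverage:.0%} of inventoried hosts")
    print("internet-facing but excluded:", r.exposed_excluded)
    print("end-of-life OS but excluded: ", r.eol_excluded)
    print("in scope but not inventoried:", r.unknown_in_scope)
```

On the constructed data the scope covers two of five hosts, leaves the internet-facing VPN appliance and both legacy Windows machines out, and names an address the inventory does not know. Each of those is a question to settle in the engagement letter, not a reason to start testing; the excluded legacy hosts in particular are exactly what Nye says gets dropped to make the report look better.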
Organizations should look for vendors that understand the process and should undertake pen testing to correctly identify security issues rather than merely to stay compliant, Howlett explained.
“Making sure the pen test is done correctly, rather than just doing it to check a box, is critical,” he said. “Otherwise, you could end up creating an incident rather than avoiding one.”
When looking for a pen tester, organizations should look to those passionate about the process with experience in “breaking things.”
“Most of the best pen testers I have worked with have had two things in common and oddly, neither formal education nor certifications seem to have any impact on this,” Nye said. “The two most important traits for a pen tester are a passion for breaking things in a new and unexpected way and a drive to never stop learning."