Hacking Healthcare: Compliance Alone Won’t Save You

BrandPost By Wesley McGrew
May 11, 2017

Healthcare providers must go beyond compliance, setting their sights on a comprehensive cyber security posture.

A breach of a healthcare provider can have a serious impact, both in terms of financial loss and patient confidence. HIPAA violations can involve fines of up to $50,000. That’s applicable to each patient record! In many cases, attackers are able to access all of a provider’s patient records. That’s a lot of negative impact.

Healthcare breaches are widely covered in the news, where the court of public opinion tends to lay blame on the targeted organization. Current and future patients may think twice, even wait years before seeking care from a provider that was portrayed negatively by the press for data loss.

Today, many federal and state regulations exist that require you to implement strong policies and procedures to protect individuals from cyber threats and the impact of data breaches. Effective policies and procedures can ensure that you set and maintain the right “mindset” for security, but unfortunately, there may still be technical “gaps.”

With security, the devil is in the details.

Security must go beyond compliance

When it comes to the healthcare industry, security must surpass mere compliance, striving instead towards a posture that protects the entirety of your organization. While it is tempting, with meager resources, to stop at the bare minimum of compliance, limiting the scope of security testing and defense is doomed to come up dangerously short.

Real attackers will find vulnerabilities and conduct attacks across the entirety of your network; therefore, if security testing is to be successful, it must involve offense-oriented testing of that same full scope.

You must become a “want to know” organization

Your IT staff’s focus is on continuity of service for the hospital staff, and “putting out fires” with regards to technical problems. Data security is rarely the foremost concern, and the specialized training needed to identify exploitable vulnerabilities is not something that most IT staff require or use routinely.

Security must become a top priority. You need to focus on uncovering as many vulnerabilities as possible. Wanting to know any and all vulnerabilities in your network, without “pride of ownership” getting in the way, is key.

Seek out the right help and right services for your organization

Advanced penetration testing, emulating the techniques of real threat groups, can illustrate how a real attack would move around your network, resulting in damaging theft of data. Testing that is fully automated, or reliant on automated tools that focus on surface-level testing with publicly-known vulnerability information, simply isn’t good enough.

You need a partner that understands your needs in the healthcare sector, understands the dangers and risks of testing in a sensitive environment, and has the expertise and experience to find vulnerabilities before criminal threat groups find them.