At HIMSS19 in Orlando, Fla., Halifax Health Vice President and CIO Tom Stafford was very candid about his organization’s cybersecurity strategy. One aspect of his discussion that stood out to me, in particular, was his embrace and endorsement of penetration testing by white hat hackers.
“Bar none, it’s the best money spent in cybersecurity,” Stafford said. “The reason why is because it’s practical and it’s real. We look forward to ethical hacking because it allows us to improve our security posture and boost patient care. Don’t be afraid of it, and do it.”
The organization switches ethical hackers every two years, he said, to ensure a fresh set of eyes is able to search for weak spots.
More healthcare organizations likely would benefit from taking a similar approach to safeguarding their systems. So, what must leaders know prior to taking such a step?
Set Boundaries for Your Hackers
It’s very important to define goals and set limits for ethical hackers, and spell out those goals and limits in legal language. Such a document gives hackers permission to attack your system, while also clarifying how far they can go in testing.
What’s more, it’s critical to use caution when hiring a white hat hacker. Be sure to determine what level of testing you need first. Black box testers, for instance, receive only a small amount of publicly available information, while white box testers receive a much greater volume of data to work with.
Also seek recommendations for the hackers you intend to work with. Ask your staff whether they know, or have previously hired, anyone they would recommend.
Hackers Will Find Vulnerabilities; Be Alarmed, but Don’t Fret
The goal of penetration testing is to determine just how vulnerable an organization’s IT systems are, so don’t be surprised if whoever you task with the job reveals a laundry list of areas for improvement. Nefarious actors often are one or more steps ahead of the curve when it comes to attacks, and in the case of nation states, such as Ukraine and North Korea, hacking is an industry where people “put on suits and go to work and try to hack the world,” as Stafford pointed out. Hiring hackers is also a growing trend, he said.
“We have this constant fight always against us,” Stafford said, and he’s right. To that end, IT systems must constantly be updated to keep pace with the persistent threats.
Rather than panic, work with your security and IT teams to address and remediate any discovered weaknesses.