Oct 28 2021

What Is Purple Teaming and How Can It Improve Healthcare Organizations’ Security Posture?

Collaboration between red and blue teams can reveal gaps in incident response plans and improve overall security strategies. Purple teaming is one step in the maintenance phase of incident response.

Cybersecurity attacks are on the rise in healthcare, with an increase of more than 30 percent in the number of breaches reported from 2019 to 2020, according to a report from Protenus. To protect patient data, healthcare organizations are looking for ways to improve their security postures and incident response plans.

Purple teaming is one way to find weaknesses in an existing program. This security exercise evolved from red and blue team exercises. Instead of facing off with each other, with one team winning, both teams collaborate during purple teaming exercises to improve the healthcare organization’s overall security program.

Purple teaming can also be a useful tool for healthcare organizations to validate the efficacy of their security programs in the maintenance phase of incident response planning. However, it’s important for healthcare organizations to understand how these exercises work and what the best practices for them are.


How Is Purple Teaming Different from Red vs. Blue Teams?

Purple teams exist to maximize the effectiveness of red and blue teams by integrating the blue team’s defensive tactics and controls with the information on threats and vulnerabilities uncovered by the red team into a single narrative.

A blue team is a healthcare organization’s internal security team; a red team, which could be a dedicated internal team or a security partner, attempts attacks to test these defenses. During purple team exercises, the two teams work together to determine how attacks are being detected and thwarted.

“Ideally, purple shouldn’t be a team at all, but rather a permanent dynamic between red and blue. From healthcare to utilities and government agencies, CISOs are using analysis and reports from purple team assessments, where both red teams (offense) and blue teams (defense) work collaboratively to assess an organization's systems, uncover areas of vulnerability and exposure, and report to the board on the organization’s overall cybersecurity posture,” says Stew Wolfe, technology and transformation cybersecurity leader for Cisco. “Purple team engagement is valuable to executives and board members because instead of having a conversation around hypotheticals, the team can show real-world results based on the company’s unique environment, technologies and crown jewels. It changes the discussion from ‘An attacker could have done this’ to ‘Here’s what an attacker did and the impact to our organization.’”


How Purple Team Exercises Benefit Healthcare Organizations

As ransomware attacks increase, healthcare CISOs are looking for effective methods to reduce risk beyond traditional means such as penetration testing. Purple team exercises are a critical part of any robust and effective security strategy.

“Ideally, these exercises help the organization identify weaknesses in the people, processes and technologies within the network perimeter, as well as pinpoint security gaps such as backdoors, incident response capability and identify other vulnerabilities that may exist within the security architecture,” says Wolfe. “After the exercises, a healthcare institution will have something more tangible to discuss at the strategic level on policy, prioritization and security funding, and can adjust based on the findings.”

The more practical experience a blue team gets at defending against cyberattacks, the better it will become. Purple team exercises help blue teams to improve their remediation activities.

“In healthcare, we talk about people, process and technology. All three of those things can have issues or challenges when it comes to cybersecurity. People can, through social engineering processes, be convinced to give up credentials. The process and the technology sides are more self-explanatory,” says Drex DeFord, executive healthcare strategist at CrowdStrike. “We have particular ways that we do things inside of networks or inside of cybersecurity programs, and sometimes, those things have too many steps, where there’s something that we’ve left out. We’re looking for all those things. Anything that we can find where there’s a vulnerability in those people, process, technology or parts, that’s a good outcome and that’s a good reason to do the exercises.”

These exercises can also bring to light infrastructure weaknesses not necessarily related to security. DeFord explains that healthcare organizations often build up their IT infrastructures incrementally over time in a way that may create weaknesses.

“If a certain thing happens in the infrastructure, it can actually cause a cascade effect in downtime,” he adds. “A lot of this is about finding problems and issues that make it easy to have downtime, which may be caused by cybersecurity incidences or could be caused by other things too. If the red team causes it, though, it’s an opportunity for us to learn, and that’s what the whole exercise is really about.”


Best Practices for Running Purple Team Exercises in Healthcare

DeFord says healthcare organizations should run a purple team or red vs. blue team exercise annually to ensure their incident response programs aren’t falling behind as cyberthreats evolve. However, he points out that these exercises shouldn’t lead to criticism or punishment of the blue team.

“I think you have to, as an executive, change the mindset and say, ‘Look, this isn’t about punishing the blue team. This is about understanding what we can do to make the blue team better,’” says DeFord. “Because often it’s not about the blue team and its particular behaviors or activities. Sometimes it’s about investments that haven’t been made, staff shortages or any of the other things that all healthcare and cybersecurity organizations face today.”

He recommends that organizations partner with security experts for these exercises, for other cybersecurity assessments and as part of their overall security strategies. One reason it may be beneficial to hire a security partner to fill the red team role is that an internal red team may have too much knowledge of the organization’s security program for a blue team to overcome during a red vs. blue team exercise. During a purple team exercise, the additional expertise of outside security experts can also be useful throughout the collaboration and remediation process.


“When members of the blue team are able to observe and participate in the attacks, they gain a better understanding of how attackers operate. This allows them to effectively deploy honeypots and other technologies to deceive actual attackers and study their tactics, techniques and procedures,” says Eric Kellenberger, a former CDW senior field solution architect for security, in a blog on purple teaming.

The blog points out that purple team exercises are only effective when the organization already has a strong cybersecurity foundation.

“Before engaging in purple teaming, the organization should ensure that it already uses email and web security tools, defends itself with a next-generation firewall, and conducts periodic vulnerability scanning and penetration testing,” says Kellenberger in the blog. “Once those controls are deployed, purple teaming can probe those deployments for undiscovered weaknesses.”
