Dec 13 2021

Tabletop Exercises and Penetration Testing: What Health Systems Need to Know

It is critical for healthcare organizations to regularly perform these assessments to strengthen their cybersecurity posture.

Cybersecurity is a major concern in the healthcare industry, especially with the current rise in threats and attacks.

Ransomware crises in healthcare can be particularly hard-hitting with the health and safety of patients on the line. When a hospital is mired in the response to a ransomware attack, clinical operations can slow or grind to a halt, which can have detrimental consequences for patients.

To avoid reaching that point, cybersecurity must be front of mind for healthcare organizations. Understanding your full environment — in terms of assets, configuration management and potential threats — can start the path forward toward initiatives to measure resiliency.

Be prepared before a crisis so that your organization is not caught off guard should a cyberattack happen. Executing active cybersecurity drills, such as tabletop exercises and penetration testing, is a critical next step.

The Importance of Tabletop Exercises in Healthcare

A tabletop exercise is a meeting to discuss a simulated emergency. Participants review and discuss the actions they would take in a particular emergency, such as a ransomware attack, testing the organization’s emergency plan in an informal, low-stress environment.

Tabletop exercises are used to clarify roles and responsibilities, and to identify additional campus mitigation and preparedness needs. Walking through a near-life scenario tends to sharpen critical thinking and uncover challenges before a real-life scenario happens.

They also present an opportunity to bring people together with the right set of skills from inside and outside the healthcare organization to help survive a business disruption.

Tabletop exercises should result in action plans for continuous improvement of the emergency plan. A written evaluation of an exercise provides a guideline for what went well and what areas need attention, and should categorize outcomes by people, processes or technology.

Penetration Testing Increases Cybersecurity Readiness

Penetration testing is another practical method for assessing and evaluating the effectiveness of security controls that are in place for data privacy and protection.

Unlike vulnerability scanning, pen testing is mandatory for compliance with payment card industry regulations. If you are taking credit cards at your healthcare organization, you need to comply with some level of the Payment Card Industry Data Security Standard.  

A comprehensive pen test attempts to exploit all the layers within an organization’s ecosystem — before malicious actors do — to expose whether a configuration is as secure as it seems. Pen testing can reveal, for example, misapplied fixes or undocumented vulnerabilities, and even identify threats and threat vectors, which can improve security personnel’s knowledge and their response time to an incident.

Here is an example of a journey through different aspects of pen testing:

  1. Start from the outside perimeter in traditional perimeter control, or north-to-south traffic. If you’re already in the cloud, do a cloud configuration security pen test, which reveals who can get into the system to quickly compromise it.
  2. Then, move into wireless network pen testing. You'll need people to physically visit your campus and be able to look for rogue types of wireless controllers, or have the ability to do that test remotely to make sure that your wireless is sound.
  3. Next, try an internal or lateral type of pen testing. What you're looking for here is how far somebody can go once they're authenticated to your network. They may be looking for privilege escalation. What other information is readily exposed on the internal network that is not being protected?
  4. Follow it with application pen testing. This reveals what applications do, what credentials are being used, how they're being used, how they’re interacting with each other and what type of data they are exposing or leaving behind. Perhaps they produce some type of report, and the report is just pending, out in the open, not secured with the rest of the hospital’s protected health information.

Some level of social engineering testing would enhance each scenario. For example, have someone call a colleague to see whether they can get credentials. Or perhaps see if that information can be obtained in an open conversation in a hospital’s hallway.

Pen testing can also serve as an official record for demonstrating risk management efforts to avoid revenue loss or legal consequences and reputational damage after a breach.

Cybersecurity from Planning to Action

It is critical for healthcare organizations to regularly perform both tabletop exercises and pen testing to enhance their security posture, so they are more familiar with how they will respond to and recover from an emergency within an established time frame.

Tabletop exercises take into consideration several technology standards, and cybersecurity insurance carriers in the healthcare market are asking for such governance activities. The absence of regular testing, assessment and evaluation of security controls can result in insurance coverage denial, high deductibles or limited coverage at high premiums.

Also, more vendors are requiring their clients to fail over their production environment to a separate infrastructure, whether that is a data center or a cloud instance, and they're doing this to fully validate an organization’s recovery strategy in the event of an outage or cyberattack.

Establishing governance and technical committees will help drive a healthcare organization’s initiatives. Translate technical initiatives into business outcomes — especially important if you’re seeking board and C-suite approval.

Maintain a training program for your technical staff and the rest of your workforce so that they can continue being effective at keeping the organization safe.

Security partnerships can help healthcare providers better execute these initiatives. A partner can prioritize a security roadmap, validate a solution or provide the right resources.

This article is part of HealthTech’s MonITor blog series. Please join the discussion on Twitter by using #WellnessIT.

