Smaller healthcare organizations such as rural and community hospitals are seen as easy targets for bad actors due to their lack of cybersecurity resources. However, a successful ransomware attack can impact patient care, cost the organization millions and — in the worst cases — lead to the organization’s closure. That means that healthcare organizations cannot afford to be easy targets.
While getting hacked can sometimes be inevitable, healthcare organizations should take a proactive approach by hiring ethical hackers to find the holes in their networks before bad actors can exploit them. Also known as penetration testing, these exercises can help make organizations more secure and cyber resilient.
What a Good Hacker Seeks
You can’t defend what you don’t know. Penetration testing can provide a wealth of information that could sometimes get overlooked by healthcare IT teams bogged down in the minutiae of everyday work. While a strong hospital network may have layers of protection, one or more of those layers can go down at any time.
Additionally, pen tests should not be one-time events. Cyber resilient healthcare organizations benefit from annual pen tests because technology is always changing, and solution providers are constantly releasing security patches. My cellphone has had three upgrades in the past three months alone; imagine what could be happening to your network. The fact is, with thousands of patches distributed each year, healthcare networks could have vulnerabilities that go unnoticed.
Vulnerability Assessments vs. Penetration Testing
There are multiple ways that healthcare organizations can work with a partner such as CDW to assess their networks. Through a vulnerability scan, we can use our industry knowledge to discuss common vulnerabilities that health systems face and suggest corrective action.
During penetration testing, we will send an engineer to test your network’s defenses. I always recommend that organizations do two types of penetration testing together: internal and external.
Unfortunately, people are often the weakest link in healthcare cybersecurity. End users could unknowingly click on a phishing link, or a disgruntled employee could download malware. In an internal pen test, engineers will attempt to exploit those vulnerabilities from inside your network. During an external pen test, we will try to break in from outside.
How Good Hackers Get into Healthcare Networks
A good hacker will look for missing patches, misconfigurations, weaknesses in a tool deployment or breaks in your firewall. They’ll also look for vulnerable connected devices that could give them access to other high-value systems on the same network.
In addition, they will look for administrator credentials on the web and may even resort to social engineering, attempting to get valuable information from someone at the organization with administrative access. Once hackers get into your network, they essentially have the keys to it and can move laterally inside to wreak havoc.
After a pen test, our engineers will give healthcare organizations detailed recommendations for every escalation or pivot so they can immediately address any vulnerabilities.
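The sections above describe what a tester looks for (missing patches, misconfigurations, exposed connected devices) and the deliverable (a recommendation for every escalation or pivot). The following is an added example, not CDW's tooling or anything described on the page, of how a defender can turn that kind of finding list into a prioritized remediation list: it models the segments the firewall allows traffic between, computes which high-value systems each finding's host could pivot to, and re-scores the findings once a proposed firewall fix is applied. The segment names, hosts, flows, findings and the scoring rule (external exposure doubles the weight) are all constructed for illustration.

```python
"""Rank pen-test findings by the high-value systems an attacker could pivot to.

Added example (not CDW's tooling). The network model, findings and scoring
rule below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    segment: str
    high_value: bool = False   # e.g. EHR database, imaging archive


@dataclass
class Finding:
    host: str
    kind: str        # "missing_patch", "misconfiguration", "exposed_device"
    exposure: str    # "external" or "internal": which pen test surfaced it
    detail: str


# Constructed firewall policy. A directed edge A -> B means a host in segment A
# may open connections to hosts in segment B.
FLOWS = {
    "guest_wifi": {"clinical_devices"},        # misconfiguration: guest reaches devices
    "clinical_devices": {"imaging"},
    "workstations": {"clinical_servers", "dmz"},
    "dmz": {"clinical_servers"},
    "clinical_servers": set(),
    "imaging": set(),
}

HOSTS = [
    Host("infusion-pump-07", "clinical_devices"),
    Host("patient-portal-web", "dmz"),
    Host("nurse-ws-12", "workstations"),
    Host("guest-ap-02", "guest_wifi"),
    Host("ehr-db-01", "clinical_servers", high_value=True),
    Host("pacs-01", "imaging", high_value=True),
]

# Constructed findings, as an internal and an external test might report them.
FINDINGS = [
    Finding("patient-portal-web", "missing_patch", "external", "web server two releases behind"),
    Finding("infusion-pump-07", "exposed_device", "internal", "default credentials on management port"),
    Finding("guest-ap-02", "misconfiguration", "internal", "guest VLAN not isolated from device VLAN"),
    Finding("nurse-ws-12", "missing_patch", "internal", "OS patch missing"),
]


def pivot_paths(start, flows):
    """Shortest permitted-flow path from `start` to every reachable segment (BFS)."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in flows.get(seg, ()):
            if nxt not in parent:
                parent[nxt] = seg
                queue.append(nxt)
    paths = {}
    for seg in parent:
        path, cur = [], seg
        while cur is not None:
            path.append(cur)
            cur = parent[cur]
        paths[seg] = path[::-1]
    return paths


def rank_findings(findings, hosts, flows):
    """Score each finding by the high-value hosts reachable from its segment."""
    by_name = {h.name: h for h in hosts}
    ranked = []
    for f in findings:
        paths = pivot_paths(by_name[f.host].segment, flows)
        pivots = {h.name: paths[h.segment] for h in hosts
                  if h.high_value and h.segment in paths}
        weight = 2 if f.exposure == "external" else 1   # internet-facing first
        ranked.append({"host": f.host, "kind": f.kind, "exposure": f.exposure,
                       "detail": f.detail, "pivots": pivots,
                       "score": weight * len(pivots)})
    ranked.sort(key=lambda r: (-r["score"], r["host"]))
    return ranked


def without_flow(flows, src, dst):
    """Copy of the policy with one permitted flow removed (a proposed firewall fix)."""
    fixed = {k: set(v) for k, v in flows.items()}
    fixed[src].discard(dst)
    return fixed


if __name__ == "__main__":
    for r in rank_findings(FINDINGS, HOSTS, FLOWS):
        print(f"{r['score']}  {r['host']:20} {r['kind']:16} {r['detail']}")
        for target, path in r["pivots"].items():
            print(f"      can reach {target} via {' -> '.join(path)}")
```

Run as-is, the externally exposed portal host ranks first because it sits one permitted hop from the EHR database; the guest access point ranks next because the guest-to-device flow lets it reach the imaging archive. Re-running `rank_findings` with `without_flow(FLOWS, "guest_wifi", "clinical_devices")` drops the guest finding to a score of zero, which is the kind of before-and-after evidence that helps a small IT team argue for a specific firewall change rather than a generic "harden the network".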
A Lack of Budget and In-House IT Staff Make Pen Testing Critical
One of the main reasons healthcare organizations, especially rural or community health systems, don’t do pen tests is budget. However, this is one of those investments that could end up saving you thousands or millions of dollars in the long run. It could even prevent a hospital closure. Even if a healthcare organization never pays a ransom, the process of cyber recovery can be expensive and often disrupts patient care. Even well-funded healthcare organizations with the latest security tools could be at risk.
Another challenge that healthcare organizations face is a lack of IT security staff. With remote work opening up the entire country to skilled IT workers, many healthcare organizations with lower budgets and fewer resources have a hard time attracting talented security staff.
Smaller healthcare organizations typically don’t have enough IT staff, let alone a budget sufficient to recruit IT security specialists. The fewer security staff members an organization has, the more critical it is to add pen testing as an annual line item in the budget. This routine testing could mean the difference between being an easy mark for a bad actor and being one that is too much trouble to hack.