Meditology Services, a professional services company specializing in IT solutions for healthcare organizations, announced new research based on a two year study from 2013-2015. As a follow up to this research endeavor, Meditology has released a white paper focused on ethical hacking, also known as penetration testing, and why it is a very effective way to test the security of healthcare information systems.
The paper, “Hacking Healthcare: Real-world Healthcare Security Exposures from Penetration Tests,” drives an increased awareness of the need for the healthcare industry to harden systems against both external and internal threats. The paper also helps healthcare organizations understand how to take a proactive security stance based on the concepts, methodology, approaches, and a description of various real-world penetration testing and related results.
According to the Ponemon Institute, criminal attacks on healthcare organizations have increased 100 percent since 2010 and represent the highest per-record cost to companies across industries.
Anatomy of a Penetration Test
Depending on the organization’s size and complexity, thorough penetration testing can take weeks to carry out and involves reconnaissance, surveying, testing and reporting to produce a final analysis across exposure areas. The paper outlines the top 10 hacking exposure areas based on the results of testing including physical security, phishing, medical devices, passwords and more. Both internal and external tests must be considered to address the full range of attack vectors.
“Hackers have expanded focus from technical vulnerabilities in public facing applications and networks to sophisticated social engineering and phishing attacks that psychologically manipulate people into divulging information,” Selfridge continues. “Medical devices also present an increasingly popular access point as they are configurable, and interconnected.”
Regular penetration testing is essential for organizations to identify weaknesses and gain the support they need to prevent data breaches. Domain expertise in the healthcare industry should be a top requirement when engaging a security firm to conduct penetration testing as patient safety, unique application issues, and specific regulatory requirements create a complex landscape that is different from other industries.
The following list is the top 10 most common security exposure areas that Meditology has observed from penetration tests of healthcare organizations across the country from the period of 2013 through 2015
1. Weak & Easily Guessable Passwords
2. Plain-text Credentials
3. Missing Critical Security Patches/Outdated OS’s
4. Weak Database Administrative Passwords
5. Generic or Default Accounts & Passwords
6. Network Shares with Improper Access Controls
7. Unauthenticated VNC Remote System Access
8. Insecure File Transfer Protocol (FTP)
9. Physical Security Gaps
10. Social Engineering Weaknesses