Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Federal audit finds hospital web app gaps vulnerable to phishing

Written by Mara Ellis | February 13, 2026

An audit by the HHS Office of Inspector General examined how a large Southeastern hospital protected its systems against cyberattacks by reviewing security policies and controls and by commissioning independent technical testing.


What happened

BreakPoint Labs conducted external penetration testing and vulnerability assessments on four internet-facing web applications and ran a phishing simulation between August and September 2022. Most simulated attacks were blocked or detected, but testing also exposed two meaningful gaps.

First, one internet-accessible application used for account management did not have sufficiently strong user identification and authentication controls; in particular, it did not require multi-factor authentication, so a phished username and password alone were enough to access the application and take actions that should have required stronger verification.
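The control that was missing here is step-up authentication: a password proves little once it has been phished, so actions that change account data should demand a second factor verified recently. The block below is an added illustration, not code from the audit, the hospital or its vendor. The action classification, the session model and the 300-second freshness window are assumptions chosen for the example; the one-time code check is RFC 6238 TOTP over HMAC-SHA1.

```python
"""
Step-up authentication for an internet-facing account-management app.

Added illustration, not code from the audit or from the hospital's vendor.
Assumptions: actions are classified as routine or sensitive (hypothetical
lists below); a session records which factors were verified; a sensitive
action is refused unless a second factor (TOTP, RFC 6238) was verified within
MFA_MAX_AGE_SECONDS. A phished password alone therefore cannot change account
data, which is the gap the audit described.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

MFA_MAX_AGE_SECONDS = 300   # sensitive actions need a second factor newer than this
TOTP_STEP_SECONDS = 30

# Hypothetical classification for the example; a real app would load it from policy.
ROUTINE_ACTIONS = {"view_notices", "view_help"}
SENSITIVE_ACTIONS = {"view_records", "change_email", "change_phone", "reset_password"}


@dataclass
class Session:
    user: str
    password_verified: bool = False
    mfa_verified_at: Optional[float] = None   # epoch seconds of the last good TOTP


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", at // TOTP_STEP_SECONDS)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock drift."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, at + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def authorize(session: Session, action: str, now: float) -> str:
    """Return 'allow', 'step_up_required' or 'deny' for one request."""
    if not session.password_verified:
        return "deny"
    if action in ROUTINE_ACTIONS:
        return "allow"
    if action in SENSITIVE_ACTIONS:
        fresh = (session.mfa_verified_at is not None
                 and now - session.mfa_verified_at <= MFA_MAX_AGE_SECONDS)
        return "allow" if fresh else "step_up_required"
    return "deny"   # unknown action: fail closed rather than open


def complete_step_up(session: Session, secret: bytes, code: str, now: int) -> bool:
    """Record a successful second factor on the session; never downgrade on failure."""
    if session.password_verified and verify_totp(secret, code, now):
        session.mfa_verified_at = now
        return True
    return False


def phished_password_scenario(now: int = 1_700_000_000) -> dict:
    """Constructed walk-through: an attacker holds only a phished password."""
    attacker = Session(user="patient-0001", password_verified=True)
    return {
        "view_notices": authorize(attacker, "view_notices", now),
        "change_email": authorize(attacker, "change_email", now),
        "view_records": authorize(attacker, "view_records", now),
    }


if __name__ == "__main__":
    print(phished_password_scenario())
```

The decision function fails closed for unknown actions, and a failed one-time code never clears an earlier verification, so the worst outcome of a bad code is an extra prompt rather than a silently weaker session.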

Second, another internet-facing web application contained an input-validation weakness that created an injection-style risk, and the application was not protected by a web application firewall. The weakness stemmed from a vendor update that the organization’s pre-production security testing did not catch.

During the phishing exercise, 2,171 test emails were sent. The last 500 were blocked; among the first 1,671 messages, 108 users clicked the link, and one user entered credentials that the testers captured and later used.
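Two points from this finding are worth seeing in code: what an input-validation weakness of the injection kind looks like next to its hardened form, and the regression check a pre-production pipeline should run so a vendor update cannot quietly reintroduce it. The block below is an added illustration and not the hospital's or vendor's code; the audit says only "injection-style", so SQL injection in a patient lookup is assumed as the concrete instance, and the record-number format and sample rows are constructed.

```python
"""
Injection-style weakness beside its hardened form, plus the regression check a
pre-production pipeline should run on every vendor update.

Added illustration, not the hospital's or vendor's code. The audit says only
"injection-style risk"; SQL injection in a patient lookup is assumed here as
the concrete instance. Data is constructed in memory with sqlite3.
"""
import re
import sqlite3
from typing import Callable, List, Tuple

# Medical record numbers in this example look like MRN-1234 (constructed format).
MRN_PATTERN = re.compile(r"MRN-\d{4}")

Lookup = Callable[[sqlite3.Connection, str], List[Tuple[str, str]]]


def build_db() -> sqlite3.Connection:
    """Constructed sample data; nothing here comes from the audited system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, mrn TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO patients (mrn, name) VALUES (?, ?)",
        [("MRN-1001", "Sample Patient A"), ("MRN-1002", "Sample Patient B")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, mrn: str) -> List[Tuple[str, str]]:
    """The weak pattern: untrusted input spliced into the SQL text."""
    query = f"SELECT mrn, name FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, mrn: str) -> List[Tuple[str, str]]:
    """Validate the shape of the input, then bind it as a parameter."""
    if not MRN_PATTERN.fullmatch(mrn):
        raise ValueError("malformed MRN")
    return conn.execute(
        "SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


# The probe a pre-production check should use: a textbook OR-tautology that a
# parameterised query treats as a literal value, not as SQL.
INJECTION_PROBE = "MRN-1001' OR '1'='1"


def passes_injection_regression(lookup: Lookup) -> bool:
    """True when `lookup` either rejects the probe or finds nothing for it.

    Run this against every release candidate so a vendor update that
    reintroduces string-built SQL fails the pipeline before production.
    """
    conn = build_db()
    try:
        rows = lookup(conn, INJECTION_PROBE)
    except ValueError:
        return True           # rejected at validation: safe
    return len(rows) == 0     # parameterised: the literal MRN matches nothing


if __name__ == "__main__":
    print("vulnerable passes:", passes_injection_regression(lookup_vulnerable))   # False
    print("hardened passes:", passes_injection_regression(lookup_hardened))       # True
```

The hardened lookup applies two independent controls, a shape check and parameter binding, so either one alone would have stopped the probe; the regression function treats both "rejected" and "matched nothing" as passing, because what matters for the pipeline is that the probe never returns rows it should not.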


Going deeper

BreakPoint Labs tested the hospital the same way a real attacker would, from the outside, using only what is exposed to the public internet. The internet-facing label means the systems can be reached without being on the hospital’s internal network, like a patient portal, a login page, or an online account tool. The team used three complementary methods.

External penetration testing is the hands-on part where ethical hackers try to break in by chaining small weaknesses together, proving what is actually possible. Vulnerability scanning is the wide-net part. Automated tools check the exposed systems for known weaknesses, risky settings, and outdated components that commonly get exploited.

Phishing simulation tests staff who receive realistic fake emails to see who clicks, who enters credentials, and whether security controls block or detect the attempt. Each method answers a different question: “Can someone get in?”, “What obvious doors are unlocked?”, and “Will a believable email get a foothold?”


Why it matters

According to a Gov Info Security article on the topic, “Even organizations with generally strong cybersecurity programs may still have weaknesses.” Patient portals attract attackers because they are public-facing web applications with logins, sessions, and sensitive records sitting behind a small number of controls. The OIG audit shows how quickly that exposure can turn into access: BreakPoint Labs captured a user’s credentials in a phishing test and then used them against an internet-accessible account management application that did not require multi-factor authentication.

Reporting on the ManageMyHealth incident shows the same basic pattern in plain language, with attackers described as getting in using a valid password. Email can outperform portals in that specific risk model because it reduces how much custom web application surface the provider exposes to the public internet and shifts more protection to the identity layer that patients already use.

A portal concentrates risk in one always-on site, so a missed MFA requirement, a weak session flow, or a bad vendor update can become a direct compromise path. Secure email workflows built on a properly implemented HIPAA compliant email solution, such as Paubox, avoid forcing every patient into a separate login experience for routine communication and instead rely on hardened mailbox controls.


FAQs

What does external penetration testing mean?

External testing starts from outside the organization and targets systems reachable from the internet, which mirrors how many real attacks begin.


What does internet-facing mean in practical terms?

Internet-facing means a system can be reached from the public internet, such as portals, login pages, and web apps that do not require an internal network connection.


Does penetration testing guarantee security?

Pen testing reduces unknowns and finds gaps, but security also depends on fixing issues, preventing regressions, and continuously monitoring for new exposures.