Healthcare continues to be the most targeted industry for cyberattacks, and that number continues to trend upwards in the midst of the coronavirus pandemic ( Health IT Security ). SEE ALSO: Healthcare Data Breaches – A Haunting Reality Many healthcare organizations are beginning to take cybersecurity much more seriously. Unfortunately, it still may not be enough. SEE ALSO: Universal Health Services Is the Target of One of the Largest Medical Cyberattacks in History Another tactic that providers can take to secure their networks is to conduct penetration testing.
DefinitionPenetration testing (also shortened as pen testing) is a preventative security measure to expose vulnerabilities in computer networks and data by simulating a cyberattack. A company requests ethical hackers or cybersecurity experts to perform a planned “attack” in order to identify any weak points in its security system. Upon conclusion, a business is armed with useful information to strengthen its defenses against cybercriminals.
Is pen testing critical for healthcare?Absolutely! According to Health IT Security , protected health information (PHI) is the most targeted type of data by cybercriminals because it often contains valuable data such as bank account information. It is often leveraged in ransomware attacks. SEE ALSO: Cybercriminals are Adapting Ransomware Strategies to Exploit the Current Crisis Penetration tests can help you achieve HIPAA compliance by identifying any points where unauthorized parties could access data. In fact, pen testing covers the technical evaluation requirement for HIPAA administrative safeguards .
How are pen tests conducted?The first step before running a pen test is to establish a goal for the test. Of course, the primary goal is to expose security vulnerabilities, but more specific objectives may exist depending on the organization’s needs ( Core Security ). For example, a hospital may want to test if certain databases or data points can be targeted. Once a goal is established, a tester may be granted either full or limited access to system information. The amount of data a tester is given largely depends on the organization’s goal. White box testing , also known as internal testing, is when a tester acts as an employee or authorized user to perform a pen test. This supplies the tester with detail and insight into weak points and vulnerabilities. A white box approach can also reveal how employees may intentionally or unintentionally exploit PHI and other sensitive data. SEE ALSO: How to Ensure Your Employees Aren’t a Threat to HIPAA Compliance Black box testing (external testing) gives as little information as possible to most closely resemble a real cyberattack. The tester performs the pen test from an outsider’s perspective. Gray box testing falls somewhere between the white box and black box approaches. This can be useful if an organization wants to measure or control the level of permission users have.
What are the different types of tests?A variety of pen tests exist to discover weak points with different techniques on various platforms. PurpleSec recognizes 6 types of pen tests:
- Network Services: This test is the most common and identifies vulnerabilities in the network infrastructure (servers, firewalls, routers, etc).
- Web Application: A more complex test, experts evaluate web apps, browsers, and associated software and plugins.
- Client-Side: This test involves client-facing programs and software including email clients, web browsers, and programs such as Microsoft Office or Adobe Photoshop.
- Wireless: Devices that are connected to a common network (phones, laptops, printers, etc) are targeted to examine any connection vulnerabilities.
- Social Engineering: This test highlights any phishing and other fraudulent/trust-based cyberattacks.
- Physical Penetration Testing: Often overlooked, a tester attempts to gain physical entry into a data center such as a server room or file storage.
How often should organizations conduct pen tests?Redscan recommends testing annually at a minimum, but there are other situations that warrant a test, including:
- Infrastructural changes
- Mergers & acquisitions
- Launching new products or services
- Maintaining/updating a system for compliance
Try Paubox Email Suite Premium for FREE today.