Putting Patient Security First: Vulnerability Assessments for Healthcare Organizations

As a healthcare organization, you already know to put patients first. Over recent years, healthcare organizations have been targeted more and more frequently by cyber criminals. This has resulted in large scale data breaches and in disruptions in patient care that have even proved fatal. The pandemic has increased the use of telemedicine, and thus the amount of personal data being transferred over the internet to patients' homes and other locations. The Internet of Things promises great increases in patient safety and in the efficiency of how hospitals and institutions are operated.

In other words, it has never been more important to ensure that your healthcare organization protects the security of your patients and the overall security of your networks and technology. Furthermore, you need to keep in mind the specific needs of the industry. In the past, institutions and providers have focused primarily on HIPAA compliance, but now you need to move past that and into an environment where patient security is a key priority.

What is a Vulnerability Assessment?

A vulnerability assessment is not the same thing as an audit. It is, instead, a comprehensive assessment of all of a system's vulnerabilities. This has a number of steps:

  1. Identify all of the organization's assets. This includes things like personal devices and smart medical devices (anything that connects to the network is potentially vulnerable to a cyber attack). Work with your clinical engineering team.
  2. Inventory the assets to assess how they are used. For example, a doctor's phone that he uses primarily to text his coworkers may be less of a priority than the network routers that transfer data from smart devices to the main network.
  3. Prioritize assets that contain sensitive data. Compliance requires that you treat personally identifiable information, protected health information, and financial information such as credit card data as sensitive.
  4. Assess the weaknesses of each asset.
  5. Rank them so that you can fix the largest problems first.
  6. Track and prioritize remediation.

Vulnerabilities fall into four different categories: human error, system changes, configuration errors, and software. When prioritizing remediation, it's often easiest to start with the most common problems, such as unpatched operating systems or poorly chosen passwords.
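As an added example (not from the original post and not GreyCastle's method), the inventory, sensitive-data and ranking steps above expressed as a small Python scoring model; the weights, the asset names and the sample inventory are constructed assumptions, not a published standard.

```python
"""Rank a healthcare asset inventory for remediation (constructed example)."""
from dataclasses import dataclass

# Sensitive data classes the post names; weights are constructed assumptions.
DATA_WEIGHT = {"PHI": 5, "PII": 4, "PCI": 4}
# The four vulnerability categories from the post; weights are assumptions.
CATEGORY_WEIGHT = {"human error": 2, "system change": 2,
                   "configuration error": 3, "software": 3}
EXPOSURE_WEIGHT = {"internet": 3, "internal": 2, "isolated": 1}


@dataclass
class Asset:
    name: str
    exposure: str            # internet / internal / isolated
    data: tuple = ()         # sensitive data classes the asset holds
    clinical: bool = False   # patient-care device: a fault has safety impact
    weaknesses: tuple = ()   # (category, description) pairs from step 4


def score(asset: Asset) -> int:
    """Likelihood (exposure x weaknesses) times impact (data + patient safety)."""
    data = sum(DATA_WEIGHT[d] for d in asset.data)
    weakness = sum(CATEGORY_WEIGHT[c] for c, _ in asset.weaknesses)
    safety = 5 if asset.clinical else 0
    return EXPOSURE_WEIGHT[asset.exposure] * weakness * (data + safety + 1)


def remediation_queue(inventory):
    """Assets with at least one weakness, highest score first (step 5)."""
    ranked = sorted((a for a in inventory if a.weaknesses),
                    key=score, reverse=True)
    return [(a.name, score(a)) for a in ranked]


# Constructed sample inventory (hypothetical asset names).
INVENTORY = [
    Asset("infusion-pump-07", "internal", ("PHI",), clinical=True,
          weaknesses=(("software", "unpatched embedded OS"),)),
    Asset("ehr-db-01", "internal", ("PHI", "PII"),
          weaknesses=(("configuration error", "default admin password"),)),
    Asset("dr-smith-phone", "internet",
          weaknesses=(("human error", "no screen lock"),)),
    Asset("billing-web", "internet", ("PCI", "PII"),
          weaknesses=(("software", "outdated TLS library"),
                      ("configuration error", "admin port open"))),
    Asset("lab-printer", "isolated"),   # no known weakness: not queued
]
```

Run on the sample inventory, the internet-facing billing server and the clinical device rank above the database with a default password, and the doctor's phone lands last, matching the prioritisation the post describes.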

Why are Vulnerability Assessments Important in Healthcare?

Healthcare providers have a particular need for these kinds of assessments for two main reasons.

The first, of course, is the large amounts of sensitive data healthcare organizations handle. A breach can be significant, and damages to systems (or incorrect information) can endanger patients.

The second is that healthcare organizations tend to have a bit of a patchwork approach to IT, with legacy systems sitting under more modern EHR systems that clinical staff are not always trained to use. It's important to do a vulnerability assessment any time you do a major update and to look towards retiring unused legacy systems that can sometimes leave back doors into your system.

Best Practices for Vulnerability Assessments

The overall process of a vulnerability assessment for healthcare has already been discussed. For HIPAA compliance, technical issues tend to get most of the focus; however, it is vital for the assessment to cover non-technical vulnerabilities as well.

Because of this, semi-automated scans are only part of the picture, albeit vital for a proper HIPAA cyber security risk assessment as they perform tedious tasks that would take too long if done by a human. The testing process should also cover employee training. Best practices include ensuring that all vulnerabilities are properly detailed, as well as including recommendations for remediation and long-term security measures.

For the organization, it's important to get out of the way of the security assessor and let them do their job. One issue is that sometimes providers will insist that the assessor focus on a checklist of what they think is important. This hampers the tester in properly doing the job. Instead, you should make sure that the person you hire is familiar with healthcare and understands your business logic and where it might differ from that of similar organizations.

What about Penetration Testing?

There's often a lot of talk about penetration testing. Penetration testing may be paired with a vulnerability assessment, but is not quite the same thing.

During a penetration test, the tester will pretend to be a criminal and launch various attacks on your systems to see where they can get in. This includes both external tests (from outside the network) and internal (to represent the risk from, for example, disgruntled employees trying to do damage on their way out).

A penetration test is, though, a very specific thing. Generally, you are checking a particular system or attack vector. This might be, for example, having a tester try to brute force passwords, or checking the firewall for ports which have been left open.

Penetration testing is, in fact, something you might do after a vulnerability assessment. The overall assessment reveals where you might have a weakness, and the penetration testing determines the extent of the weakness and helps determine how best to fix it. Another issue with penetration testing is that the hacker has to be given explicit permission for every attack they make, for legal reasons. This protects the tester from liability. You should also make sure that the tester knows that some systems, such as medical devices, should not be altered, but that the tester should stop on access and report immediately.

When you have a vulnerability assessment performed, it may well include some penetration testing. However, the two are not the same thing and serve different purposes.

Having a vulnerability assessment is a key part of developing an improved cyber security strategy to protect your patients and their personal information. As a side effect, it also helps protect employee personal information that might be on file. GreyCastle Security provides vulnerability assessments for healthcare organizations. We have the specialist industry experience you need to help ensure that the assessment is done properly, compliance rules are met, and that your patients are properly protected.

To find out more about how we can help you protect your patients from the growing threat of cyber attacks, contact GreyCastle Security today.