The intent of penetration testing is to discover weaknesses in an information system. As with almost all knowledge, it can be used for good or bad.
In the security industry, we have to be able to think like the bad guys, but always remember we are the good guys. In this case we use penetration testing to discover possible vulnerabilities in the information system and then try to exploit them to see what countermeasures need to be put into place.
The Health Insurance Portability and Accountability Act of 1996, requires that we protect patient data. However, it really doesn’t tell us how to accomplish that. It is up to the Healthcare Information Technology Specialist to decide on and to implement a viable solution.
Types of Penetration Testing
If you ask most people what they think penetration testing is, they will say it is a method of scanning a computer or network system to validate its security. And they will be correct, in a limited way. The reality is that penetration testing can encompass three different methods.
This is what most people envision as penetration testing, the intrepid tester rooting out all of the weaknesses of their targeted information system. This is accomplished by using tools such as NMap, Nessus and Metasploit to identify and exploit any weakness of potential weakness.
But penetration testing encompasses much more…
Physical security is as important to the overall security of your medical practice and is information security. After all, why attack the network when you can easily get the information you need by walking in the door of the clinic or searching through the clinic’s garbage? I once did a Security Analysis for a company, here in San Antonio, and was able to walk around the company’s building and grounds for about two hours before someone asked me what I was doing. I had strayed into a hard hat area.
Physical security is extremely important in the healthcare industry.
Operational Security is how you run and manage your medical practice to enhance or ignore how operations affect the security of your patient’s personal information. What you do in the normal day-to-day business cycle greatly affects security. The penetration testers may try to insert himself into this process to gain protected information which could be used to penetrate the physical and/or the information security of the practice. Generally, this is accomplished by the practice called Social Engineering.
The process of performing a penetration test is sometime called the Kill chain and involves the following.
As in the military, the penetration tester must gather information about their target. The better and more detailed the information; the more likely that the attack will be successful. This is called also called fingerprinting.
After fingerprinting the systems, the penetration tester finds and exploits vulnerabilities to gain access or control of the system.
Once the penetration tester has gained control or compromised any one aspect of the system, they then move laterally into other parts of the system. Extending their control.
Finally, at the end of the test, the penetration tester reports to management on the results.
Rules of Engagement
In this scenario, the penetration tester has no knowledge of the targeted medical practice and must discover enough to compromise the system.
Here, the penetration tester has some knowledge about the medical practice, but must discover what is needed to compromise the system.
In a full knowledge situation, the penetration tester has intimate knowledge of the system.
In all of these cases, the penetration tester should obtain the explicit permission of the medical practice’s management. Penetration testing does carry a significant level of potential harm to the network and clinic. In certain circumstances, it may actually be illegal.
Clinic management and the penetration tester should agree on the objectives and level of acceptable risk before the penetration tester begins project.
It is also critical to define the timing and scope of the test.
Ideally, the penetration tester should time his attack to coincide with the tactics used by real black-hat hackers. If your target attackers attack at night, then that’s when you should do your test.
Also, testing during normal hours may lead to performance issues that could affect normal business.
Management and the penetration tester must agree on what the test is to accomplish. What is in scope and what is out of scope should be defined and written down for the protection of both parties.
Authorization & Communication
After all of the above has been defined and agreed to, the penetration tester should have a document signed by the medical practice’s management defining the parameters of the penetration test. This protects both the tester and the clinic.
Finally, after completing the penetration test, a detailed report should be created by the penetration tester. Ideally, this report will detail all vulnerabilities and exploits. A good report will also give recommendations to mitigate any potential exploits.
This report will become the working document for the mitigation efforts of the clinic’s information technology department.
If you would like to know if your medical practice is secure, contact us. We offer basic penetration testing and rick assessments.