Virta Labs Blog


Why Penetration Testing in Healthcare Isn't Enough

Posted by Ben Ransford on Jun 26, 2017 4:01:00 AM

That thumping sound is the drumbeat of healthcare cybersecurity news stories. Ransomware, malware, spyware, records theft, covered entities, breaches. Suddenly hospital board members are asking questions about cybersecurity preparedness. That's healthy.

When the board starts knocking, well-meaning CISOs and security teams spring into action, ordering up assessments and other services from a growing cottage industry of third-party security consultants. That's healthy too — healthcare is one of many industries that needs an ecosystem of support around security activities.

The best assessments are sound, complete, and actionable. The worst ones ain't.

Given a statement of work from a third-party assessor, how can you tell whether it's sound, complete, and actionable? That's for a forthcoming post. This post is about one kind of unhelpful assessment: the kind that's only a penetration test.

Pen Testing Alone Misses the Mark in Healthcare

Unless your board has some serious security experience, it's easy to placate them by showing them that you've hired a name-brand firm to conduct a penetration test. The sky's the limit when it comes to paying a team of überhackers to produce a lengthy report. But are you better off afterward?

There are three key reasons penetration testing alone is less useful in healthcare than in other industries.

Reason #1: Asset Diversity

Penetration tests work best when the client can generalize the results — when infiltrating one system teaches you lessons that you can apply to all of your systems. For example, pen-testing the operating system image you deploy to all of your workstations or servers is a great use of resources. Fix that system image and you've eliminated a huge portion of your attack surface.

But healthcare isn't delivered from a fleet of identical workstations. Clinical environments contain every kind of computing device, from cheap sensors to million-dollar C-arms. It's not uncommon for a single hospital's network to contain 1,000 or more unique device types. Penetrate one type of device and you've assessed... 0.1% of them. Pay the wizards to penetrate a hundred device types — which they'll happily do for a price — and you've assessed... 10%. Either way, findings from one device type say little about the other 90-plus percent, and the coverage number stays small no matter how thick the report is.

Reason #2: Legacy Devices

Not only do assets have different types, but they also have different vintages in a real clinical setting. Unfortunately, software doesn't age gracefully. Pen-test a medical device based on an old operating system and you'll see vulnerabilities that you vaguely remember reading about years ago. Remember Conficker? Yep, it's still a threat in healthcare. Pen-test only the newer models and you'll miss the vulnerabilities afflicting the older ones.

If you pay a consultant to rehash years-old exploits or the pen test is so narrowly focused that you miss huge swaths of aging devices, you're not using your money efficiently and your risk assessments will be out of whack. Worse, you won't be able to take actions that meaningfully improve your security posture.

Reason #3: Tied Hands

Penetration tests often reveal vulnerabilities in medical devices to the hospitals that operate those devices. But a common refrain among manufacturers is that customers are not meant to apply operating system updates or otherwise change device software. What is a healthcare provider to do when they learn about vulnerabilities they've been told not to remediate themselves? Or, when a pen test turns up design flaws, such as a weak choice of encryption ciphers that only the manufacturer can change, how can they prioritize engaging with that manufacturer, especially when there are bigger fish to fry?

If you find yourself saying "yes, we know" more than a few times to a pen tester's findings, you're probably experiencing some degree of the tied-hands problem.

Bonus Reason: Vanishing Perimeters

Devices come and go (ideally not with PHI). Clinicians returning home from conferences with unreported $4,999.99 clinical devices, lax vendors setting up new systems on the "Hospital-Guest" wifi at 4:50pm on a Friday, bored patients with a technological bent — all of these happen. Take-home devices smudge the "perimeter" over to poorly secured home networks. Cloud services sit outside the network entirely, so a tester working from one vantage point may never see them. All of these realities make it harder to reason about your security posture from a penetration test, which by design examines a fixed scope from a fixed vantage point at a fixed moment in time.

If Not Pen Testing, Then What?

Not not pen testing. Yes to pen testing done well. Penetration testing is appropriate, but it's not a panacea. If you engage a consultant who offers security assessment and pen testing, here are some useful questions to ask them:

  • Will you give us an accurate inventory of our systems, even the ones you don't single out for extra scrutiny?
  • What is your plan to relate security to patient safety? Will you help us establish a set of priorities that align with our commitment to patient care?
  • How will you ensure that the clinical side of the organization — clinical engineers, biomeds, patient care staff — will understand the assessment and be able to put it in context?

A forthcoming blog post will go into more detail about productive, whole-team relationships that can put assessments into action. Subscribe to this blog for email updates when new posts appear, and join our announcements list to periodically see what we're up to.

Stay safe!

Topics: Clinical Cybersecurity, Connected Medical Devices, Medical Device Risk Assessments