Penetration testing, or pentesting as it’s often called, is one of the fundamental building blocks for a cybersecurity program. Pentesting provides vital information about an organization’s cybersecurity posture and seeks to uncover previously undiscovered vulnerabilities. It also demonstrates the impact of previously known vulnerabilities for more accurate risk assessment. Unfortunately, according to a Ponemon survey, 89% of the organizations surveyed experienced a cyberattack in the past year and underwent roughly 43 attacks on average. That’s a lot of pressure added to healthcare IT teams that are stretched thin. As healthcare faces new attack vectors and threat actors continue looking for new ways to profit from their endeavors, cybersecurity teams should consider shaking up their pentesting to keep pace.
One of the first steps in expanding a pentest scope is deciding how the output of the engagement will be used. Many healthcare organizations are moving away from an annual check-the-box approach to build more mature penetration programs that focus on remediation and that feed context into other cyber programs. It’s not enough to identify risk areas; healthcare organizations should also work towards resolving the issues found. Proactively reducing risk helps ensure a more robust and cost-effective cybersecurity practice. A common post-pentest pitfall is not having a remediation plan or resources ready. Remember, the hard part starts once the penetration report is delivered, but being prepared makes it much easier.
Being proactive and engaged before, during, and after a pentest is a recipe for success. You should prepare well in advance for a pentesting engagement. Having the information and teams ready to go allows the engagement to occur with minimal impact on normal activities. Staying within the agreed scope is vital during engagements, since pentesting can disrupt a network and its services; with proper planning, the risk of such impacts decreases significantly. When preparing Fortified Health Security clients for a penetration testing engagement, here are a few examples of things they are asked to do:
- Collect information about their network, such as where sensitive information and devices reside
- Have an updated list of IP ranges and virtual machines on standby
- Remain engaged and have assigned point people for the entire process
By doing these three things, organizations take a significant step forward in improving their pentesting experience. The more time the penetration tester can spend evaluating the cybersecurity posture and interacting with your team on security issues rather than on administrative tasks, the better. Having an updated list of IP ranges and virtual machines on standby is a “big one,” as assembling it can be a significant lift. Healthcare organizations often need to involve multiple departments because the resources fall outside their own, which is a good example of why communication and assigned point people are another way to improve the experience.
Getting ready for the pentest is the first step in leveling up your penetration program. To learn more about healthcare penetration programs, check out this on-demand presentation, “Getting the Most out of a Healthcare Penetration Test,” or contact us.