Cyber Security: When Prevention is better than the Cure

Patient data is incredibly lucrative as it provides one of the highest payoffs to hackers on the dark web and hence Healthcare systems would always remain favored targets. Continued underinvestment in cybersecurity for Healthcare systems is the number one reason attributed to the success of these attacks. Added to this, during the COVID-19 pandemic, cybercrime has risen by about 600%.

Hackers are using the panic-stricken mindset of the people as a golden opportunity to set up traps. It is high time that you get your healthcare application vulnerability and penetration tested by an expert like us to shield yourself in the best way possible.

Source: Health IT Security

The current state of healthcare cybersecurity:

• Very few healthcare providers in the US have fully functional security programs.
• Almost half of the current providers conceded that they are in the process of creating security programs or have not created one.
• 20% of the healthcare space emails were false in 2017.
• Healthcare has the most instances of ransomware assaults over any other industry.
• Healthcare applications were the target of the lion’s share of the total ransomware attacks in 2019.
• Most healthcare organizations concede that security would be a big concern in the coming years. Healthcare information breaches are costing US businesses $6.2 billion per year.
• The average toll of a cyber-assault on a healthcare system is estimated to be $3.62 million.
• Most healthcare providers had some part of their data misplaced or stolen within the past two years.
• Patient data can be sold for as much as $363 per record on the dark web which is more than any piece of data from any other industry. The value of medical records has declined a bit over the years because of the availability of too many of them but still maintain worth in the range of $50 to $400 per medical record depending on who the patient is, the diseases and drugs dealt in the record, the sum insured by the patient, etc.
• A majority of the healthcare organizations opined that employee negligence regarding patient data is the top vulnerability.
• One-fourth of the current functional healthcare organizations using public cloud services reported that they are not encrypting their data — during storage or during transmission.
• 69% of the healthcare providers agree on the fact that they are at the risk of encountering a cyber-attack.

Notable breaches, fines levied & impacts:

• Anthem data breach in 2015 — about 79 million health records were stolen. Recorded as one of the largest data breaches discovered, it caused HIPAA to levy a $16 million fine from Anthem.
• American Medical Collection Agency (AMCA) in 2019: Around 12 Healthcare entities tied up with the billing vendor reported that their customer data has been impacted. The total estimated number of affected records is now at 25 million and counting. AMCA’s parent company has since filed for bankruptcy and its clients have been indicted with several investigations and lawsuits.
• Insurance company Dominion National reported in April 2019, that its servers have been hacked for over nine years and over 2.9 million patient records had been exposed.

Payoda’s VAPT service aims to evaluate your IT platforms and identify the vulnerabilities especially those that fall under the HIPAA Security Rule Standard. The National Institute of Standards and Technology (NIST) has issued a recommendation to HIPAA that says, “Conduct trusted penetration testing of the effectiveness of security controls in place, if reasonable and appropriate. This validates your exposure to actual vulnerabilities”.

It also emphasizes on the importance of documenting the observed deficiencies in a detailed manner and to include efficient and clear methods of remediation. GDPR also mandates some of the most stringent data protection policies that include, encryption of data, ensuring the network, the application code and the services processing the information are secure and reliant, ability to restore data availability and accessibility after an incident occurrence. We are aware of these regulations and intend to provide consistent and exemplary services in an effort to elevate your product.

Payoda’s testing experts have a wealth of experience in vulnerability and penetration testing of several web-based, desktop, mobile applications in the Healthcare and Finance domains. We employ several renowned methods of Architecture Review, Threat Modeling, Source Code Review, and Automated Scanning to find out possible vulnerabilities. We deploy our Red Teams to perform Dynamic Application Penetration Testing using a variety of tools and methods to simulate attacks and test the strength of the application. We provide in-depth and top quality documentation that meets industry and compliance requirements. We also perform scenario-based testing to assess contextual threats.

We do not just provide the list of vulnerabilities and sit back but we work together with you, on a SaaS-based engagement model to get them all fixed and persist until the application becomes flawless and robust. We provide continued support to test your application’s security controls as new modules get built-in and provide periodical reports as HIPAA requires evaluations to be done on a regular basis. We essentially aim to build, establish, and maintain a security testing practice for our clients for all their existing and future projects.

Author: Mohan Bharathi