Tag: Hipaa

  • Why We Always Harp on Healthcare

    Over the years, we’ve posted several times about the need for pentesting and a focus on security in the healthcare industry. Healthcare security may start with HIPAA regulations, but, in the end, it all comes down to protecting patients and the healthcare workers – from doctors to nurses to insurance offices, administrative staff, and everyone else who gives their all so that you and your family members are safe to focus on healing.

    Getting Better, But There’s More to Do

    Years ago, when I was still on the pentest team at Raxis, I recall walking through hospital patient floors during physical social engineering engagements. I’d put on the scrubs that I bought at Walmart, and even though they often didn’t match the scrubs the other nurses and doctors wore, I never got stopped while wearing them.

    I took papers off printers (to photograph for my report and return) and sat down at computer workstations to learn the software available since the systems weren’t locked. I walked through all levels of the hospital that were in scope for the test, using elevators and stairwells without finding a locked door and without being questioned.

    In this short video, Raxis CEO Mark Puckett speaks about healthcare pentests he’s performed in the past and how the vulnerabilities we find concern us all.

    More recently we’ve found hospitals more likely to automatically lock workstations, but with the shortage of healthcare workers and no short-supply of emergency situations, we want to give the healthcare industry every possible advantage to stay secure.

    STILL MORE TO DO

    Just as hackers are constantly changing and discovering new ways to attack, Raxis also changes in order to keep our customers secure in this ever-changing environment. We offer several options for the healthcare industry, and we created our newest option, PTaaS (Penetration Testing as a Service), in order to help our customers who have their eye on the strongest security possible today.

  • Rising Above The Minimum Cyber Security

    Cyber attacks on the rise

    With the end of each year there are blog posts and articles suggesting the next year will be worse than the previous when it comes to cyber security. Whether those predictions are true or not, one thing is sure – IT Security is a top concern for most network administrators – and it’s a concern that’s only likely to get bigger.

    2016 saw a rise in ransomware and other malware attacks (FBI This Week – March 2016). We also saw insinuations of foreign governments leveraging their way into critical data (DNC & FDIC were two stories of 2016 that suspected international hacking as the culprit) .Companies large and small alike were crippled by cyber attack.

    What’s at risk

    A successful cyber attack can not only damage a company but also could impact business continuity to such a point that the business could not recover. There are ancillary impacts to be considered aside from the critical loss or compromise of data – down time, recovery cost, reputation damage, fees for providing identity theft protection for customers, and possible litigation are just a handful of hurdles an attacked company can face.

    PCI & HIPAA regulations

    Many companies and organizations look to guidelines such as PCI and HIPAA as a security framework, but the reality is these guidelines are best considered as a baseline and the MINIMUM a company should be doing. The proactive company is looking for strategies to safeguard their networks, apps, and APIs with as much fortitude as possible. Operationally, this translates to running in-house scans, delivering constant awareness training, and consistently leveraging the value of penetration tests. The responsible company is also hiring outside experts to attempt network, physical and social penetrations in addition to the in-house testing. The goal should be to ascertain exposures and remediate them to drive the improvement of the organization’s security posture.

    The cybersecurity risks are real

    Even with the best of intentions, shortfalls occur. Systems don’t always get patched and are often prone to insecure configurations. With the rise of social engineering as an attack vector, employees are often the weakest link (unintended of course). Threats are limited only by an attacker’s creativity, and it is impossible to predict all threat vectors. A realistic attack by a skilled adversary is the best way to understand the mindset of the attacker and gain an understanding of how your systems may be vulnerable to compromise.Nothing beats an outside set of eyes testing your defenses. Cyber attacks are on the rise, and companies have never had more to lose. With so much on the line, now is not the time to be looking at average security measures. What steps will you take in 2017 to improve your security posture?