Healthcare providers need hackers’ perspective on vulnerabilities

Many healthcare organizations have an employee who is fully or partially responsible for overseeing data security.

Small organizations may have someone with some cyber security experience who takes on the job, but rarely on a full-time basis. Larger providers may have several people protecting the enterprise, running penetration tests and automated scans and educating employees about cyber security. They are likely working under the supervision of a chief information security officer, and that is a pretty good situation, says Wesley McGrew, a computer scientist and ethical hacker at HORNE Cyber, a cybersecurity services firm.

(Photo: Wesley McGrew)

But it won’t be good enough because the hackers are better.

The goal for providers should be to identify vulnerabilities that would be an entry for an attack and fix what can be fixed—but even that still won’t be enough, McGrew contends.

“You can spend money on defense, but if there are any errors, attackers will take advantage of them, so (healthcare organizations should) use real hackers. We’ll find dozens of vulnerabilities and focus on those that will hurt the most, like causing downtime, regulatory fines and loss of reputation. You need a third party with expertise to identify vulnerabilities, because it’s hard to check your own work for accuracy. This can’t be a part-time job.”

To educate organizations, HORNE Cyber and other security firms offer products that simulate ransomware attacks, showing how the ransomware spreads through the organization and what the impact would be if the organization were actually attacked. “This helps providers see how they are being infected and what types of data are being encrypted,” McGrew says.
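The kind of impact estimate such a simulation produces can be approximated with a harmless dry run. The script below is an added example, not HORNE Cyber's product or any code from the article: it walks a file tree, applies the file-selection rules that commodity ransomware typically uses (a target-extension list and a set of skipped system directories; both are assumptions chosen for illustration, not any specific family's configuration), and reports what would have been encrypted, by file type and by top-level directory. The sample "clinic file server" layout is constructed inside a temporary directory so the script runs offline and modifies nothing.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: a representative set of extensions commodity ransomware targets.
TARGET_EXTENSIONS = {
    ".docx", ".xlsx", ".pdf", ".csv", ".sql", ".bak",
    ".dcm", ".jpg", ".png", ".zip", ".txt",
}
# Assumption: directories ransomware commonly skips so the host stays bootable
# (and the ransom note stays readable).
SKIP_DIRS = {"windows", "program files", "$recycle.bin", "boot"}


def would_be_encrypted(path) -> bool:
    """Return True if a typical ransomware file selector would pick this file.

    `path` should be relative to the scanned root so that the name of the
    temporary directory cannot accidentally match SKIP_DIRS.
    """
    path = Path(path)
    if any(part.lower() in SKIP_DIRS for part in path.parts):
        return False
    return path.suffix.lower() in TARGET_EXTENSIONS


def simulate_impact(root: Path) -> dict:
    """Dry-run walk of `root`: count what would be encrypted. Nothing is modified."""
    by_ext, bytes_by_ext, by_top = Counter(), Counter(), Counter()
    files_seen = files_hit = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root)
            files_seen += 1
            if not would_be_encrypted(rel):
                continue
            files_hit += 1
            ext = p.suffix.lower()
            by_ext[ext] += 1
            bytes_by_ext[ext] += p.stat().st_size
            by_top[rel.parts[0] if len(rel.parts) > 1 else "."] += 1
    return {
        "files_seen": files_seen,
        "files_hit": files_hit,
        "by_extension": dict(by_ext),
        "bytes_by_extension": dict(bytes_by_ext),
        "by_top_dir": dict(by_top),
        # The check a practitioner wants: are the backups reachable from the
        # same host that would be infected? If so they are not really backups.
        "backups_exposed": by_top.get("backups", 0) > 0,
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample layout (not real data): a small clinic file server."""
    files = {
        "shares/records/patient_001.pdf": 4096,
        "shares/records/patient_002.docx": 2048,
        "shares/imaging/study_17.dcm": 8192,
        "shares/finance/ar_2023.xlsx": 1024,
        "backups/db_nightly.bak": 16384,        # on the same share: also at risk
        "Windows/System32/kernel32.dll": 512,  # skipped by the selector
        "apps/emr/emr.exe": 256,               # not a targeted extension
    }
    for rel, size in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x" * size)


def run_demo() -> dict:
    """Build the sample tree in a temp dir, run the dry run, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return simulate_impact(root)


if __name__ == "__main__":
    report = run_demo()
    print(f"{report['files_hit']} of {report['files_seen']} files would be encrypted")
    for ext, n in sorted(report["by_extension"].items()):
        print(f"  {ext:6} {n:3} files, {report['bytes_by_extension'][ext]:7} bytes")
    print("by top-level directory:", report["by_top_dir"])
    if report["backups_exposed"]:
        print("WARNING: backups are reachable from the infected host")
```

Point it at a real share with `simulate_impact(Path("/mnt/share"))` to get an inventory of what an infection on that host would reach; the by-directory breakdown is what tells you which departments lose access, and the backups check is the single most common reason a ransomware incident turns into an outage rather than a restore.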
