If you’re reading this article, you probably know of Keyqo Security. If you don’t, we offer IT services to healthcare providers of all shapes and sizes. And like it says in our name, we specialize in the security side of IT. Security design and architecture, consulting and vCISO services, all the fun stuff! One of our most popular services is something called a “penetration test”. “But”, we hear you asking, “what exactly is a penetration test? Why would I as a practice owner want one or care about one?” Penetration tests are possibly the single most valuable security tool a practice owner can have in their arsenal. However, not many people see the value of one. That is, until their practice gets hacked and the forensic report shows that the practice owner could have easily prevented the breach, if only they knew how! And we all want to keep from being hacked, don’t we? So in this article, we’ll give a quick summary of penetration tests and why you need one.
What’s a Penetration Test?
At its core, a penetration test simulates a hacker’s attack. Penetration testers (AKA “pentesters” or “white hat hackers”) take the role of a bad guy, your everyday cybercriminal. They examine the target’s IT infrastructure for weaknesses (called “vulnerabilities” or “findings”) and try to take advantage of (“exploit”) them. A successful exploitation attempt is called a “compromise”. Whether or not anything is compromised, at the end of the engagement the penetration tester will generate a report with a full listing of findings, evidence of what they were able to do with each one, and ways to fix said findings (“remediation steps”). They’ll provide that report to you, and your IT team will then need to fix each finding or otherwise address it. The pentester can also remediate each finding themselves, but that raises concerns regarding impartiality (the same person grading and doing the homework), and most pentesters don’t recommend it. Once your IT team states they’ve addressed all findings, the pentester will re-test each finding to ensure the fix worked. The remediation/fix/re-test cycle continues until all findings have been addressed.
Types of Penetration Tests
Penetration tests can take one of three forms, named for how much the tester is allowed to see:
White-box test
In this form of test, the pentester will have access to all parts of your IT infrastructure, including source code, credentials, network diagrams and internal documents. These tests provide the deepest insight into the security of your network, as the pentester can see and try to exploit everything. However, this option costs the most and takes the most time. The more the pentester has to review and test, the more time they’ll need to complete their assessment. If they charge hourly, more hours means higher costs.
Black-box test
In this form of test, the pentester won’t have access to anything that isn’t already publicly available. You won’t give them anything more than the target information agreed in the scope, and they take care of the rest. This naturally means that the pentester may not discover every possible weakness: a real attacker may spend months probing you, while a pentester has a fixed number of days. However, this option mirrors the perspective and methodology of a real-world attacker most closely, making it the most “realistic” of the tests and a good measure of what an outsider can actually reach.
Gray-box test
In this form of test, the pentester has access to some proprietary knowledge of their target, but not everything (for example, a set of user credentials and an architecture overview, but no source code). This test falls somewhere between white-box and black-box tests; clients who use this generally want deep dives into one or two mission-critical applications, but don’t want a hardcore analysis of everything. These offer a great blend between thoroughness and realism.
The rigor of the test doesn’t differ based on the type you choose, just the information you provide to the pentester. What does differ is coverage: the less the pentester knows going in, the more of their time budget goes to discovery instead of exploitation, so a black-box test of the same systems will generally surface fewer findings than a white-box test.
The Penetration Test Process
As we state on our Security Consulting Services page, we follow a five-step process in all tests:
Define the scope of engagement
The pentester will discuss the scope and type of the test, as well as answer some important questions. What IT resources will they test, and what is explicitly off limits? What information will they have access to? What’s the end goal of this penetration test – at what point does the pentester “win” (for example, reading a patient record they shouldn’t be able to see)? Do you want a social engineering component (such as phishing your staff) or a physical intrusion attempt done as well? Because clinical systems are involved, this step also fixes the rules of engagement: when testing may happen, which systems must never be disrupted, and who to call if something goes wrong during the test.
Conduct the penetration test
The pentester will actually begin the test as per the agreed-upon statement of work from step #1. The pentester will follow an established methodology to attack your IT resources and do their best to compromise your network within the agreed rules. This will include a blend of public and custom security tools, exploits, and techniques, with every successful step documented as evidence for the report.
Report on our findings
The pentester will give you a custom report showing everything they tried, whether each attempt succeeded or failed, and ways to fix any issues the pentester noted. The report will prioritize each finding by severity, scored from “critical”, “high”, “medium”, “low”, down to “informational”, based on how much damage the weakness allows and how easily it can be exploited.
Remediate all findings
Your IT team will fix all issues the penetration test found, or formally accept the risk of the ones they judge not worth fixing and document why. That written decision matters: an accepted risk with a reason behind it is defensible in an audit, while an ignored finding is not.
Test the fixes
The pentester will take the remediation done in step #4 and re-test each finding. If your team fixed the finding, the pentester will note that. If not, they’ll note that too, and everyone will repeat steps #4 and #5 until your IT team addresses everything to your satisfaction.
Why Do I Need a Penetration Test?
We believe every business should have penetration tests done on their IT systems at least once a year, and ideally quarterly or whenever something significant changes, such as a new patient portal or EHR system going live. Why, you may ask? Read on:
It supports HIPAA’s risk analysis and maps to NIST’s CA-8 control
While HIPAA does not specifically require you to get a penetration test done, HIPAA does require you to conduct a risk analysis. This analysis should summarize all risks and vulnerabilities related to any sort of protected health information (PHI) you “create, receive, maintain, or transmit”. How can you do so without knowing what weaknesses you have, or what you have that works? That’s where penetration tests can help. Additionally, NIST SP 800-53 control CA-8 calls for penetration testing at a defined frequency on defined systems, and its enhancement CA-8(1) calls for an independent penetration testing agent or team, meaning someone outside the group that built and runs the systems. NIST 800-53 is binding on federal systems; for a private practice it is the benchmark auditors and regulators most often reach for rather than a law in itself. To keep your HIPAA risk analysis defensible, at least one penetration test a year is a sensible baseline. Otherwise, if you get breached, you could face legal action and fines that run into the millions of dollars, on top of breach notification costs, and that could very well bankrupt you and your practice.
It shows you areas you need to fix before cybercriminals do
A quality penetration test can find most of the exploitable weaknesses in the parts of your IT infrastructure that are in scope. Since a huge portion of the penetration test revolves around reporting and remediation, you’ll know exactly what doesn’t work, how bad it is, and how to fix it. Compare that to finding out about those weaknesses after your practice gets hit by ransomware or data theft. What would you prefer?
It tells you what areas of IT security to invest in
Does your report show multiple information disclosure vulnerabilities? Then fix how data gets exposed to your users and outsiders, and review who can see what. Seeing a lot of SQL injection vulnerabilities? That is an application problem, not a database problem: invest in getting the application code fixed to use parameterized queries, and in reviewing any custom software before it goes live. The pentester walked straight through your firewalls? The fix is usually tighter rules and network segmentation rather than a more expensive box. Pentesters don’t want you to get hacked; that’s the point of the report. We’ll tell you where your weaknesses lie, so you can fix them before the bad guys exploit them.
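To make the SQL injection point concrete, here is an added example (not code from the original article or from Keyqo Security) showing the kind of weak lookup a pentest report flags beside the parameterized version that fixes it. The table, rows and function names are constructed for the demonstration and stand in for a real practice’s systems.

```python
import sqlite3

# Constructed sample data for this demonstration; not a real practice's records.
SAMPLE_PATIENTS = [
    (1, "alice", "MRN-0001"),
    (2, "bob", "MRN-0002"),
]


def _open_sample_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER, username TEXT, mrn TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_PATIENTS)
    return conn


def lookup_vulnerable(username: str) -> list:
    """The weak pattern a report flags: user input pasted straight into the SQL text.

    A username of  ' OR '1'='1  turns the WHERE clause into one that is always
    true, so every patient row comes back instead of just the caller's own.
    """
    conn = _open_sample_db()
    query = f"SELECT username, mrn FROM patients WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(username: str) -> list:
    """The remediation: the driver binds the value separately from the SQL text,
    so whatever the user types is compared as data and can never become syntax.
    """
    conn = _open_sample_db()
    query = "SELECT username, mrn FROM patients WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    payload = "' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(payload))      # both sample rows leak
    print("parameterized: ", lookup_parameterized(payload))   # no user has that literal name
    print("normal lookup: ", lookup_parameterized("alice"))
```

The hardened version is not a bigger database license or a new firewall; it is one line of application code written differently, which is why this class of finding belongs on the development team’s plate rather than the infrastructure budget.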
It saves you money
Would you rather pay a few thousand dollars for a penetration test? Or would you rather pay a multi-million-dollar fine because you didn’t want to spend the time and money to discover your IT weaknesses beforehand?
All Healthcare Practices Should Get a Penetration Test ASAP
Just like regular physicals help you find and treat health issues quickly, penetration tests provide some of the clearest insights into the health of your practice’s IT infrastructure. They help you find your security weaknesses before the bad guys do, at a fraction of the cost of dealing with a breach. Like the saying goes, “an ounce of prevention is worth a pound of cure”. Don’t pay for that pound of cure if you can help it.
If you care about securing your practice and patient data, penetration tests are just what the doctor ordered!
Interested in getting a penetration test done for your practice’s IT infrastructure? Get in touch with our expert security consulting team, and let us handle the heavy lifting.