Pen Testing Data Highlights Gaps in Healthcare Cybersecurity

September 16, 2022 - Penetration (“Pen”) testing is a key tool in maintaining healthcare cybersecurity and identifying potential security gaps and vulnerabilities before threat actors can. Security firm Coalfire found that while healthcare is slowly moving away from its reliance on legacy systems, unpatched and out-of-date software continues to cause security issues.

Coalfire analyzed the results of 3,100 pen tests conducted on behalf of its clients to draw insights about top cybersecurity risks. Additionally, the firm engaged NowSecure to provide additional insights about mobile apps. The report included findings from a variety of industries, including healthcare.

Researchers found that legacy systems in healthcare “conflict with more advanced platform-enabled environments.”

“Dispersed locations and expensive-to-replace medical equipment further complicate the situation,” the report stated.

Based on Coalfire’s findings, the firm recommended that healthcare organizations conduct real-time pen testing and strive for continuous compliance monitoring, even within legacy systems.

Legacy medical devices have also long been a source of stress for security professionals in healthcare. The Federal Bureau of Investigation (FBI) recently released a notice outlining the security and patient safety risks associated with legacy medical devices and urged the healthcare sector to take action.

The FBI emphasized the need for asset management, employee training, and endpoint protection to mitigate risk.

Among all sectors, Coalfire found that security misconfigurations topped the list of leading application vulnerabilities, most likely because “it serves as a catch-all bucket for issues related to application and network configuration.”

The year-over-year consistency with security misconfigurations, as exemplified in past reports, suggested to researchers that organizations are struggling with asset inventories, cyber hygiene, and using legacy systems that drive multiple vulnerabilities.

On a brighter note, the data showed that for the first time in recent years, most companies were not fully compromised by social engineering tests. While 90 percent of tested organizations were compromised in the 2020 report, only 45 percent met the same fate in 2022.

When it came to attack vectors, researchers noted the prevalence of unassuming internal threats.

“For most organizations, their external network is hard on the outside, but underneath is a vulnerable attack surface that faces a tapestry of open-source tools and applications, unintentionally exposed code, more sophisticated and motivated cybercriminals, and nation-state threats,” the report stated.

“Once that thin external layer is compromised, exploiting underlying weaknesses can be deceptively easy. Upon exploitation, attackers can move laterally inside the organization, quickly finding completely new attack paths and social engineering opportunities.”

Although internal threat risks have dipped in recent years according to Coalfire’s reporting, researchers suggested that more work needs to be done to truly reduce risk. Artificial intelligence-driven (AI) security solutions, continuous integration (CI) and continuous deployment (CD) pipelines, and zero trust security strategies may help organizations manage risk as the attack surface continues to expand.

“Continue shifting to a multifaceted defense-in-depth strategy that encompasses various layers of controls to prevent, detect, and limit the attacker’s blast radius,” the report advised.

“A defense-in-depth strategy – which includes ongoing testing to identify likely weaknesses based on risk management priorities specific to your organization – also anticipates detection and remediation measures during actual attacks.”