As an avid soccer fan, player, and coach, I have heard the phrase "the best defense is a good offense" many times. As a cybersecurity professional, I can relate to the idea of taking proactive steps to improve my team's position. Yet cybersecurity programs, in healthcare and elsewhere, still tend to be built around a reactive approach.
The risks in healthcare are too great to wait for attackers to strike, and the scale and scope of attacks keep growing: in 2023, more than 700 healthcare data breaches were reported in the United States, affecting about 133 million people.
The underutilized concept of offensive cybersecurity offers practical solutions if healthcare organizations understand and adopt this approach.
- What does offensive cybersecurity involve?
Offensive cybersecurity, a specialty under the cybersecurity umbrella, is the practice of searching for vulnerabilities in an organization's own systems before attackers can exploit them. Its probing and testing methods mimic the ways real malicious actors would compromise the organization.
Vulnerability assessment is the most basic form of offensive testing: organizations use scanning software and services to check their assets against catalogs of known vulnerabilities, such as missing patches or outdated software. Penetration testing (also known as "pen testing") sits a layer above it. Rather than just listing weaknesses, a pen tester tries to actually exploit them, such as weak encryption or a missing patch, chains them where possible, and demonstrates the impact an attacker could achieve.
Red teaming is the third type of offensive cybersecurity and the most complex of the three. A red team is an internal offensive security group that simulates as realistic an adversary as possible, attacking the organization's network and systems while trying to avoid detection. This tests not only the security posture of the network itself, but also the vigilance of the other security personnel in the organization.
What does this vigilance look like in healthcare settings?
For example, let's say Dr. Smith works at a hospital in Chicago, and a member of the cybersecurity team sees an alert that her credentials were used to access an electronic medical records system in Atlanta. The analyst would be wise to contact Dr. Smith and ask whether she was traveling and logged in to fill out paperwork on the go. If she wasn't, they may need to disable the account while they investigate whether a breach has actually occurred.
No matter how sophisticated your security controls are, there is still room for human error, which is why vigilance is essential across the security team.
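The Dr. Smith alert above is what detection engineers call an "impossible travel" rule: two successful logins by the same account from locations that no one could physically move between in the elapsed time. The following is an added illustration of that rule, not code from the article or from Altera; the site names, coordinates, user names, log format and the 900 km/h threshold are assumptions made for the example, and the log lines are constructed.

```python
# Added example (not from the article): a minimal "impossible travel" check
# over constructed EHR login events. Site names, coordinates, user names and
# the speed threshold are assumptions made for this illustration.
import math
from datetime import datetime, timezone

# Constructed site table mapping an EHR instance to approximate coordinates.
SITES = {
    "chicago-ehr": (41.88, -87.63),
    "atlanta-ehr": (33.75, -84.39),
}

# Assumed threshold: faster than a commercial flight means the same person
# could not have made both logins in person.
MAX_SPEED_KMH = 900.0

# Constructed sample log, one event per line: ISO-8601 UTC timestamp followed
# by key=value fields. Not real data.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z user=dr.jones site=chicago-ehr result=success
2024-05-01T09:00:00Z user=dr.smith site=chicago-ehr result=success
2024-05-01T09:25:00Z user=dr.smith site=atlanta-ehr result=failure
2024-05-01T09:40:00Z user=dr.smith site=atlanta-ehr result=success
2024-05-01T11:00:00Z user=dr.jones site=atlanta-ehr result=success
"""


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with a UTC datetime."""
    ts_str, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def impossible_travel(log_text, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive successful logins by one user from different sites whose
    required travel speed exceeds max_speed_kmh. Failed logins are ignored: they
    do not prove presence. Returns a list of alert dicts, oldest first."""
    events = sorted(
        (parse_event(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    last_success = {}  # user -> most recent successful event
    alerts = []
    for ev in events:
        if ev.get("result") != "success":
            continue
        prev = last_success.get(ev["user"])
        if prev is not None and prev["site"] != ev["site"]:
            distance = haversine_km(SITES[prev["site"]], SITES[ev["site"]])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Same-second logins from two sites are treated as infinitely fast.
            speed = distance / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                alerts.append({
                    "user": ev["user"],
                    "from_site": prev["site"],
                    "to_site": ev["site"],
                    "minutes_apart": round(hours * 60),
                    "distance_km": round(distance),
                    "speed_kmh": round(speed),
                })
        last_success[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOG):
        # The alert is a prompt to verify with the user, not an automatic lockout.
        print(f"verify with {alert['user']}: {alert['from_site']} -> {alert['to_site']} "
              f"in {alert['minutes_apart']} min ({alert['speed_kmh']} km/h)")
```

On the constructed log, dr.smith's Chicago and Atlanta logins are 40 minutes apart, which would require roughly 1,400 km/h, so she is flagged; dr.jones made the same trip over three hours and is not. Two caveats a practitioner would add: the rule should open a verification step (the phone call to Dr. Smith), not disable the account on its own, and in real deployments the "location" usually comes from IP geolocation, where VPN egress points and mobile carrier addresses produce false positives that the threshold alone will not remove.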
- Why is it not used much?
Despite the benefits of proactive measures, healthcare organizations use these methods only sporadically, for three main reasons.
- Budget: Limited budgets make it difficult to fund new solutions that don't directly contribute to the organization's bottom line, and cybersecurity is usually counted among them. Given the resources a comprehensive offensive cybersecurity program requires, it is no surprise that these efforts lack the attention and funding they need.
- Knowledge: A lack of knowledge about the depth and breadth of offensive tactics also hampers adoption. Awareness of cybersecurity in general has grown considerably among non-technical professionals in recent years, but few of them know what offensive cybersecurity actually involves. Internal security teams that want to start or expand offensive work need to educate their organization and leadership on its value to gain buy-in and additional support.
- Reliability: As attacks on the healthcare industry increase and public awareness grows, so does the number of solutions offered by cybersecurity vendors, many of them capitalizing on the industry's exposure. With so many options to choose from, organizations need to vet solutions closely to determine which ones actually deliver value.
- What are the benefits?
While cybersecurity tends to be reactive, offensive cybersecurity practices have a variety of benefits.
- Filling the gaps in traditional cybersecurity programs: To prove the effectiveness of antivirus software, an attack must occur, such as the download of a malicious file. In those cases the organization only learns how the attack happened after the damage has been done. By diversifying tactics to include offensive cybersecurity, organizations can find and remediate the underlying weaknesses first and prevent such incidents.
- Helping your team improve response times: Even organizations with active threat monitoring can shorten their response times when real incidents occur. When offensive teams simulate attacks, the organization can measure how quickly and effectively the rest of the security staff detect and respond, and where they need to improve. "Practice makes perfect" applies here: the ability to act quickly is critical, and teams must be prepared for when, not if, an incident occurs.
- Bringing a hacker's perspective to corporate training: Companies should consider including offensive cybersecurity experts in their security training. Traditional programs often focus only on what employees can and cannot do, failing to deepen their understanding or hold their interest. Offensive experts know the attacker's perspective and can explain why specific practices are required and how each contributor's vigilance plays a vital role in the security of the entire organization.
For example, instead of handing down rules such as "don't click on links or download attachments in emails" without context, offensive cybersecurity experts can explain how attackers use these methods against users and their systems. Users then do more than follow an ever-growing list of rules: they apply that understanding to the emails they handle every day and become better at spotting phishing attempts.
Every minute of downtime can compromise the health and safety of patients and cause financial losses to healthcare organizations. As the threat landscape continues to evolve and grow more complex, organizations need to think about cybersecurity from every angle. With strong defensive and offensive practices, hospitals and clinics can better protect their networks, their organizations, and the patients they serve every day.
About Brian Montgomery
Brian Montgomery is an expert security engineer on Altera Digital Health's in-house penetration testing team, where he works to improve Altera's security posture and mature its offensive cybersecurity capabilities. A former hacker with the US Army and the National Security Agency, Brian holds a Master's degree in Cyber Security Studies and several technical certifications, including CISSP, GPEN, CEH, and Pentest+. He is passionate about spreading awareness of cybersecurity and related issues by approaching the industry from a hacker's perspective.