Case Study Security Consulting for Healthcare
Summary
Challenge
Wanting to understand the cyber risk exposure of a publicly facing customer portal, a Premier member health system reached out to Advyz for assistance.
Solution
Conducted a PEN test to scan for and identify vulnerabilities across the portal, and provided guidance on a Web Application Firewall (WAF) product solution to address near-term needs.
The Business Challenge
Our client, a $1.5B health system, operates a health information exchange that allows patients to share their records with community providers to facilitate continuity of care. Wanting to understand the level of risk that a publicly facing portal like this presents to their organization, our client sought the guidance of our cybersecurity experts.
The Solution
A publicly facing patient portal presents an opportunity for criminals to infiltrate the client’s systems and access patient data. In order to assess this risk and identify appropriate mitigation strategies, our team proposed conducting a Penetration Test (PEN test) to scan and identify vulnerabilities across the portal.
Based on the quality of our PEN test work and the level of cyber expertise demonstrated by our team, the member asked for guidance on what they should do in the immediate term. A Web Application Firewall (WAF) was identified as the product solution that would yield the greatest protection-to-investment ratio.
Penetration Testing
Approach
Our PEN test consists of red team activities that assess security controls, identify gaps, and surface the opportunities an attacker could use to reach sensitive data (both proprietary and patient data).
A vulnerability and discovery scan of the client’s patient portal revealed vulnerabilities across the environment. We then conducted extensive manual testing leveraging our bank of test cases developed over the past 20 years.
Result
We delivered a comprehensive report that documented detailed findings, as well as recommendations for remediation organized by criticality and type (e.g., patching).
Security Product Selection
Approach
e360 is vendor agnostic, taking a trusted advisor approach to client security product selections. To help the Premier member select a WAF technology, we prepared a report comprising industry use cases, top 10 WAF products, and our product recommendation based on their specific issue and environment.
Result
Upon review of the WAF report, the member asked us to lead product acquisition with the vendor. Our knowledgeable security practitioners developed proofs of concept (POCs) and use cases for both products. We worked with the manufacturers to find a solution that addressed the use cases and was a business and technical fit for the member, and then presented the solutions to the member for final product selection.
The Impact
Valuing our holistic approach to cybersecurity – marrying people, process, and the right technology to suit organizational risk and culture – the member asked e360 to help with several strategic cyber programs, including a HIPAA assessment, as well as maturity assessments, recommendations, and implementation enhancements to their enterprise-wide Security Operations Center (SOC) and Governance, Risk, and Compliance (GRC) programs.
e360’s consultative approach, coupled with our deep technical and industry expertise, enabled us to respond to the member’s immediate security concerns and to partner with them as a trusted advisor for long-term security planning.