Feature | Cybersecurity | May 06, 2019 | Maxim Chernyak

How to Protect Health Data With Security Testing Automation

According to the National Association of County and City Health Officials, only 33 percent of the organizations plan against cybersecurity threats and initiate patient identity protection protocols.

As the National Association of County and City Health Officials states, healthcare breaches remained costly and disastrous for organizations in 2018. Each exposed patient record can cost up to $400, and hackers always try to access the medical information of hundreds of thousands of patients at once. Meanwhile, the Association also notes that only 33 percent of organizations plan against cybersecurity threats and initiate patient identity protection protocols.

Cybersecurity Threats Rolling Over Into 2019

Certainly, 2019 will only add fuel to the fire. Some of the most expected healthcare cybersecurity threats for this year are associated with increased personalization and selectivity, as well as social engineering. In particular, the trends lean toward malicious actors exploiting increasingly blurred boundaries between professional and personal activities. When people use their work accounts for accessing personal resources or follow the bring-your-own-device (BYOD) policy without precautions, it may lead to accidental data exposure or offer hackers a gateway into the individual’s workplace network.

Additionally, phishing is expected to become an even more advanced hacking approach, with scammers tailoring their emails and messages using the person’s information available from ad preferences and social media presence. We also should not forget about the ever-rising tide of identity theft, in which hackers access the Social Security numbers and credit card data of their victims.

This increased focus on personalization in healthcare cybersecurity threats puts the majority of healthcare organizations in even greater danger. Apart from direct and blunt software attacks, hackers will target the human factor as well, trying to compromise data from the inside. If providers are unable to defend themselves even at a basic level, they will not be able to allocate resources for further planning and mitigation of emerging threats.

So, the first step towards avoiding patient data breaches and cutting settlement fines should be regularly eliminating known threats and system vulnerabilities with the help of security testing automation. Testing automation brings a major advantage for ensuring a provider’s infrastructure security. It tackles the basics, identifying the most probable bottlenecks in different components of a single system as well as detecting integration loopholes between disparate applications and platforms.

Testing automation is not a silver bullet for healthcare system security assurance and should go together with other testing techniques for greater efficiency. However, it can cross out the known vulnerabilities to spare security testers’ time for exploratory testing and mitigating up-and-coming threats.

Below is an example of a roadmap for successful security testing automation. It shows possible applications, limitations, and the processes that go beyond automated security tests.


Starting From a Thorough Health IT Asset Survey

Healthcare organizations’ internal IT infrastructures are systems with many elements, and each should be identified prior to testing automation. This inventory includes not only PCs, storage, servers, and installed software, but also corporate (or, in the case of BYOD, personal) mobile devices and medical devices.
By mapping and understanding these physical assets, their location, purpose, and the applications they run, security specialists can evaluate the risks and prioritize their testing activities.
Each asset’s risk can fall into one of the following categories:
   • Components (OS, firmware, patches, external applications)
   • System-wide changes
   • New software configuration errors

Risk categorization allows organizations both to find and to focus on the most pressing vulnerabilities. It also helps to navigate the more common problems in healthcare software security, such as unpatched operating systems, poor authentication, inadequate security protocols, weak passwords and more.
Although quite trivial, these vulnerabilities might be the first target for hackers. Knowing that healthcare organizations can lack strong security policies, cybercriminals can resort to simpler attacks and still succeed in gaining unauthorized data access. On the other hand, security testing specialists can automate continuous scanning and even eliminate such vulnerabilities.


Automating Cyber Security Tests

Based on the defined risks, security testing specialists can then segment the tasks for testing automation into functional, non-functional, application and infrastructure security scanning, as well as application logic testing groups. The testing teams can also define the success criteria to ensure that critical vulnerabilities are addressed in a way that benefits the organization in question.

One of the best practices implies that each application assigned for testing automation can be broken down into functions. This approach offers substantial application test coverage and helps to identify different vulnerabilities more effectively. Furthermore, security testing specialists can rank the vulnerabilities found according to their severity and plan fixes accordingly, either in a single upgrade or through multiple patches.

Launching Mock Cyber Attacks

While the series of automated tests helps to reveal vulnerabilities in certain system components, it still cannot ensure that the whole system will withstand a possible breach. To make sure that malicious activities do not lead to data exposure or theft, security testing specialists should initiate a mock-attack. It often focuses on such security basics as SQL injections, URL redirects, and open ports in the firewall.

Security testing teams should also identify sensitive systems that can disrupt care delivery in case of an attack. Such systems can be devices related to acute patient care or surgery, for example, anesthesia monitors or dialysis machines. Depending on their sensitivity, such applications or physical assets should be tested with limitations, or should not be targeted during the mock-attack at all, to ensure patient safety.

Mock-attacks should be repeated from time to time to cover emerging vulnerabilities with system updates, new applications and devices. Certainly, they should be automated to save time and effort. This way, security testing specialists will be able to create a case scenario and then just tweak it to cover more variables instead of manually repeating the full processes. 

Beyond Security Testing Automation

Once infrastructure security testing automation is in place, security testers will have a whole knowledge base of the organization’s vulnerabilities, their range and severity. This information can be used as a foundation for further automation, such as for:

   • Security workflows
   • Continuous security monitoring tools
   • Threat detection for preventing breaches
   • Threat response

Best practices of care delivery keep changing, so health IT systems support flexible updates and upgrades by default. Yet each new component in such a system creates both a promise and a potential vulnerability. Therefore, security testing should be considered an ongoing process to be enhanced, tweaked and repeated regularly.

Certainly, providers should also consider using manual testing tools to explore upcoming threats and complement their automated testing results, occasionally shifting their focus between different activities. Only by staying flexible can healthcare organizations protect themselves from both basic and more advanced threats.

Editor’s note: The author, Maxim Chernyak, is head of the test automation and performance testing lab at A1QA and an expert in test automation methodologies and tools for functional and nonfunctional testing. He is accountable for the education and adoption of state-of-the-art quality engineering practices by QA teams.
