Why It’s Time to Go on the Offensive with Healthcare Cybersecurity

Being an avid soccer fan, player, and coach, I’ve heard countless times that “the best defense is a good offense.” As a cybersecurity professional, the concept of taking active steps to improve your team’s position resonates. However, cybersecurity programs within and outside the healthcare industry typically focus on reactive approaches. 

The stakes are too high in healthcare to wait for a hacker to strike your organization, and meanwhile, the scale and scope of cyberattacks continue to grow. In 2023, more than 700 healthcare data breaches affected 133 million people in the U.S. 

The underutilized concept of offensive cybersecurity offers practical solutions when healthcare organizations understand and adopt this approach.

1. What does offensive cybersecurity entail?

Organizations that look for vulnerabilities in their systems before cyber threats can exploit them use offensive cybersecurity, a specialization within the cybersecurity umbrella. These different probing and testing methods mimic how real malicious actors would compromise an organization.

Vulnerability assessments, one type of offensive cybersecurity test, help organizations identify points of weakness attackers could exploit. To conduct these tests, organizations use scanning software and services to evaluate how their assets stack up against any known security vulnerabilities. Considered another layer on top of vulnerability assessments, penetration testing (also known as “pen testing”) determines the extent of exploitable detected vulnerabilities, such as weak encryption or missing patches, and can show the impact of these weaknesses if exploited by attackers.

“Red teaming” is another type of offensive cybersecurity and ranks as the most involved of these methods. “Red teams” are internal offensive cybersecurity groups that simulate adversaries as closely as possible to reality by trying to avoid detection and attacking the organization’s networks and systems. This tests not only the security posture of the networks themselves but also the vigilance of other security personnel within the organization. 

What does this vigilance look like in a healthcare setting? 

Let’s say that Dr. Smith works in a Chicago-based hospital, and a cybersecurity team member sees an alert that her credentials were used to access the electronic health record system in Atlanta. It would be prudent for the cybersecurity professional to contact Dr. Smith to confirm if she’s traveling and logged in to complete documentation on the road. If not, the account may need to be disabled to determine if a breach has indeed occurred. 

No matter how advanced your security controls may be, there is still room for human error—and, in turn, a need for vigilance among the entire security team.

2. Why is it underused?

Despite the benefits of proactive cybersecurity measures, healthcare organizations only sometimes use these techniques. 

Budget: Constrained budgets challenge the introduction of new technological solutions, cybersecurity or otherwise, that do not directly contribute to an organization’s bottom line. Given the resources needed for comprehensive offensive cybersecurity programs, it’s not surprising these cybersecurity solutions lack the attention and funds they genuinely warrant. 

Knowledge: A lack of knowledge about the depth and breadth of cybersecurity tactics is another hurdle to their implementation. While general cybersecurity awareness has grown considerably among nontechnical professionals in recent years, many need to learn the ins and outs of the emerging field of offensive cybersecurity. Internal cybersecurity teams that want to begin or expand their offensive efforts should educate their organizations and leadership teams on their value to get buy-in and additional support.

Credibility: As cyberattacks and general awareness have grown in the healthcare industry, so too has the number of solutions from cybersecurity companies. Vendors capitalize on the industry’s vulnerability, and with so many options, organizations must scrutinize solutions even more closely to determine what will bring actual value.

3. What are the benefits?

While cybersecurity tends to be reactive, offensive cybersecurity and barrier practices have multiple advantages. 

• Fill gaps in traditional cybersecurity programs: An attack (e.g., downloading a malicious file or piece of malware) must occur to prove the effectiveness of anti-virus software. In these instances, organizations can only determine how the attack happened after the damage is already done. By diversifying tactics to include offensive cybersecurity, organizations can fix security issues and help prevent those incidents. 

• Help teams improve response times: Teams can improve their response times should an actual incident occur, even for organizations with active threat/security monitoring programs. When the offensive cybersecurity team simulates an attack, the organization can measure how fast and effectively other security personnel detect and respond to it and improve. The concept of “practice makes perfect” drives this home. The ability to act quickly is critical so teams are ready when, not if, an incident occurs.

• Involve a hacker’s perspective in corporate training: Organizations should consider involving offensive cybersecurity professionals in their corporate training. Traditional training programs often only focus on what employees can and cannot do, which doesn’t improve their understanding of cybersecurity or hold their interest and attention. Because offensive cybersecurity personnel understand hackers’ perspectives, they can help employees understand why certain practices are required and how the vigilance of each contributor plays a role in the security of the entire organization. 

For example, instead of providing rules like “don’t click on links or download attachments from emails” without context, offensive cybersecurity professionals can explain how hackers use these avenues to attack users and their systems. Thus, rather than just trying to follow an ever-growing set of rules, users are empowered to better defend against phishing attacks when they review emails daily.

Every minute of downtime can compromise patient health and safety and incur financial costs to healthcare organizations. As the cyber threat landscape continues to evolve and become more complex, organizations must think about cybersecurity from all angles. Hospitals and practices can better protect their networks, the organization, and the patients they serve daily with a strong defense and offense. 

About Brian Montgomery

Brian Montgomery is an Expert Security Engineer on Altera Digital Health’s internal penetration testing team. An ex-hacker for the U.S. Army and the National Security Agency, Brian obtained his master’s degree in cybersecurity studies and has obtained several technical certifications, including CISSP, GPEN, CEH, and Pentest+. Montgomery has a passion for helping spread awareness of cybersecurity and its related issues by focusing on the cybersecurity industry from the mindset of a hacker. With this mindset, he works on Altera’s internal penetration testing team improving Altera’s security posture and maturing its offensive cybersecurity capabilities.