The Importance of Penetration Testing for Medical Software and Medical Device Vendors

As a healthcare vendor, it is important to know whether, and how, your software or products expose your clients, their patients, and your reputation to risk. The integration of medical software and devices with the IoT, also known as the internet of medical things (or IoMT), has made it easier and safer for healthcare professionals to care for patients. However, the proliferation of the IoMT provides a growing attack surface for malicious users, as each device or piece of software is a potential entryway into the system.

The Dangers of IoMT Vulnerabilities

Medical data has always been a high-value target for malicious users. After all, medical providers store personal information, including payment information, which can be used or sold on the black market for a high price. But now the stakes are even higher – hackers could take control of devices. In 2017, the FDA issued an alert for 745,000 pacemakers because of a vulnerability that would allow hackers to either change the pace of the pacemaker or run down the battery so that it would stop working.

These types of security failures can have massive repercussions in terms of both regulatory fines and reputational damage, for both healthcare facilities and vendors. In terms of fines, the healthcare industry has the highest per-record cost at $150 per breached record, and the highest average cost at $7.13 million per breach. But we don’t need to throw out the baby with the bathwater. The problem isn’t the devices or software themselves, but the vulnerabilities that they possess. While there’s no cure-all, penetration testing allows you to check for vulnerabilities and patch them before malicious users find and exploit them.

Penetration Testing: A Physical for the IoMT

While various compliance regulations require penetration testing (or pentesting) in the medical industry, it’s also considered a best practice to make sure your software, your devices, and your business are as secure as possible. Pentesting is like a physical: it tests your system to make sure there are no unhealthy gaps that can lead to viruses or other health concerns.

Why Pentesting?

Pentesting involves a simulated cyber attack on your system. It can be conducted through passive and active measures. Passive measures involve gathering information about potential holes in your system without directly interacting with any assets. Active measures involve attempting to breach assets: testing your firewall, intrusion detection system (IDS), authentication servers, live IP addresses and their permissions, phishing vulnerabilities, endpoints and servers, and anything else connected to a network that could be used as an entry point for cyber attacks. In the case of medical vendors, you want to perform regular penetration testing on your network, the web applications that you create, and the devices that you manufacture.

Pentesting for Medical Vendors

Because medical technology is an investment for facilities like hospitals and clinics, it is purchased with the intent to have a long lifespan. This is why it’s particularly important to regularly conduct pentesting on your products. It’s a show of good faith and credibility to your customers that you are actively seeking to discover and remediate vulnerabilities that could affect them, in addition to being part of best practices and regulatory compliance in the healthcare industry.

At a minimum, organizational pentesting should be done once a year. But more frequent testing provides greater certainty – for you and your customers – that your attack surface is protected. Besides annually, you should also conduct tests after major changes to your network environment, such as infrastructure upgrades, changes to the way you accept or store data, and major software updates to web apps or devices. Even seemingly small changes can affect your larger network, which potentially opens up new vulnerabilities.

Leave It to the Experts: Pentesting with NaviSec

Many companies conduct pentesting internally. While this may save money in the short term, it can have long-term consequences. The reason is simple: it’s hard to see your own faults. Hiring an impartial third party to conduct your pentesting has the benefit not only of allowing full-time experts to check for vulnerabilities, but also of having someone explore your vulnerabilities from different angles than your own team might.

NaviSec offers expert cybersecurity as an investment in your products and brand name. Through Delta, our offensive security arm, we conduct pentesting in conjunction with a full vulnerability assessment and an easy-to-digest executive report. Our world-class team of engineers is experienced at finding vulnerabilities and making sure your network and products are as secure as possible. We have a proven track record and have developed proprietary tools, as well as using tools that are widely trusted in the industry. Using these tools and their know-how, our engineers conduct a combination of passive and active measures based on each client’s security needs to discover vulnerabilities before malicious users can. Our mentality is that we’re not working to check a box for compliance purposes but to make you and your customers more secure.

For more information on pentesting with NaviSec or for a demo, contact us.