Private Hospital requires Governance on a Budget
Industry: Canadian Healthcare
Location: Toronto, Ontario, Canada
Size: 200 employees
Reason: Not large enough to require a full time CISO but still needs governance
Effort: Full time for about 3 weeks, conducting Pen Test, Vulnerability, and PIA.
Ongoing 3 days (roughly 24 hours) / month
This private hospital has been a cornerstone of Canadian specialized healthcare for half a century. They have always been on the leading edge of medical technology, but have shied away from having a significant Internet presence, both due to the understood risks, as well as the fact that their legacy in the healthcare field meant they have never really had to advertise or look for clients.
The founder has recently decided that it would be prudent to provide a means for staff and patients to communicate with one another and share documentation. I'll admit that I wish they had contacted us or one of our peer Cyber Security companies *before* developing their portal, but at least they had the foresight to contact us prior to its public launch.
After an afternoon Cyber Security discussion with the hospital founder and his executive and IT staff, we offered a combination of a Blackbox Penetration test, an internal Vulnerability assessment, and a Privacy Impact assessment to identify the various risks and any potential gaps in the associated security controls.
All in, the assessments took about two weeks to complete. A few deficiencies *were* found in the portal's Internet presence, which is to be expected. We provided remediation guidance quickly, even before we finished the assessment, and the portal developers were able to close the issue immediately. A follow-up spot check validated the remediation.
We *did* end up delaying the hospital's published launch date for the portal by a couple of weeks; however, they were grateful for closing a hole in their app that would have been easily identified by an attacker through automated reconnaissance.
The First 30 days:
Our Cyber Security Advisor brought in a pair of our seasoned Ethical Hackers to work directly with the hospital's IT staff and their third-party portal development team to set the parameters for the Blackbox Penetration Test, set a schedule, alert their ISP, and provide guidance for monitoring.
In parallel, we conducted a series of interviews and document reviews to understand and identify any deficiencies in their internal Cyber Security and Privacy Controls measured against both Canada's PIPEDA as well as PHIPA requirements.
As part of validating the internal Cyber Security Controls, we conducted a full Network Vulnerability Scan to identify any outstanding software or firmware patches or systems that have become "end-of-life". This also gave us a good validation of the hospital's network-connected computing assets.
After a few portal modifications, and some patching and updates internally, we were able to provide the hospital with a clean bill of health. The hospital received both executive reports written in the language of business risk, as well as the associated technical reports identifying each deficiency by criticality, with remediation advice and priorities on a roadmap.
The Next 60 days:
The hospital signed a contract to retain our services over the next couple of months to assist in the remediation and subsequent validation testing, ensuring that all deficient Cyber Security Controls were corrected.
Beyond the 90 days:
Once we provided sign-off that the identified deficiencies had been corrected, we proposed, and had accepted, a T&M retainer-based service agreement to provide regular Cyber Security advice and guidance to the hospital's IT and executive staff.
We have set up a cadence of short bi-weekly conference calls, and our security analysts are providing staff augmentation to the hospital's IT team.
We are now in a position to provide periodic Governance, conduct quarterly reviews/trend analysis, and provide external threat intelligence. Our analysts will continue to monitor the network for anomalies and ensure that the various security processes are in place and functional.
Benefit to Client:
Previous Case Studies in this Series:
Case Study #1 - Cellular Communications Provider in Merger & Acquisition
Case Study #2 - Fintech Service Provider requires Interim CISO
Case Study #3 - Software Startup requires Governance on a Budget
Case Study #4 - Wealth Management Company with Poor MSSP Contract
Case Study #5 - Small Family Law Firm concerned about Privacy Breaches
Case Study #6 - Logistics - Transportation company denied Cyber Insurance