A regional hospital and healthcare provider with multiple small, medium and large facilities wanted to determine where their facilities, services and information were susceptible to a motivated attacker. The organization had an active information security program, but their leadership wanted a third-party evaluation to be performed. Experis was asked to use a variety of realistic attack methods to assess the adequacy of the security measures without disrupting business or patient services.
We used a tailored version of our proven vulnerability assessment and penetration test methodology to initially probe the defenses of the organization in a covert manner, and then followed those tests with additional methods designed to validate the vulnerabilities discovered and determine the potential risks and impacts if the issues were exploited by attackers. A Rules of Engagement document was developed in cooperation with the client to explicitly define the parameters and scope of each test and the test windows when execution would occur.
A highly skilled security professional developed the specific attack scenarios and depth of testing to be conducted for each test, and reviewed the plan with the client. Our team executed the initial tests covertly, then followed up with additional focused tests and exploit verification of the discovered weaknesses.
In addition to the electronic testing, a phishing test and facilitated walkthroughs of several facilities were conducted to assess the level of employee awareness and review the physical safeguards for additional attack surfaces that could be exploited.
Our team exposed several significant weaknesses in the physical, electronic and behavioral measures used to secure the facilities, internal and external networks, and critical information systems. We provided a detailed report and a set of pragmatic recommended actions the client used to address the root causes of each issue. Our recommendations enabled the client to quickly and significantly reduce their levels of business risk and exposure from cyberattacks.