Cybersecurity in healthcare: practical actions to minimise exposure to cyber threats – Partner Content


The systems and data of healthcare organisations in Australia are prime targets for malicious actors, with the Australian Signals Directorate noting recently that healthcare and social assistance was the highest non-government reporting sector for cyber incidents in 2023-24.  



“Healthcare organisations face three primary cybersecurity challenges: ransomware attacks that disrupt services and compromise patient data; data breaches that may involve sensitive patient information; and the complexity of balancing patient confidentiality and operational transparency,” said Chu Canh Chieu, Global Head of Healthcare Vertical Industry, FPT Software. 

“FPT Software has a proven record in Australia and internationally of helping organisations in this industry address these concerns.”  

A security assessment to remediate vulnerabilities

A key example is a security assessment undertaken for a telehealth service provider with an AWS-deployed system that comprised:

A web portal for doctors and administrators to manage patient information, schedule consultations, and monitor health conditions. 

An iOS and Android mobile application for patients to input health data such as weight, heart rate, and blood pressure.

The project involved a security assessment that enabled the service provider to identify and remediate vulnerabilities that could compromise patient data and disrupt operational workflows. To undertake the project, FPT Software simulated an attack on the system to uncover exploitable vulnerabilities. After identifying the issues, the vendor provided remediation guidance to the provider and re-tested the system to ensure all vulnerabilities had been mitigated without introducing new security risks.

During the assessment, FPT Software discovered multiple vulnerabilities, the most critical of which was an access control flaw in the provider’s account registration system. This issue enabled unauthorised individuals to create admin or doctor accounts without proper authorisation, and an attacker holding such a self-created account could then gain unrestricted access to patients’ health data within the system.

Having identified the vulnerability, FPT Software implemented a range of remediation measures, including:   

  • Reevaluating the access control design and developing a middleware solution to enforce centralised access control for all admin-level API requests, and
  • Conducting a comprehensive review of the access control implementation to ensure alignment with business requirements.

As a result, FPT Software and the provider were able to remediate the identified vulnerabilities within the required timeframe to ensure product security.
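To make the remediation concrete, here is an added example (not FPT Software’s or the provider’s code) contrasting a registration handler that trusts a client-supplied role with a hardened one, plus a centralised middleware that gates every admin-level route; the route paths, role names and request shape are assumptions.

```python
from typing import Callable, Dict, Optional

PRIVILEGED_ROLES = {"admin", "doctor"}   # assumption: the roles the portal distinguishes
USERS: Dict[str, dict] = {}              # in-memory user store standing in for a database


class Request:
    """Minimal stand-in for an HTTP request: path, parsed JSON body, and the
    authenticated user (None when unauthenticated)."""
    def __init__(self, path: str, body: dict, user: Optional[dict] = None):
        self.path, self.body, self.user = path, body, user


def register_vulnerable(req: Request) -> dict:
    # The flaw described above: the role is taken from the client-supplied body,
    # so a self-registered user can simply claim to be "admin" or "doctor".
    role = req.body.get("role", "patient")
    USERS[req.body["email"]] = {"role": role}
    return {"status": 201, "role": role}


def register_hardened(req: Request) -> dict:
    # Self-registration only ever creates a patient; privileged roles are granted
    # later through an admin-only path, never chosen by the registrant.
    USERS[req.body["email"]] = {"role": "patient"}
    return {"status": 201, "role": "patient"}


def list_patient_records(req: Request) -> dict:
    return {"status": 200, "records": ["rec-001", "rec-002"]}  # constructed sample data


ROUTES: Dict[str, Callable[[Request], dict]] = {
    "/api/register": register_hardened,
    "/api/admin/patients": list_patient_records,
}


def dispatch(req: Request) -> dict:
    """Centralised access-control middleware: every route under /api/admin/ is
    gated here by path prefix, so a new admin endpoint cannot forget its check."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return {"status": 404}
    if req.path.startswith("/api/admin/"):
        if req.user is None:
            return {"status": 401}
        if req.user.get("role") not in PRIVILEGED_ROLES:
            return {"status": 403}
    return handler(req)
```

The prefix check means the authorisation decision lives in one place that a code review can verify, rather than being repeated (or omitted) in each handler.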

Assessing security compliance

FPT Software has also undertaken a security assessment of a client’s healthcare products to determine whether they met additional US Food and Drug Administration cybersecurity requirements. 

The obligations, which arose at the end of 2023, demanded the client submit security testing documents and other materials in premarket submissions for five products.

The FPT Software security assessment entailed:     

  • Tailoring a penetration testing scenario to meet FDA requirements.
  • Developing a testing checklist based on the OWASP Desktop App Security Top 10 and the OWASP Application Security Verification Standard.
  • Undertaking penetration testing on products as requested by the customer.
  • Providing recommendations to address security findings.
  • Validating post-fix findings.

The engagement entailed identifying and mitigating:

  • seven critical severity issues,
  • 12 high severity issues, and
  • 66 medium severity issues.

The consulting firm is also designing security solutions to address intellectual property challenges (such as license cracking and leakage of sensitive information through source code), access control issues (such as lack of authentication, lack of access control and insecure access control design), and communication problems (such as the use of insecure connection methods and the opening of unnecessary services).

Key cybersecurity challenges that healthcare organisations experience today

These two examples showcase the fact that many healthcare organisations struggle with cybersecurity due to deep-rooted vulnerabilities in their systems and operational processes. Many organisations rely on periodic security audits rather than real-time threat detection, leaving them exposed to escalating, undetected cyber threats.

Also, without automated detection and mitigation tools, responses to cyber incidents may be delayed, increasing the risk of data breaches and system downtime. Healthcare organisations also frequently lack the intrusion detection and prevention systems needed to detect and stop attacks before they do damage and rely on outdated encryption methods and unsecured data transfers that put sensitive patient information at risk.

In addition, third-party service providers and vendors with weak security controls can become entry points for cyber threats, while weak or outdated access control policies and a lack of multi-factor authentication increase the risk of unauthorised access. Finally, adhering to complex regulatory requirements can be challenging and may, for some healthcare organisations, lead to security gaps that escalate legal and reputational risk.

Empowering proactive cybersecurity with scalable, cost-effective solutions

Penetration testing can play a critical role in uncovering vulnerabilities before they can be exploited, and FPT Software offerings include scalable, agile and cost-effective penetration testing as a service; red-teaming exercises that simulate attack scenarios to test organisations’ responses; security control reviews to identify gaps and recommend compliance and risk management measures; and integrating security best practices into software development and deployment to reduce the incidence of vulnerabilities.

The business also offers a strategic assessment to help organisations align cybersecurity programs with business goals, and a range of cutting-edge solutions to address evolving cybersecurity challenges, including SOC as a Service and Managed Extended Detection & Response.

With FPT Software, organisations can take advantage of actionable intelligence, active defence, cost-effective security, 24/7 expert monitoring and strategic risk management to effectively address today’s fast-changing threat landscape.


