What Health Systems Need to Consider When Starting a Bug Bounty Program

Healthcare is one of the most targeted industries for cyberattacks, as personal health information (PHI) is among the most profitable commodities on the dark web. Yet, as healthcare organizations and patients increasingly adopt new digital health technologies, they open up new attack vectors for bad actors to exploit.

According to a recent study, vulnerabilities in health IT infrastructure increased 341% from 2017 to 2018. And they are expected to continue to rise in the future. To help keep health data secure, information security teams at health systems should investigate how adding crowdsourced security to their cybersecurity program, such as a bug bounty program, could support their strategy.

A bug bounty program takes a continuous testing approach. Unlike traditional penetration testing, which has a set amount of time to do an exercise, security researchers participating in a bug bounty program can spend as much time as they need to find bugs. Bug bounty programs better simulate the time and effort that attackers put forth, as they don’t have these same time constraints. While not a replacement to a traditional pen test, bounties can help augment testing strategies.

However, to run a successful program, health systems need to consider a number of factors:

Test Devices and Systems in Isolated Environments

Although industry regulations, such as HIPAA, can make adopting bug bounty programs challenging, security teams can overcome this by isolating the testing environment from any part of the network that uses real data. This reduces the risk of exposing PHI to researchers while letting them test in a meaningful way.

Creating an isolated testing environment also avoids breaking a system or device unexpectedly, or accessing a device or system that stores real PHI. For example, a researcher should not be trying to compromise operating room machinery during a procedure. Devices must be tested in a sanitized, safe environment — even on a separate network from real devices — using test data that will not affect a patient or clinician.

Be Ready for More Volume

Once the bug bounty program launches, organizations should expect to receive a large volume of vulnerability submissions that will consume time and energy to review. The submission instructions should give the researchers as much information, data and direction as possible, so it’s not a complete black box to them when they’re testing.

But they may not follow the instructions. They will want to test anything and everything.

Some reports won’t be well articulated or in the requested format, so it will be difficult to understand what the researcher has done. There will be a lot of false positives and garbage submissions, yet it will be important to review all of them to not miss a critical vulnerability.

To help with this, health systems should check if the company hosting their bug bounty program offers the service to triage and review all the submissions. It is worth the investment, but the security team will still need to validate the submissions that make the cut. It’s also recommended to start with a private program to understand and become familiar with the processes, and not be inundated with submissions before moving to a public program.

Structure Rewards, So It Is Worth a Researcher’s Time

Low monetary rewards will not incentivize researchers to spend the amount of time and energy it requires to test complicated healthcare-related systems. Rewards up to only $1,000 will get the types of low-level vulnerabilities that usually affect web applications.

To find critical vulnerabilities that could significantly impact customers, it is important to offer rewards for critical-level vulnerabilities between the $15,000 to $20,000 range. This will attract the researchers who will spend the time, which could be weeks or even months of testing, to understand how a technology platform works to find a high-level vulnerability.

That said, health systems shouldn’t aim this high from day one. They should start with low rewards and plan to scale their program over time as they become comfortable with the volume and nature of the submissions.

Reports show crowdsourced security, like bug bounty programs, can help uncover 10-times more vulnerabilities than traditional assessment methods. In an industry that is targeted heavily by attackers, and where protecting sensitive data becomes the highest priority, health systems must adopt crowdsourced security as another layer in their cybersecurity strategy.

About the Author: Ben Waugh is the chief security officer at Redox, which accelerates the development and distribution of healthcare software solutions with a full-service integration platform to securely and efficiently exchange healthcare data.

Get the best insights in digital health directly to your inbox.

Related

Ransomware Attack Forces 3 Hospitals to Turn Away Patients

URMC Pays $3M to OCR for Mobile Device HIPAA Violation

Phishing Attack Jeopardizes the Medical History of 130K