Chad Peterson
- Standard 45 CFR 164.308(a)(1)(i): Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
- Implementation specifications 45 CFR 164.308(a)(1)(ii)(A): Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
- Standard 45 CFR 164.308(a)(8): Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.
Within this section, you will also find standards and implementation specifications around workforce security, information access management, security awareness training, and contingency planning. All of which can be evaluated and validated through a variety of offensive security engagements, such as pentesting, red teams, breach and attack simulation, or social engineering engagements.
HIPAA does a great job highlighting the requirements clearly, without providing actionable steps to achieve compliance. To help, we put together a checklist to ensure your security testing program meets the needs of Security Rule.
HIPAA Pentesting Checklist
Continuous Penetration Testing
HIPAA requires “periodic” evaluations, particularly in response to environmental or operational changes. The rate of change in healthcare environments has increased exponentially over the years. Continuous pentesting can take form of more frequent tests enabled by a penetration testing as a service (PTaaS) delivery model, or through an attack surface management platform. As a rule of thumb, key moments of change could include version upgrades of software that houses ePHI or architecture changes. At the very least, perform penetration tests on a quarterly basis.
Risk Prioritization, With an Emphasis on Application Security
Are you targeting the applications that pose the greatest risk to your sensitive health information? A pentest that meets HIPAA standards should not stop at vulnerability discovery. Whether you are pentesting internally or working with a third-party partner, work together to identify which application pentests should be prioritized – and, more importantly, align on vulnerability severity definitions and remediation timelines based on your organization’s risk profile.
Validation of Security Controls
It is important to note that pentests can and should also be used to validate your security controls. Are your pentests alerting you to flaws and policy gaps within your identity and access management, threat detection, and other security controls implemented? Additionally, consider breach and attack simulation (BAS) platforms to help evaluate and improve the effectiveness of your detective controls. Learn about the top use case for BAS technology in this Gartner report.
Comprehensive Reporting and Historical Data
Standard 45 CFR 164.316(a) in the HIPAA Security Rule highlights the policies and procedures and documentation requirements. According to the standard, healthcare organizations must maintain a written record of each action, activity, or assessment. They also must retain documentation for six years from the date of its creation. Bonus points to pentesting partners who track and trend historical pentesting reports in a single platform.
The Relationship Between Pentesting and Privacy
HIPAA and other privacy regulations (GDPR, FERPA, CPRA) are in place to protect data from being exposed to unintended recipients. To accomplish this, these regulations all require that an organization's IT Infrastructure must be secure.
As privacy regulations and standards have evolved, I’ve found that if you are compliant with PCI DSS and are HITRUST certified, it is likely you will be HIPAA compliant as well. Both are significantly more prescriptive and actionable than the HIPAA rules and can help you proactively secure ePHI.
Securing an IT infrastructure involves many steps that we will not get into here, but instead will concentrate on how to ensure that an environment remains in a constant state of security. Regular and sometimes continuous penetration testing is the most effective way to provide continued assurance.
Penetration Testing is used to identify how a hacker can gain access to an environment and provide an organization with a roadmap of how to address those vulnerabilities and findings. Pentesting does not inherently make you secure; it makes you aware of your security flaws.
By conducting regular penetration testing, an organization can check that they have successfully remedied known issues and identify any new concerns due to new equipment, configuration changes, or even missed patches on software or hardware.
A Proactive Approach to HIPAA Compliance
Healthcare security and IT teams should approach HIPAA with a foundational mindset. The requirements outline what you should already be doing and thinking about on an ongoing basis.
Mature healthcare organizations have comprehensive vulnerability management and pentesting programs in place. Pentesting is a powerful first step towards compliance – when done right.
Be proactive, not reactive. Be a leader, not a pawn.
NetSPI’s penetration testing solutions can help you chart a clear path to HIPAA compliance. Contact us today.
[post_title] => Pentesting: The Forgotten HIPAA Requirement [post_excerpt] => xplore penetration testing’s critical role in HIPAA compliance and get our checklist for healthcare penetration testing. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => forgotten-hipaa-requirement [to_ping] => [pinged] => [post_modified] => 2023-05-18 12:54:50 [post_modified_gmt] => 2023-05-18 17:54:50 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=29464 [menu_order] => 100 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [5] => WP_Post Object ( [ID] => 29376 [post_author] => 108 [post_date] => 2023-01-31 09:00:00 [post_date_gmt] => 2023-01-31 15:00:00 [post_content] =>On January 31, NetSPI Managing Director Chad Peterson was featured in the SecurityWeek article called Cyber Insights 2023 | Attack Surface Management. Read the preview below or view it online.
+++
SecurityWeek Cyber Insights 2023 | Attack Surface Management – Attack surface management (ASM) is an approach for delivering cybersecurity. IBM describes the attack surface as “the sum of vulnerabilities, pathways or methods – sometimes called attack vectors – that hackers can use to gain unauthorized access to the network or sensitive data, or to carry out a cyberattack.”
ASM requires “the continuous discovery, analysis, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organization’s attack surface. Unlike other cybersecurity disciplines, ASM is conducted entirely from a hacker’s perspective, rather than the perspective of the defender. It identifies targets and assesses risks based on the opportunities they present to a malicious attacker.”
ASM is consequently predicated on total visibility of assets, vulnerabilities, and exploits.
Management is the key word in ASM
The complexity of the modern infrastructure makes the complete elimination of threats an impossible task. ASM is not about the elimination of all threats, but the reduction of threat to an acceptable level. It’s a question of risk management.
Chad Peterson, MD at NetSPI, believes the nature and effectiveness of pentesting will evolve over 2023, “The attack surface has become more fluid, so you have to be able to scan for new assets and entry points continuously,” he says. “In 2023, organizations will combine traditional pentesting, which in many cases will still be required for regulatory needs, with the proactive approach of more continuous assessment of their attack surface. The result will be better awareness of the attack surface and more comprehensive traditional pentesting as there is more information about the true attack surface.”
Read the full article at SecurityWeek!
[post_title] => SecurityWeek: Cyber Insights 2023 | Attack Surface Management [post_excerpt] => NetSPI Managing Director Chad Peterson was featured in the SecurityWeek article called Cyber Insights 2023 | Attack Surface Management. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => securityweek-cyber-insights-2023-attack-surface-management [to_ping] => [pinged] => [post_modified] => 2023-02-16 17:26:05 [post_modified_gmt] => 2023-02-16 23:26:05 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=29376 [menu_order] => 111 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [6] => WP_Post Object ( [ID] => 29248 [post_author] => 108 [post_date] => 2023-01-26 10:02:21 [post_date_gmt] => 2023-01-26 16:02:21 [post_content] =>On January 26, NetSPI Managing Director Chad Peterson was featured in the VMBlog article called Data Privacy Day 2023: Tips and Views from Top Industry Experts. Read the preview below or view it online.
+++
Data Privacy Day, an international "holiday" that occurs each year on January 28, was created to raise awareness and promote privacy and data protection best practices. Data Privacy Day began in the United States and Canada in January of 2008. It is an extension of Data Protection Day in Europe, which commemorates the January 28, 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.
Two years ago, the National Cybersecurity Alliance (NCA) expanded Data Privacy Day beyond just January 28th, and instead, many have chosen to celebrate it all week long. And they did so because your data is simply that important!
Data Privacy Day's educational initiative originally focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking. In addition to its educational initiative, Data Privacy Day promotes events and activities that stimulate the development of technology tools that promote individual control over personally identifiable information; encourage compliance with privacy laws and regulations; and create dialogues among stakeholders interested in advancing data protection and privacy.
With this in mind, VMblog has compiled some detailed perspectives, as well as some tips for better protection of sensitive corporate data, from a few industry experts ahead of Data Privacy Day 2023.
Chad Peterson, Managing Director, NetSPI
"Several privacy regulations (GDPR, HIPAA, FERPA, CPRA) are in place to protect data from being exposed to unintended recipients, however the increasingly sophisticated threat landscape means the focus in 2023 and beyond must be on on how to ensure that an environment remains in a state of security. The proliferation of social engineering attacks such as vishing and deepfakes makes employees and consumers particularly vulnerable to hackers, making the need for security education more and more important. By conducting regular penetration testing, an organization can check that they have successfully remedied known issues and identify any new concerns due to new equipment, configuration changes, or even missed patches on software or hardware."
You can read the full article at VMBlog!
[post_title] => VMBlog: Data Privacy Day 2023: Tips and Views from Top Industry Experts [post_excerpt] => NetSPI Managing Director Chad Peterson and other security experts shared tips and advice to raise awareness and promote privacy and data protection this Data Privacy Day. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => vmblog-data-privacy-tips-from-top-industry-experts [to_ping] => [pinged] => [post_modified] => 2023-01-31 10:12:46 [post_modified_gmt] => 2023-01-31 16:12:46 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=29248 [menu_order] => 115 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [7] => WP_Post Object ( [ID] => 27166 [post_author] => 65 [post_date] => 2022-01-18 07:00:00 [post_date_gmt] => 2022-01-18 13:00:00 [post_content] =>Today’s business environment extends far beyond traditional brick and mortar organizations. Due to an increased reliance on digital operations, the frequency and complexity of supply chain cyber attacks — also known as vendor risk management or third-party security — are growing exponentially. It’s apparent that business leaders can no longer ignore supply chain security.
Not only did we see an increase in supply chain attacks in 2021, but the entire anatomy of an organization’s attack surface has evolved significantly. With more organizations shifting to a remote or hybrid workforce, we’ve seen a spike in cloud adoption and a heavy reliance on digital collaboration with third-parties.
Over the past few years we’ve introduced many new risks into our software supply chains. So, how do we ensure we don’t become the next SolarWinds or Accellion? In this blog, we reveal four supply chain security best practices to get you started on solid footing.
First, understand where the threats are coming from.
With so many facets of the supply chain connected through digital products, organizations and security leaders need to understand which sectors are most vulnerable and where hackers can find holes — both internally and externally.
A recent study found that 70% of all breaches are caused by an outside force, and 17% were specifically from malware. This is to be expected. As software developers have been outsourced more frequently, the doors have opened to traditional malware attacks and breaches. Businesses need to understand how and where their resources can be accessed, and whether these threats can be exploited. However, malicious code detection is known to be very difficult. Standard code reviews won’t always identify these risks, as they can be inserted into internally-built software and mimic the look and feel of regular code. This is one of the biggest trends leaders must be aware of and fully understand which threats could impact their organization.
In addition to malware, hackers have begun attacking multiple business assets outside of an organization's supply chain through “island hopping.'' We’re seeing 50% of today’s cyber attacks use this technique. Security leaders need to identify and monitor island hopping attacks frequently to stay ahead of the vulnerability. Gone are the days where hackers target an organization itself — instead adversaries are going after an organization's partners to gain access to the initial organization's network.
Supply Chain Security Best Practices
How do organizations ensure they don’t become the weakest link in the supply chain? First and foremost, be proactive! Businesses must look at internal and external factors impacting their security protocol and implement these four best practices.
1. Enforce security awareness training.
Ensure you are training your staff not only when they enter the organization, but also on a continuous basis and as new business emerges. Every staff member, regardless of level or job description, should understand the organization's view and focus on security, including how to respond to phishing attempts and how to protect data in a remote environment. For example, in a retail environment, all internal employees and third-party partners should understand PCI compliance, while healthcare professionals need a working knowledge of HIPPA. The idea is to get everyone on the same page so they understand the importance of sensitive information within an organization and can help mediate a threat when it is presented.
2. Enact policy and standards adherence.
Adherence to policies and standards is how a business keeps progressing. But, relying on a well-written standard that matches policy is not enough. Organizations need to adhere to that policy and standards, otherwise they are meaningless. This is true when working with outside vendors as well. Generally, it’s best to set up a policy that meets an organization where it is and maps back to its business processes – a standard coherence within an organization. Once that’s understood, as a business matures, the policy must mature with it. This will create a higher level of security for your supply chain with less gaps.
In the past, we’ve spent a lot of time focusing on policies and recommendations for brick and mortar types of servers. With the new remote work and outsourcing increasing, it’s important to understand how policies transfer over when working with vendors in the new remote setting.
3. Implement a vendor risk management program.
How we exchange information with people outside of our organization is critical in today’s environment. Cyber attacks through vendor networks are becoming more common, and organizations need to be more selective when choosing their partners.
Once partners are chosen, security teams and business leaders need to ensure all new vendors are assessed with a risk-based vendor management program. The program should address re-testing vendors according to their identified risk level. A well-established, risk-based vendor management program involves vendor training — follow this three-tiered approach to get started:
- Tier one: Organizations need to analyze and tier their vendors based on business risk so they can hone in on different security resources and ensure they’ve done their due diligence where it matters most.
- Tier two: Risk-based assessments. The higher the vendor risk, the more their security program should be accessed to understand where an organization’s supply chain could be vulnerable – organizations need to pay close attention here. Those categorized as lower risk vendors can be assessed through automated scoring, whereas medium risk vendors require a more extensive questionnaire, and high-risk vendors should showcase the level of their security program through penetration testing results.
- Tier three: Arguably most important for long term vendor security. Re-testing vendor assessments should be conducted at the start of a partnership, and as that partnership grows, to make sure they’re adhering to protocol. This helps confirm nothing is slipping through the cracks and that the safety policies and standards in place are constantly being met.
4. Look at the secondary precautions.
Once security awareness training, policy, and standards are in place, and organizations have established a successful vendor risk management program, they can look at secondary proactive measures to keep supply chain security top of mind. Tactics include, but are not limited, to attack surface management, penetration testing services, and red team exercises. These strategic offensive security activities can help identify where the security gaps exist in your software supply chain.
Now that so many organizations are working with outside vendors, third-party security is more important than ever. No company wants to fall vulnerable due to an attack that starts externally. The best way to prepare and decrease vulnerability is to have a robust security plan that the whole company understands. By implementing these four simple best practices early on, businesses can go into the new year with assurance that they won’t be the weakest link in the supply chain — and that they’re safeguarded from external supplier threats.
Let’s start by defining the goal: a risk-based vulnerability management program. A risk-based vulnerability management program focuses on finding and fixing the vulnerabilities based on the damage it could cause if exploited and how likely exploitation is… in other words, the ones that pose the greatest risk to your business.
Even the majority of board members across the globe view cybersecurity as a business risk versus a technology risk, according to a survey from Gartner. It makes sense why most security leaders are working hard to shift to this model as organizations are swamped with vulnerabilities – notably, high-severity, business critical vulnerabilities.
Last year, a record number of critical vulnerabilities were disclosed to the National Institute of Standards and Technology (NIST): 10,342 (source: Security Magazine). A check-the-box, compliance-driven vulnerability management program will no longer cut it. As serious vulnerabilities are on the rise, it’s up to us to determine which are fixed first.
Before you can successfully implement a risk-based program, there are four realities you must face:
- You will have security vulnerabilities that you will never address
- CVSS scores do not represent business risk
- To have an effective risk-based program, we have to lessen the gap between IT and business
- We must adopt a “we’re all in this together” mentality to tackle cybersecurity risk
In this blog post, I’ll dig into each of these realities and the steps you can take to come to terms with and, in many cases, overcome them. First, a quick primer on risk scoring, a key component to risk-based vulnerability management.
An introduction to risk scoring
At NetSPI, one way we’re helping our clients address these challenges, or “realities” as I refer to in this article, is through risk scoring. In simple terms, a risk score quantifies risk for more accurate and efficient vulnerability remediation prioritization.
If you’re a NetSPI customer, you may have noticed the new Risk Overview Dashboard in Resolve™, our PTaaS platform. The dashboard features an aggregate risk score, composite risk scores for applications, networks, and cloud, an industry benchmark, the number of open critical vulnerabilities, the riskiest projects or assets, the top 10 highest risks, and more.
NetSPI’s Risk Score is calculated based on transparent methodology that considers vulnerability risk (impact, likelihood, environmental modifiers, and temporal modifiers), threat actor risk, remediation risk, and industry risk to quantify risk levels on any given asset, project, network, or an entire organization. Read more about NetSPI’s risk score methodology in our whitepaper, How to Use Risk Scoring to Propel Your Risk-Based Vulnerability Management Program Forward.
Risk scores can be used for remediation prioritization, resource allocation, cybersecurity spend validation, risk management tracking, industry benchmarking, and more. I like to think of it as a behind-the-scenes program manager for risk-based vulnerability management programs – continue reading to learn why.
You will have security vulnerabilities that you will never address
It is unrealistic to assume that any organization is vulnerability-free. Once you come to terms with this, risk’s role in vulnerability management becomes a lot clearer.
You can have the same vulnerability across 6 different assets, but is it wise to fix them all at once?
Traditionally, this is how many have approached vulnerability management, but the answer is, in most situations, no. It is important to focus on the system with the most risk versus solving the vulnerability across all systems. This holistic approach to vulnerability management is key as it allows you to incorporate business risk into your decisions.
When you start to factor business risk into the mix, you can identify which assets or systems are most likely to be taken advantage of AND create the most damage if exploited. Then, prioritize remediation, budget, and time accordingly.
Risk scoring can help expedite this decision-making process. The higher your risk score, the higher priority that system, asset, network, finding, project, etc. And some with very low risk may not warrant remediation at all.
CVSS scores do not represent business risk
A Common Vulnerability Scoring System (CVSS) score alone cannot provide a full picture of business risk, but it is a strong starting point for the basis of a risk score. CVSS scores are helpful for vulnerability-specific ratings, but they do not incorporate aggregate factors such as active threat intelligence or correlation to other penetration testing data points.
Additionally, CVSS scores follow a standard formula, regardless of the size, industry, or other business factors, leaving little to no room for customization. This results in organizations not getting the complete picture of a vulnerability’s potential impact.
CVSS scores are often used as a metric for return on security investments. I believe they should not be used as such. As an alternative, if you are utilizing a true risk program, risk scoring can be used as a quantitative metric to represent business risk across your organizations.
To have an effective risk-based program, we have to lessen the gap between IT and business
There’s a knowledge gap between IT and the business and we cannot achieve a risk-based vulnerability management program until that gap shrinks.
In the healthcare industry, risk alignment between IT and the business is critical. The business is patient health and safety and its up to security and IT leaders to help the business understand how it directly impacts and protects patient health and safety, whether that’s through protecting Personal Health Information (PHI) or saving lives through ransomware prevention activities.
This is the same with any business. You have to find common ground between what you’re doing from an IT perspective to show how you’re a part of the business and are critical in the day-to-day operations.
A simple shift in the way we talk about cybersecurity to business leaders could make a massive difference. A risk-forward approach is key. Here are two examples of this:
🚫 What does it cost us to protect the business
🚫 How do we secure our technical systems
✔️ What will it cost us if we don’t
✔️ How do we secure our business processes
We must adopt a “we’re all in this together” mentality to tackle cybersecurity risk
Industry benchmarking is an incredibly powerful tool to communicate your risk-based vulnerability management program successes and progress.
However, we must not fall into the pattern of comparing our programs against others in our industry. There is an analogy that we need to retire. It’s used so often that Red Bull even uses it as the premise for one of its most popular commercials. It’s the idea that, if you’re better than your industry peers, you’re less likely to fall victim to a cyberattack.
It is important to remember that we’re all fighting the same fight: to eliminate or alleviate the cybersecurity risks that lurk not only in specific industries but across all organizations. We need to work together, not against one another, for the greater good – and a risk-based vulnerability management program is a step in the right direction. Even auditors and cyber insurers are recognizing this shift towards risk-based programs to steer security programs towards maturity.
With these four realities addressed, there’s no better time to get started. Focus your attention on high-risk vulnerabilities, use risk scores to communicate business risk, shrink the gap between IT and business, and work together to make the shift to a risk-based vulnerability management program a reality for your organization.
Overview
Supply chain security, vendor risk management, third-party security. Each of these synonymous cybersecurity terms has become widely used, thanks to the increase in the exploitation of threat vectors from outside of an organization.
So, what can software vendors and third-party technology partners do to ensure they don’t become the weak link in the supply chain?
In this webinar you’ll get two different viewpoints on supply chain security from two NetSPI team members, Field CISO, Nabil Hannan, who will explore the topic from the software development perspective, and Managing Director, Chad Peterson, who will approach it from a business risk perspective.
- Their differing views on supply chain security
- The anatomy of a supply chain attack
- Considerations and best practices for securing the supply chain
- How vendors can get proactive to show potential partners that they are NOT the weakest link
- The future of supply chain security
Key highlights:
- 1:27 – Defining the supply chain
- 2:54 – Supply chain and risk
- 5:15 – Anatomy of a supply chain attack
- 14:50 – Proactive measures to protect against supply chain attacks
- 29:53 – What’s next with supply chain security?
Defining the supply chain
When it comes to supply chain security, it’s important to look at it from two sides – business risk and insider threat.
Business risk includes:
- Critical assets and intellectual property
- Internal risk programs
- Business partners
Insider threat includes:
- Internal software development
- Unique capabilities of the adversary
Supply chain and risk
From a business risk perspective, the supply chain landscape has changed substantially over the years.
Here are some of the key motivators of change:
- Perimeter transparency: Today’s environments extend well beyond the traditional brick and mortar business, with cloud and software as a service and remote work now being the norm.
- Reliance on business partners: Organizations today are relying on partners to support essential pieces of their business, including business processes, infrastructure, and application development.
- Increased attack surface: Outsourcing and the transparency of the perimeter have resulted in a loss of control for internal security teams. Additionally, external and internal environments have become blurred and there’s now an increased emphasis on privileged access.
As a result of this changing landscape, the anatomy of attacks has evolved for many organizations.
Some of the ways in which attacks are changing include:
- Island hopping: Because companies are doing a better job of protecting their own environments, attacks are no longer exclusively focused directly at the organization, but rather within the supply chain. Emerging attack methods include network-based, reverse email, and watering hole attacks.
- External motivations: Organizations are increasingly outsourcing their software development for cost savings and to have additional resources to expedite and accelerate software development. To support this, more software developers are being hired from outside the U.S., which can pose challenges with managing insider threats in the supply chain.
- Internal motivations: It can be challenging for organizations to know for certain that when they hire developers, they’re not malicious and that they’ll truly perform the work they’ve been hired to do. Another related concern is when U.S.-based employees outsource their own software development jobs to developers in China or elsewhere, which can give individuals outside the company access to an organization’s code or other sensitive data. Many organizations don’t have a full picture of what’s happening within their company, which can pose supply chain security risks in the long run.
Traditional malware vs. malicious code
A key piece of effective supply chain security is understanding the differences between traditional malware and malicious code.
- Traditional malware is installed on systems from external sources, usually downloaded through different attack vectors like phishing, and is a result of outside attackers trying to compromise systems at a larger scale, such as sending a phishing email to thousands of people at once, hoping at least someone will click on it.
- Malicious code is code is much more targeted and inserted into software that’s built internally, usually inserted by an internal employee, and looks and feels like regular, non-malicious code. Internal adversaries include different types of employees, such as software developers, administrators or operations team members, and change management team members, all of whom have access to internal systems.
Proactive supply chain security measures
While the supply chain threats that businesses face today are significant, there are some proactive measures organizations can put in place to ensure supply chain security is effective.
Consider the following proactive measures at your organization:
- Security awareness training: Ensure you’re training your staff on security best practices to follow. Have a process in place for the training to be provided to all new employees, as well as an annual refresher training with all employees.
- Policy and standards adherence: Implement organizational policies and standards that are a reflection not only of best practices, but are followed and in line with business processes.
- Vendor management: Assess all new vendors using a risk-based vendor management program. The program should also address retesting vendors in accordance with their identified risk level.
The three proactive measures outlined above are some of the foundational steps your organization can take to elevate your supply chain security. Some of the other critical components to consider bringing in to improve supply chain security include attack surface management, penetration testing, and red team exercises.
What’s next in supply chain security?
When it comes to internal software development and associated risks from a supply chain perspective, the next steps to take after identifying malicious risk are not as simple as some may think. The reason it’s not straightforward is because the typical vulnerability escalation process now includes the adversary, because internal resources are seen as potential threats. As a result, “just fix the vulnerability” isn’t a viable mitigation strategy and organizations need to instead define governance the process and controls around managing malicious code.
Malicious code risk mitigation steps can range from rather benign to very serious and may include:
- Suspicious, but not malicious
- Circle of trust invitation
- Passive monitoring
- Active suppression
- Executive-level event
NetSPI’s supply chain security capabilities
Leading businesses trust NetSPI for continuous threat and exposure management, leveraging our team, technology, and comprehensive methodology to detect and remediate vulnerabilities.
Learn more about how our Attack Surface Management, penetration testing, and red team testing capabilities can help identify where security gaps exist in your software supply chain. Connect with an expert team member by scheduling a demo today.
[wonderplugin_video iframe="https://youtu.be/xBYMzqZd4eA" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]
[post_title] => How NOT to be the Weakest Link in the Supply Chain [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => how-not-to-be-the-weakest-link-in-the-supply-chain [to_ping] => [pinged] => [post_modified] => 2023-09-01 07:05:14 [post_modified_gmt] => 2023-09-01 12:05:14 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=26525 [menu_order] => 45 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) ) [post_count] => 10 [current_post] => -1 [before_loop] => 1 [in_the_loop] => [post] => WP_Post Object ( [ID] => 29990 [post_author] => 108 [post_date] => 2023-04-17 09:00:00 [post_date_gmt] => 2023-04-17 14:00:00 [post_content] =>NetSPI was featured in VMblog's pre-show coverage of the HIMSS conference. Read the preview below or view it online here.
+++
HIMSS (Healthcare Information and Management Systems Society) is one of the largest conferences in the healthcare industry, bringing together industry leaders, experts, and enthusiasts from across the globe. The conference provides a platform for sharing the latest trends, technologies, and best practices in the healthcare IT sector.
The future of Healthcare IT and its impact on the healthcare workforce is going to be a hot topic discussed at HIMSS 2023. The integration of new technologies such as AI, Blockchain, and Telemedicine in healthcare will require a new set of skills and competencies among healthcare workers. HIMSS 2023 will provide a platform for industry leaders and experts to discuss the training and education programs needed to equip the healthcare workforce with the necessary skills to adapt to these changes.
HIMSS 2023 promises to be an exciting event, bringing together healthcare professionals, industry leaders, and enthusiasts to discuss the latest trends and technologies in healthcare IT. The conference will provide a platform for discussing the challenges and opportunities facing the healthcare industry and exploring how new technologies can be leveraged to improve patient outcomes, reduce costs, and enhance the overall quality of care.
Keep reading below as industry experts share their thoughts around the hot topics and trends they expect to hear more about at this year's event.
Chad Peterson, Managing Director, NetSPI
“As ransomware attacks against the healthcare sector rise, it’s critical that organizations ensure they are remaining compliant with HIPAA. Last year, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) filed 22 HIPAA resolution agreements totaling over $1.12 million in settlement fines. A key issue is that HIPAA provides little guidance around the best practices to achieve compliance – leaving holes in healthcare organization’s security strategies. An often overlooked solution to this ongoing issue is penetration testing, which addresses the need to map, understand, and close gaps in an organization’s attack surface that could expose electronic protected health information (ePHI). Looking forward, healthcare security and IT teams must take a proactive mindset to HIPAA compliance. Organizations that implement comprehensive pentesting programs into their security programs will achieve better compliance and build resilience in the current threat landscape.”
Continue reading on VMblog: https://vmblog.com/archive/2023/04/17/industry-experts-share-hot-topics-and-trends-for-himss-2023.aspx#.ZD2rhHbMKUn
[post_title] => VMblog: Industry Experts Share Hot Topics and Trends for HIMSS 2023 [post_excerpt] => NetSPI was featured in VMblog's preview of the HIMSS conference. Read the article. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => vmblog-himss-2023 [to_ping] => [pinged] => [post_modified] => 2023-04-18 13:51:40 [post_modified_gmt] => 2023-04-18 18:51:40 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=29990 [menu_order] => 78 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 10 [max_num_pages] => 0 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => 1 [is_privacy_policy] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_favicon] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => e4a39f7b663dd51e7d0d1f873125a1a6 [query_vars_changed:WP_Query:private] => [thumbnails_cached] => [allow_query_attachment_by_filename:protected] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )