Network Audit and Vulnerability Assessment for a Northern New England-Based Hospital

Challenge: Prevent unauthorized access to Hospital information systems, with a focus on securing Protected Health Information (PHI).

Solution: Review the architecture and security design of connected systems, perform a “digital x-ray” of network devices to locate vulnerabilities, and conduct electronic testing of IT security controls. Identify high-risk areas needing immediate attention in an executive report deliverable. Provide subsequent consulting services to guide remedial efforts, with an emphasis on addressing threats to patient care and potential unauthorized access to PHI.

HOW WE HELPED

We performed a network and vulnerability assessment to determine whether system configuration deficiencies or well-known exploitable vulnerabilities existed that could be leveraged to gain unauthorized access to data, including Protected Health Information (PHI), or to cause a system disruption that could impact patient care. This was accomplished by running a suite of tools designed to collect information from, and test, the Hospital's network-connected devices for security vulnerabilities, and also to evaluate the effectiveness of IT controls. While running our scanning tools against the client-designated network devices, our team performed a detailed review of network-connected device configurations to identify deviations from well-established security practices.

Following the in-depth discovery and analysis process, we compiled the results into a consolidated, management-ready report with a prioritized list of recommendations to address the identified pain points. Meeting with senior management to review our findings, we formulated an action plan to address the serious nature of the issues discovered. Some of the more perilous issues found included potentially unauthorized system access, insecure network devices with access to PHI, applications that may contain unauthorized software such as malware, and application vulnerabilities that could be leveraged to install ransomware. Without the network and vulnerability assessment, the Hospital would not have been aware of these numerous critical and potentially exploitable vulnerabilities.

The engagement deliverables consisted of a collaborative meeting with the Hospital’s senior leadership and security team and a prioritized list of findings and recommendations including the need to:

  1. Address significant deficiencies in the user account administration process to prevent unauthorized access,
  2. Improve network device management to prevent data loss,
  3. Update and test the Disaster Recovery Plan to ensure system recovery objectives can be met, and
  4. Rectify the patch management process deficiencies to remedy vulnerabilities that could allow unauthorized access or service disruptions.

Our team provided subsequent consulting services to assist the Hospital’s senior leadership and security team in expediting the mitigation of the critical, potentially exploitable vulnerabilities. This work included the development and implementation of a multi-departmental process to grant, remove, and periodically review user accounts and permissions, which substantially reduced the risk of unauthorized access. The assessment’s detailed findings are also driving numerous other process and network security improvements that reduce risk and vulnerability across the enterprise.
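The periodic account review described above is the step most often neglected once a grant/remove process exists. As an added illustration (example code written here, not the firm's or the Hospital's own process), the script below cross-checks a constructed directory-account export against a constructed HR roster of current staff and flags the three conditions an auditor typically looks for: enabled accounts with no matching active employee (orphaned), enabled accounts unused for longer than a review window, and accounts that have never logged in. Privileged-group membership raises the severity. The field names, the 90-day window, the `svc-` prefix convention for service accounts, and the assumption that HR and directory records share a username are all assumptions of this example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample data, not taken from the engagement.
# Assumption: the HR export lists current employees by the same username
# the directory uses, so a missing HR record means the person has left.
HR_ACTIVE_STAFF: Set[str] = {"jsmith", "mlee", "rkhan"}

# Assumption: directory export with these four fields per account.
DIRECTORY_ACCOUNTS: List[Dict] = [
    {"user": "jsmith", "enabled": True, "last_login": "2024-05-01", "groups": ["Clinicians"]},
    {"user": "mlee", "enabled": True, "last_login": "2024-01-10", "groups": ["Clinicians", "PHI-Readers"]},
    {"user": "tgone", "enabled": True, "last_login": "2024-04-20", "groups": ["Domain Admins"]},  # no HR record
    {"user": "rkhan", "enabled": False, "last_login": "2023-11-02", "groups": ["Domain Admins"]},
    {"user": "svc-backup", "enabled": True, "last_login": None, "groups": ["Backup Operators"]},
]

# Assumption: groups whose membership can reach PHI or administer systems.
PRIVILEGED_GROUPS: Set[str] = {"Domain Admins", "PHI-Readers", "Backup Operators"}
STALE_AFTER = timedelta(days=90)  # assumed review window


def is_service_account(user: str) -> bool:
    # Assumed naming convention; service accounts have no HR record by design.
    return user.startswith("svc-")


def days_since(last_login: Optional[str], today: datetime) -> Optional[int]:
    if last_login is None:
        return None
    return (today - datetime.fromisoformat(last_login)).days


def review_accounts(accounts: List[Dict], hr_active: Set[str], today: datetime,
                    stale_after: timedelta = STALE_AFTER,
                    privileged: Set[str] = PRIVILEGED_GROUPS) -> List[Dict]:
    """Return one finding per problem detected; privileged accounts sort first."""
    findings: List[Dict] = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account grants no access; cleanup, not a finding here
        user = acct["user"]
        priv_groups = sorted(set(acct["groups"]) & privileged)
        severity = "high" if priv_groups else "medium"

        def add(issue: str, detail: str) -> None:
            findings.append({"user": user, "issue": issue, "detail": detail,
                             "privileged_groups": priv_groups, "severity": severity})

        # 1. Orphaned: still enabled, but HR no longer lists the person.
        if user not in hr_active and not is_service_account(user):
            add("orphaned", "enabled account with no matching active HR record")

        # 2. Never used / stale: unused accounts are pure attack surface.
        age = days_since(acct["last_login"], today)
        if age is None:
            add("never-logged-in", "enabled account has never authenticated")
        elif age > stale_after.days:
            add("stale", f"no login for {age} days (window {stale_after.days})")

    findings.sort(key=lambda f: (f["severity"] != "high", f["user"], f["issue"]))
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per issue type for the management summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    review_date = datetime(2024, 6, 1)  # constructed review date
    for f in review_accounts(DIRECTORY_ACCOUNTS, HR_ACTIVE_STAFF, review_date):
        print(f"[{f['severity']}] {f['user']}: {f['issue']} - {f['detail']} "
              f"(privileged: {', '.join(f['privileged_groups']) or 'none'})")
    print(summarize(review_accounts(DIRECTORY_ACCOUNTS, HR_ACTIVE_STAFF, review_date)))
```

In practice the two exports come from HR and the directory on a fixed cadence, and each finding is routed to the owning department for a disable/keep decision, which is what makes the review multi-departmental rather than an IT-only exercise.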

Lead Contacts

Patrick Morin

Principal

Pat began at Baker Newman Noyes in 1995 when the firm was founded, having previously been with one of our predecessor organizations since 1988. Pat is a principal of the firm and the director of the risk and business advisory practice.

Ilona Davis

Principal

Ilona has more than twelve years of experience leading and coordinating the daily efforts for audit and consulting projects across numerous industries. She has provided a wide range of advisory services, including regulatory compliance and controls, IT and business risk management, service organization examinations including SOC examinations, IT strategy, system selection, IT security, IT audit, and business process improvement.