Eren Cihangir on cybersecurity risk management in healthcare
Hi Eren, please introduce yourself and your role.
“My name is Eren Cihangir, and I am the US Sales Engineer for Outpost24’s NetSec, AppSec, CloudSec and OffSec solutions. With a diverse background in software development and cybersecurity and a broad knowledge base of cybersecurity best practices, I am able to provide solid advice and recommendations about the most cost-effective solutions for our customers with all levels of InfoSec maturity.”
Who have you looked up to as a career role model?
“Two historical figures come to mind: Nikola Tesla and Bill Gates. Tesla proved that incredible technological feats could be achieved long before the beliefs of his time. Bill Gates demonstrated the power of compatibility, disrupting the IBM proprietary model and leading the industry to the philosophy of availability for all.”
What is Outpost24?
“The Outpost24 group is pioneering cyber risk management with a unified solution to identify vulnerabilities, monitor external threats and reduce the attack surface with speed and confidence.”
Tell us about web application attacks in healthcare.
“Web application attacks on the healthcare industry have been on the rise, with Outpost24’s Web Application Security for Pharma and Healthcare Report revealing that US healthcare organisations run a total of 6,069 web applications over 2,197 domains with 23.74% running on vulnerable components. Additionally, US healthcare organisations have a larger attack surface with an average risk exposure score of 40.5 compared to an average score of 32.79 for EU healthcare providers.”
Why do you think these attacks are on the rise?
“There are several reasons, but the most likely is that web applications themselves are on the rise, with a greater number of patient portals, EHR systems and telehealth platforms. This combined with poor security – such as inferior authentication – has created an opportunity for cybercriminals to take advantage of vulnerabilities in healthcare environments to carry out attacks.”
What did you think of Verizon’s Data Breach Investigations Report?
“Verizon’s 2022 Data Breach Investigations Report’s findings were in line with our findings at Outpost24. Verizon’s report found that web application attacks now account for 76% of breaches in healthcare, which coincides with our report showing the rise in these types of attacks. It is further confirmation that healthcare organisations need to take measures to secure external web applications in their environments.”
How can healthcare organisations balance web application needs with security?
“Web applications offer improved patient experiences and ease of communication for hospitals and healthcare providers. However, failing to secure them can leave healthcare providers and their patients vulnerable to costly – and even dangerous – cyberattacks. There are a few things healthcare organisations can do to improve security:
- Improving password and login security is a simple way to make a big difference in web application security, with stolen credentials at the centre of many of these attacks. Healthcare providers should put strong password guidelines in place and implement multi-factor authentication for all web applications.
- Additionally, it is critical to take inventory of all web applications. With the rapid proliferation of web applications – with the average enterprise running and managing around 464 custom applications – many organisations do not even have an accurate understanding of all of the web applications in their environment, and it’s very hard to secure something that you don’t even know is there.
- Take note of active VPN services. Many of these applications can run with outdated technology, leading to vulnerabilities that can be exploited to break past the firewall and other security measures.
- Finally, healthcare organisations need to implement strong and continuous penetration testing solutions that allow their IT teams to understand and address issues quickly and efficiently as their web application attack surface evolves.”
Typically, why are healthcare applications ‘critically exposed’?
“The ‘critically exposed’ status of healthcare applications is a part of a wider issue with web applications. Without strong authentication requirements (such as MFA) and a full understanding of the applications in your publicly-exposed infrastructure, they may be left exposed. However, in healthcare, the issue has ballooned because of the rapid proliferation of ransomware targeting insecure web apps and services.”
What do the next 12 months hold for you and the company?
“As a company, we are striving to help our customers become more resilient and prepared for the evolving threat landscape by helping them understand their attack surface and vulnerabilities. As the landscape changes – driven by remote and hybrid work, increased nation-state activity and cyber warfare, ransomware, and other trends – our goal is to continue to evolve to better prepare our customers to combat cyber threats.”