What is Pen Testing and Why Do You Need It?


There has never been a more important time to ensure the security of your healthtech application. With cyber attack frequency increasing daily and patient information at stake, penetration testing is an essential part of a defence-in-depth strategy that can help protect patient data, your reputation and the NHS.

Penetration testing, also known as Pen testing, is a self-inflicted cyberattack against your own computer systems. It usually involves hiring an expert who will try to breach the security of your application with the aim of uncovering vulnerabilities in your mobile apps, web apps, cloud infrastructure and any Internet of Things (IoT) devices that form part of your healthtech innovation.

Only once you know which vulnerabilities exist in your healthtech innovation can you start the work to address them. As part of your cyber security strategy, Pen testing gives you invaluable information about where the weak spots are within your healthtech innovation, and it’s essential that you know this before hackers do.

Pen testing is, rightly, a very important part of the Digital Technology Assessment Criteria (DTAC). If your systems are secure, so are the patient data they hold, and this is a crucial aspect for the NHS in determining that your solution is safe. As with the rest of the DTAC requirements, Pen testing is not a one-off exercise. Pen testing results relate to a specific point in time, or to a particular version of your innovation. Therefore, it’s essential that you run penetration testing as frequently as required given the context of your innovation and your product release life cycle.

A robust Pen test needs to be performed on all of the components that comprise your healthtech innovation, e.g.:

  • Web apps
  • Mobile apps
  • Cloud infrastructure
  • Internet of Things (IoT) devices

Only through Pen testing all aspects of your healthtech innovation, and then implementing fixes to any vulnerabilities identified in the Pen test, can you be sure that your application is safe. A comprehensive Pen test will look across all aspects of your innovation and will test against the current Open Web Application Security Project (OWASP) Top 10 and other vulnerability lists. Robust Pen testing will include both black box and white box methods of testing as a minimum to locate vulnerabilities within your healthtech innovation.

Black box testing uncovers vulnerabilities just as an external attacker would, with no inside knowledge of your innovation, whilst white box testing leverages inside knowledge of your infrastructure and applications to uncover the possibility of insider attacks. When used as part of a robust penetration testing methodology, these testing methods bring insight into the vulnerabilities that you will need to remedy before you can declare your application safe.

A key part of any Pen testing output is the penetration testing report. A well-rounded penetration test report should deliver at least the following information:

  • An executive summary of the findings and ideally a graphical representation of vulnerabilities
  • An outline detailing the scope of the testing that was performed
  • The testing methodology used including a list of tests and test cases
  • The list of vulnerabilities identified
  • A classification of the severity of these vulnerabilities (critical, high, medium, low) rated against the CVSS framework
  • A description of these vulnerabilities including the impact they have
  • A list of recommendations to address these vulnerabilities

At Acorn Compliance we want to grow your understanding of cyber security, provide insight into good practices that can reduce your attack surface release to release, and help you understand which types of vulnerability compromise which areas of DTAC, e.g. data protection or clinical safety. Therefore, our Pen testing outputs also include:

  • A detailed vulnerability dashboard that delivers a bird’s-eye view of penetration testing results and an understanding of how many of the identified vulnerabilities have been fixed
  • Screenshots and video evidence of vulnerabilities we’ve uncovered so that you can replay how an attacker may attempt to breach your cyber defences
  • Details of the business impact and consequences per vulnerability
  • Tailored steps to fix each vulnerability
  • Information on best practices to follow for future releases
  • Access to our qualified security team so that you can ask technical questions and receive expert guidance to help you fix the uncovered vulnerabilities
  • Insight against compliance standards, including healthtech-specific ones: DTAC, HIPAA, ISO 27001, GDPR and SOC 2

The detailed outputs described above, combined with support on technical security, are critical to embedding a robust cyber defence strategy and building a culture of DTAC compliance that covers your entire healthtech innovation. Our Pen testing includes the opportunity to rescan your entire healthtech innovation multiple times to ensure that all identified vulnerabilities have been addressed.

Where appropriate, continuous scanning can also be employed to ensure that you do not introduce further vulnerabilities into your healthtech innovation following the initial Pen test. Continuous scanning as part of a defence-in-depth strategy for cyber security can make the difference between a once-safe system and a continuously safe one.

As DTAC is not a once-and-done exercise, it’s critical that you employ a cyber defence strategy that constantly looks to decrease your cyber attack surface release to release.

At Acorn Compliance we provide a complete solution, a one-stop shop, for all your DTAC needs. We can do this given our extensive knowledge and experience across all DTAC domains and with the help of our network of reliable and experienced partners.

If you would like to discuss your Pen testing requirements or find out how we can help you, do not hesitate to get in touch at [email protected].
