Our client, a regional hospital and healthcare provider with multiple small, medium and large facilities, wanted to determine where their facilities, services and information were susceptible to a motivated attacker. The organization had an active information security program, but their leadership wanted a third-party evaluation. Experis was asked to use a variety of realistic attack methods to assess the adequacy of the security measures without disrupting business or patient services.
The engagement used a tailored version of our proven vulnerability assessment and penetration test methodology to initially probe the defenses of the organization in a covert manner, and then followed those tests with additional methods designed to validate the vulnerabilities discovered and determine the potential risks and impacts if the issues were exploited by attackers. A Rules of Engagement document was developed in cooperation with the client to explicitly define the parameters and scope of each test and the test windows when execution would occur.
Experis assigned a highly skilled security professional to develop the specific attack scenarios, set the depth of testing for each test, and review the plan with the client. Experis executed the initial tests in a covert manner and then followed up with additional focused tests and exploit verification of the discovered weaknesses. In addition to the electronic testing, a phishing test and facilitated walkthroughs of several facilities were conducted to assess the level of employee awareness and review the physical safeguards for additional attack surfaces that could be exploited.
Experis exposed several significant weaknesses in the physical, electronic and behavioral measures used to secure the facilities, internal and external networks, and critical information systems. We provided a report with detailed results and a set of pragmatic recommended actions the client used to address the root causes of each issue. Our recommendations enabled the client to quickly and significantly reduce their levels of business risk and exposure from cyber-attacks.