How Bug Bounty Programs Can Help Improve Hospital Security

Najeeb Weerabangsa
Published in Bug Zero, Dec 18, 2022



Overview

Healthcare security teams are under extreme pressure to protect their environments from an increasing number of threats.

Teams are frequently understaffed, constantly catching up with an onslaught of threats and vulnerabilities, and asked to secure legacy devices dating back to the 1990s, all while assisting other health system teams that are raising the bar in architecting data analytics solutions and developing patient-facing applications to provide a customer-friendly healthcare experience.

There just aren't enough hours in a day, or even a year, to do everything. In this situation, adding a bug bounty program can pay off by reducing the strain on the team and increasing the amount of security testing it gets.

When properly designed, a bug bounty program crowdsources security research and testing to help discover real-world, exploitable vulnerabilities. In a nutshell, the program offers researchers a focused, scoped opportunity to find exploitable security flaws.

Most programs include a reward system that incentivizes researchers with rankings, swag, or payments ranging from a few hundred to several thousand dollars. Although uncommon, some bounties pay up to a million dollars.

A Bug Bounty Program Is Not The Same As A Vulnerability Management Program…


A bug bounty program is not the same as a vulnerability management program, which focuses on known, cataloged flaws (missing patches, outdated components, misconfigurations) that can be fixed or mitigated. While such known vulnerabilities may be eligible for a bounty, a security program should already have scanning tools to discover and address them.

There is real value, however, in using the bug bounty community to uncover difficult-to-find vulnerabilities, such as an exploitable instance of the Log4j remote code execution flaw (Log4Shell) buried in a custom application, which is often beyond the capabilities of a standard vulnerability scanner.

A bug bounty program is also not the same as a penetration test, which is usually bounded by time and by a defined objective (for example, proving that a particular system can be breached). While a penetration test and a bug bounty program overlap in many ways, the key difference is that a bug bounty hunter or researcher is typically paid only when a bug is discovered, validated, and reported in accordance with the program's guidelines, whereas a pentester is generally paid regardless of findings.

Risks Associated With Bug Bounty Programs


There are several pitfalls in running a bug bounty program, and most of them come down to scoping. Here are some of the most common.

Improper target selection. Failing to define which targets are in scope can result in researchers testing everything, which can have operational consequences and may affect patient care: a researcher testing a live patient portal, knocking over an interface that patient care depends on, or targeting a third-party product are all examples. It is good practice to stand up an isolated network or test environment, seeded with synthetic rather than real patient data, when launching a bug bounty program.

Inadequate vulnerability scoping. Failing to define the types of vulnerabilities that are reportable results in low-quality reports, quickly overwhelms the security team, and makes the program unproductive. Recommended practice is to publish an explicit list of out-of-scope issues (several community lists exist; typical entries are missing security headers, version disclosure, and clickjacking on pages with no sensitive actions) and to accept only issues that are demonstrably exploitable, with a working proof of concept.

Inadequate scaling of researcher access. Starting a bug bounty program should follow the crawl, walk, run principle. If the doors are opened too wide and too quickly, the program will be flooded with duplicate reports, which harms its credibility. This is one of the main reasons it is helpful to begin with a private, invitation-only program run through a managed platform and bring the program in-house once the process has matured.

Case Studies For Bug Bounty Programs


While there are risks, there are several ways bug bounty programs can help healthcare solution providers deliver value:

Mobile applications for patients. Patient-facing applications are excellent candidates for bug bounty testing, whether you are an app vendor or a healthcare organization with a development team. The back-end APIs are the main attack surface of most mobile applications, so building a test environment with a test build of the app and giving researchers access to it helps verify that these apps stay safe.

Web-based apps. The majority of bug bounty programs revolve around a web application. Many of these are commercial web applications sold to customers, but the same classes of flaw occur in custom applications built by marketing and research teams.

Choosing a third-party vendor. Bug bounty programs are not only useful internally; they can also be used as part of a vendor security evaluation. If a solution provider runs a bug bounty program, it shows confidence in their security program and suggests the product has an established, continuous, crowdsourced process for finding and fixing vulnerabilities. Furthermore, if your security staff have the necessary skills, it gives them a sanctioned target for doing their own security testing.

Examples Of Bug Bounties


I hope you're thinking about how a bug bounty program may help your security program by now. But you're undoubtedly wondering whether it's worth your time and effort. Here are a few vulnerabilities that I have personally uncovered in healthcare-related apps to demonstrate the benefit.

Persistent XSS injection in a telemedicine application's admin portal. A P2-level flaw that would have given a malicious actor complete administrator access to the target's telemedicine program.

Unauthorized patient/provider create/update/delete access in a web-based EMR. A P2-level flaw that might be exploited to access patient data belonging to other companies housed on the EMR system.

Unauthorized prescription creation/viewing at an online pharmacy. A P2-level flaw that might be used to introduce medications into other online pharmacy customers' prescriptions.

Root access on a call center server. A P1-level vulnerability that might be exploited to acquire root access to the target server, giving complete control over the whole application.

Takeover of an encrypted email solution via SAML injection. A P1-level flaw that injects SAML settings, allowing a malicious actor to take over the authentication mechanism and gain complete control of the encrypted email site.
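As an added illustration (not the author's actual finding, and not the code of any real EMR product), the following Python sketches what an "unauthorized patient create/update/delete" bug in a web-based EMR API typically looks like and how it is fixed. It is the same class of API flaw mentioned under mobile applications above: the vulnerable handlers trust the record id in the request and never ask who owns the record, while the hardened handlers check the caller's tenant on every object access. Every name, tenant and patient record here is constructed for the example.

```python
"""Broken object-level authorization (IDOR) in an EMR-style API, vulnerable
and hardened side by side. Added example with constructed data; not code
from any real application or from the page's author."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller's tenant does not own the requested record."""


@dataclass
class Patient:
    id: int
    tenant: str          # the practice/company that owns the record
    name: str
    notes: str = ""


@dataclass
class Session:
    user: str
    tenant: str          # tenant of the authenticated user, set at login


@dataclass
class EmrStore:
    """Stand-in for the database behind /patients/<id> endpoints."""
    patients: dict = field(default_factory=dict)
    next_id: int = 1

    def create(self, session: Session, name: str, notes: str = "") -> Patient:
        # Owner comes from the session, never from the request body, so a
        # caller cannot create records under another practice.
        p = Patient(self.next_id, session.tenant, name, notes)
        self.patients[p.id] = p
        self.next_id += 1
        return p

    # --- vulnerable handlers: trust the id in the URL, ignore ownership ---
    def get_vulnerable(self, session: Session, patient_id: int) -> Patient:
        return self.patients[patient_id]

    def delete_vulnerable(self, session: Session, patient_id: int) -> None:
        del self.patients[patient_id]

    # --- hardened handlers: every object access goes through _authorize ---
    def _authorize(self, session: Session, patient_id: int) -> Patient:
        p = self.patients.get(patient_id)
        # Same error for "does not exist" and "not yours", so the id space
        # cannot be enumerated by telling 404 apart from 403.
        if p is None or p.tenant != session.tenant:
            raise Forbidden(f"patient {patient_id} not accessible to {session.user}")
        return p

    def get(self, session: Session, patient_id: int) -> Patient:
        return self._authorize(session, patient_id)

    def update_notes(self, session: Session, patient_id: int, notes: str) -> Patient:
        p = self._authorize(session, patient_id)
        p.notes = notes
        return p

    def delete(self, session: Session, patient_id: int) -> None:
        self._authorize(session, patient_id)
        del self.patients[patient_id]


def demo():
    """Two practices share one EMR; clinic-b tries to read clinic-a's patient.
    Returns (what the vulnerable endpoint leaked, whether the hardened
    endpoint refused the cross-tenant read, whether the owner can still read)."""
    store = EmrStore()
    clinic_a = Session("dr_a", "clinic-a")
    clinic_b = Session("dr_b", "clinic-b")
    alice = store.create(clinic_a, "Alice Example", "allergic to penicillin")
    store.create(clinic_b, "Bob Example")

    leaked = store.get_vulnerable(clinic_b, alice.id).notes   # succeeds: IDOR
    try:
        store.get(clinic_b, alice.id)
        blocked = False
    except Forbidden:
        blocked = True
    owner_ok = store.get(clinic_a, alice.id).name == "Alice Example"
    return leaked, blocked, owner_ok


if __name__ == "__main__":
    print(demo())
```

The fix is not a framework feature but a habit: every handler that takes an object id resolves it through one ownership check (`_authorize` here) before reading, writing or deleting, and the create path derives the owner from the session rather than the request. In a bug bounty program this is exactly the kind of finding a scanner misses and a researcher with two test accounts finds in minutes, which is why the test environment should ship with at least two tenants' worth of synthetic data.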

Conclusion

While creating a bug bounty program requires some preparation and administration, there is little question that tapping the thousands of researchers who actively take part in these programs can help your security program improve.

Even if your organization isn't ready for crowdsourced security testing, chances are some of your solution suppliers are, and it may only take a little nudge to convince them to use one to improve security throughout the healthcare sector, one bug at a time.

About Bug Zero

Bug Zero is a crowdsourced bug bounty platform for security testing. The platform is the intermediary that lets client organizations publish their service endpoints so that bug hunters (security researchers and ethical hackers) registered on the platform can test those endpoints without any upfront charge. Bug hunters can begin testing as soon as a client organization publishes a new program. Bug Zero also offers private bug bounty programs for organizations with high security requirements.

https://bugzero.io/signup

Bug Zero is available for both hackers and organizations.

Organizations and hackers alike can register with Bug Zero for free. Let's make cyberspace safe.


Computer science student at University of Ruhuna with a strong interest in cyber security. I am always looking to expand my knowledge and skills in the field.