How pentesting brings you closer to a 100% safe cyber security cloud environment
- Case Study
You might be familiar with this situation: you have a tip for your colleagues, but you struggle to explain it clearly. So, you quickly record a video to illustrate your point, right? At Dichterbij, they also value learning from each other, but these videos were usually shared via WhatsApp. Not entirely privacy-friendly and highly susceptible to data breaches. While WhatsApp provides end-to-end encryption, organizations have limited control over what happens to the information on their employees' mobile devices.
Fortunately, Dichterbij found a solution in the form of an external tool that shares videos in a centralized cloud. However, CISO of Dichterbij, Patrick Thijssen, saw a risk in this approach: "By centralizing your information in a cloud, you become a 'honeypot' for cybercriminals." Hacksclusive was tasked to test any vulnerabilities in the system.
Every action is accompanied by information, even in the healthcare sector
Dichterbij employs 4500 healthcare professionals across 67 day care locations and 940 residential locations for individuals with physical or intellectual disabilities. As the Chief Information Security Officer, Patrick Thijssen is responsible for ensuring the availability, integrity, and confidentiality of information.
"A significant amount of sensitive information is handled within Dichterbij, such as all the patient data we possess. I often joke that if someone within the organization can name a process where information is not used, they will receive a prize."
It may be tempting to think that everyone should have access to all that information within an organization. However, that is exactly what shouldn’t be done. Patrick believes it is essential to explain to employees why they may not always have access to certain information and that access is dependent on their role within the organization. Fortunately, they usually understand. As the CISO of Dichterbij, his role has a significant human aspect.
"When working with sensitive information like clients' personal data, you have a duty of care. As a healthcare organization, it is crucial to have a clear understanding of who has access to which information and who does not."
Patrick Thijssen - Chief Information Security Officer at Dichterbij
Honeypot for Cybercriminals
To foster knowledge sharing, a considerable amount of information is exchanged among colleagues, ranging from tips and tricks to onboarding protocols. However, both Patrick and the Dichterbij board recognized the risks associated with this practice. They decided to consolidate this information and store it in a centralized location. They opted for a solution provided by an external party, which stores the information in a central cloud and grants access through personal IDs.
Although this initially appears to be safer, Patrick saw a significant risk: "From a small chance of a small-scale data breach on one mobile device, there is now a greater chance of problems because anyone with malicious intent can access all the data." It's as if you collect all the watches, wallets, and car keys from your sports team in a bag and leave it in an unlocked locker room.
As an organization, blindly trusting your external software or application provider is not advisable. Since the application provider Dichterbij collaborated with couldn't answer all security-related questions about the cloud platform, Patrick decided to have the system undergo a penetration test. Through his network, he came across Martijn Baalman from Hacksclusive. Patrick presented him with a specific question: "If we get hacked, we have a problem. So, I want to know what can go wrong so that I can prevent it."
Organizational versus Technical Risk
"To get the most out of a penetration test, it is important for an organization to have a clear understanding of what constitutes an organizational risk and what constitutes a technical risk. This means that Hacksclusive identified some vulnerabilities that are technically unsafe but pose virtually no organizational risk to Dichterbij."
Consequently, Hacksclusive and Dichterbij compiled a list of findings, categorizing action items based on high or low levels of risk. This list was ultimately shared with the application provider, who then began resolving the vulnerabilities. One advantage of working with Hacksclusive is that within the dashboard, each item can be tracked, indicating the steps taken to address it. "The provider’s developers also have access to the dashboard. They fix a problem and report back to Hacksclusive, who can then verify if it has indeed been resolved. For us, the Hacksclusive dashboard also serves as a project management tool. Additionally, this environment acts as an archive, allowing us to demonstrate how we addressed vulnerabilities at a later stage."
The ‘necessity’ of speed
When installing a new application, the goal is to be able to start using it as quickly as possible. However, speed is not relevant in a penetration test, according to Patrick. He says, "Although Hacksclusive can operate swiftly thanks to their cloud platform, speed is not important in this context unless you have an urgent issue."
"Thoroughness is the most important aspect. Thanks to Hacksclusive's creative approach to penetration testing, they uncovered a vulnerability that was completely outside the agreed scope. In addition, we find traceability to be very valuable. If we overlook something while addressing vulnerabilities and still get hacked, I can at least demonstrate that we looked into it. That we made an effort to prevent damage."
Safely share sensitive findings amongst coworkers
Just as Dichterbij appreciates the many advantages of a cloud-based system for its employees, Patrick notes that the same way of working is reflected in Hacksclusive's penetration testing process. Previously, pentest reports were shared via email, but now all interim findings and reports are securely placed in a cloud environment. Team members have their own accounts in the online environment and can safely view the data.
When asked about the greatest advantages of Hacksclusive, Patrick is clear: "The cloud-based platform with centralized information is an absolute unique selling proposition of Hacksclusive. Both the ethical hackers from Hacksclusive and the software developers are closely involved. The findings from Hacksclusive are submitted as tickets to the engineers, who can work through the list of findings in a clear and organized manner."
As a final tip for other healthcare organizations, Patrick suggests, "Establish ownership of information and describe what ownership means for your company. And then critically evaluate which information you share with whom and why. It is unnecessary, and rather risky, to give everyone in an organization access to all available information."
This case was written in collaboration with Dichterbij.