Managed Care Systems Inc. (MCSI) may be a small business but it plays a vital role in the complex ecosystem of the United States’ healthcare sector. For over 20 years it has been providing industry-leading automated health claim software designed to put the management and implementation of business processes into the hands of expert end users. MCSI’s flagship Visova offering automates claims processing, enrollment, cost containment, and other benefit management procedures for some of the largest claims handling organizations in the country.
• MCSI wanted to test the ability of its back-end, role-based access controls to curb attempts to elevate privileges.
• MCSI needed an official way to inform clients and regulators about the security and integrity of its systems, while also satisfying HIPAA standards with a third-party evaluation.
• The Rapid7 team guided MCSI through recommendations and functional areas to focus on for a role-based pen test.
• At the end, MCSI was able to leverage Rapid7’s “highly actionable and specific” report to create internal tickets that resulted in quick vulnerability resolution.
MCSI and the entire healthcare ecosystem are facing unprecedented security challenges from cybercriminals and nation state spies. Attacks often come about via partner organizations, which may be viewed as a relatively unsecured gateway or “stepping stone” to the data and systems attackers are looking to target.
MCSI’s current setup dates back to 2007, when the firm retooled with a more scalable, flexible, and configurable web-based front end delivered mainly through Apache, to better serve the business. However, CIO Scott Vanderluit and his team were keenly aware of the security challenges of controlling access to back-end systems, especially given the variety of users logging in from different environments. These users generally fell into two categories: “provider” and “patient” roles that weren’t part of the enterprise using the system but still needed to access the MCSI application to check claim status, ask for address changes, etc.; and enterprise-class users over which the IT team had more control.
“We wanted to make sure these world-facing user roles could log in and not elevate privileges, and we wanted to make sure someone who’s a little bit more controlled can also authenticate without elevating privileges,” explains Vanderluit.
Penetration testing was flagged as an important step to reassure current and future clients, as well as regulators, about the security and integrity of the system. Additionally, Vanderluit states, “It’s pretty standard HIPAA practice to have various parts of security policy and procedures validated by an external, disinterested third party.”
Once that decision had been made, Vanderluit evaluated a number of providers, conducting extensive research that included trips to the DEF CON hacking conference and joining his local OWASP chapter. His various leads kept pointing back to Rapid7 as an industry leader in pen testing.
“[Rapid7 is] definitely writing the books on a lot of things,” he says. “So I thought, here’s a state-of-the-art, world-class organization, and it would be hard to argue with their position in the market. We wanted the name recognition, especially for our first big pen test.”
Collaboration and communication are paramount on a project like this, according to Robert Gormley, MCSI systems administrator. He wanted to concentrate testing on the ability of MCSI’s back-end, role-based access controls to curb attempts to elevate privileges for the two defined user types. Rapid7 was on hand from the very start to support MCSI in this, as well as to offer guidance on the scope and length of the engagement and the functional areas on which to focus the testing.
Throughout the pen test process, Gormley was particularly impressed with the communication between teams. He says the Rapid7 team provided a list of requirements explaining where new users needed to be created, as well as detailed information at the beginning and end of each working day to ensure MCSI was fully briefed and up to date on the pen testing progress. Gormley said that kind of information was vital because it ensured that if an issue did occur, the MCSI team could quickly assess whether it was the result of the pen testing or some other activity.
“We gave access to the production system during business hours, which was a risk that we discussed, and it was handled well. We had no outages or problems,” he says. “The whole process and organization of credentials and connectivity, and even the day-to-day communication, was great. We never felt in the dark, and from my perspective that was good to know. That made my life probably about as easy as I could imagine that whole process being.”
Gormley was also impressed with the “cautionary notes” Rapid7 filed asking for further direction (e.g. whether to continue exploiting any discovered critical vulnerabilities or to stop and wait for further instructions). This minimized any unwanted surprises during the process and “really reassured us we’d made a good choice,” says Gormley.
The resulting pen test report highlighted actionable items for Gormley and his team, providing a granular level of detail on resolutions, further resources, discussion points, and advice to help them prioritize that list, he says. Most of the vulnerabilities discovered were application-specific and could easily be shared with developers to resolve.
“From my perspective, the reporting was highly actionable and very specific, and that was important for me because I didn’t want to spend time pulling it apart,” says Gormley. “We could take the report and effectively turn it into job tickets in our system, bullet point by bullet point.”
In the future, CIO Vanderluit is open to exploring additional Rapid7 toolsets that could help meet the company’s security requirements going forward. He is also keen to bring the Rapid7 team back to appraise MCSI systems in another engagement focusing on containers and systems administration.