HEALTHCARE SECURITY FORUM: A HIMSS EVENT
San Francisco, CA - June 11 - 12, 2018
By Bill Siwicki
Hospital information security teams considering a bug bounty program should know a few things before they begin.
The phrase bug bounty, for the uninitiated, refers to programs where hackers are paid to detect and report back on network vulnerabilities.
Bug bounty and vulnerability disclosure programs have been proven to deliver excellent results in finding and fixing vulnerabilities, said David Baker, chief security officer at Bugcrowd, which connects healthcare organizations with security researchers who can help alert them to IT system weaknesses.
"White hat hackers, or security researchers, are always looking for vulnerabilities, whether invited or not," said Baker. "By providing them with a way to report these security flaws and offering a reward for doing so, hospitals can benefit from continuous testing while paying only for results."
That said, it’s smart to approach infosec work of this sort carefully and structure the program in a way that does not endanger your organization or patient data.
Granting permission for security researchers to test software and systems, for instance, is a way to receive more vulnerability findings, giving an organization more knowledge and control, and ultimately reducing risk.
Bug bounties can augment in-house security staff, as well as validate in-house security efforts, Baker said, adding that such a layered approach to security is important.
Baker will be speaking on the subject of bug bounties at the HIMSS Healthcare Security Forum, June 11-12, in San Francisco.