Cybersecurity impacts business risk, patient safety, & privacy
Cyber Security Assessments (CSA)
We conduct adversarial assessments designed to find holes in your defenses, demonstrate their potential business impact, and show you how to close them.
Web Application Security Assessments (WASA)
Our testing team provides a current snapshot of the security posture of specific website(s). Our goal is to identify, contain, and remediate exploitable vulnerabilities before an attacker can discover and use them for further attacks.
Product Security Assessments (PSA)
Using a range of specialized penetration testing tools for connected devices, Tangible's product security testing mimics real-world hacking tactics and techniques to uncover hidden vulnerabilities in your device or application and provide realistic insights and practical results.
Remote Access Security Assessments (RASA)
Tangible Security will assess the systems and procedures deployed for your growing remote workforce in order to identify weaknesses that put your information at risk, recommend how to remediate those risks, and provide peace of mind that your organization is protecting both its own sensitive data and the data of its clients.
Security Program Assessments (SPA)
Using standards such as NIST, ISO, and COBIT as a starting framework, Tangible will work with you to examine the quality and effectiveness of your program, identify and understand weaknesses and vulnerabilities, and evaluate your readiness to defend against and respond to today's cyber threats.
Virtual Cyber Security Office (vCSO)
Clients receive a fixed number of consulting hours per month with seasoned executives and technical specialists to help assess, prioritize, plan, and/or execute their security program.
Security Awareness Training
We help transform your employees from unwitting targets into human firewalls. They become obstacles to hackers rather than conduits. The initial testing, training, and ongoing testing combine to not only elevate your users' preparedness but sustain and institutionalize it.
SDLC Services
We help clients overcome the challenges of implementing secure development lifecycle (SDLC) best practices, and we provide professional services that supplement your development teams with hard-to-find specialist skills and independent third-party reviews.
Cyber crime & digital complexities
elevate patient safety & privacy issues to ever higher risk levels
Patient electronic health records are worth ten times more than credit card numbers
Ransomware extortionists are targeting healthcare providers
IT & Operational Security
Complexity, scale, and constant change amplify cyber risks for interconnected healthcare systems.
Skilled and experienced cybersecurity personnel are scarce and costly
Healthcare cybersecurity programs are complex
Seemingly avoidable data breach causes continue to plague the industry
Mobility in healthcare increases attack surface
Identification, containment, & response to incidents must be rapid and decisive
Patient safety, privacy, & data security are often at odds
Ongoing infrastructure tests to identify vulnerabilities almost always find something
IoT & ICS Security
Network-connected medical devices deployed in clinical environments greatly increase the attack surface.
Medical device manufacturers need to add security testing to their development lifecycle
Hospitals need to identify the vulnerabilities of connected devices
Responsibility falls on both the device manufacturer and the healthcare providers
Hospitals are subject to ICS and SCADA mandates
Providers must ensure security throughout their supply chain
Regulatory Requirements and Mandates
Regulations as well as legal and financial penalties never seem to stop evolving.
HIPAA mandates that providers maintain adequate and up-to-date risk assessments
The entire supply chain of business associates & suppliers falls under the Omnibus Rule
The HITECH Act mandates timely reporting of protected health information (PHI) breaches of 500 records or more
Compliance does not equate to security
Failure to comply with HIPAA and PCI requirements results in fines, legal entanglements, loss of patient trust, & more
The FDA views cybersecurity risks just as seriously as defective product risks
The Threats and Consequences are Real
Anthem — 78.8 million records — February 4, 2015 — Unauthorized database access, attacks may be linked to a state-sponsored attack out of China
Anchorage Community Mental Health Services (ACMHS) — December 2014 — 2,743 records — $150,000 fine — Malware compromised the security of its information technology resources; ACMHS had failed to regularly implement available patches and was running outdated, unsupported software
New York Presbyterian Hospital and Columbia University — May 2014 — 6,800 records — $4.8 million fine — Due to a lack of technical safeguards, a server deactivation resulted in ePHI being accessible on Google
Premera — 11 million records — January 29, 2015 — Attacks may be linked to a state-sponsored attack out of China
Parkview Health System, Inc. — June 2014 — 5,000 to 8,000 records — $800,000 fine — Cardboard boxes of medical records were left unattended on the driveway of a physician's home
Concentra Health Services — April 2014 — 870 records — $1.73 million fine — Failed to manage encryption policies, identify which assets needed to be encrypted, and document why encryption was not reasonable in certain cases