Securing Patient Data and Safety,
Making Regulatory Compliance Easier
Cybersecurity impacts business risk, patient safety, & privacy
Remote Access Security Assessments
Tangible Security will assess the implementation of the systems and procedures deployed for your growing remote workforce to identify weaknesses, provide recommendations to remediate those risks, and provide peace of mind that your organization is protecting both its own data and the data of its clients.
Product Security Services
Mobile Application Security Assessments
Tangible Security provides a thorough look into the security of your Android or iOS mobile applications, ensuring that risks are identified and your data is safe. Tangible will identify, contain, and remediate vulnerabilities before an attacker can discover and exploit them.
Web Application Security Assessments
Our testing team will provide a current snapshot of the security posture of specific website(s). Our goal is to identify, contain, and remediate exploitable vulnerabilities before an attacker can discover them and use them as a foothold for further attack.
Product Security Assessments
Using a range of specialized penetration testing tools for connected devices, Tangible's product security testing mimics real-world hacking tactics and techniques to uncover hidden vulnerabilities in your device or application and provides realistic insights and practical results.
SDLC Services
We help clients overcome the challenges of implementing secure development lifecycle (SDLC) best practices, and we provide professional services that supplement your development teams with hard-to-find specialist skills and independent third-party reviews.
Security Program Assessments
Using standards such as NIST, ISO, and COBIT as a starting framework, Tangible will work with you to examine the quality and effectiveness of your program, identify and understand weaknesses and vulnerabilities, and evaluate your readiness to defend against and respond to today's cyber threats.
Security Awareness Training
We help transform your employees from unwitting targets into human firewalls. They become obstacles to attackers rather than conduits. Initial testing, training, and ongoing testing combine not only to elevate your users' preparedness but to sustain and institutionalize it.
Virtual Cybersecurity Office (vCSO)
Clients receive a fixed number of consulting hours per month with seasoned executives and technical specialists to help assess, prioritize, plan, and/or execute their security program.
ProV Software
Software that auto-provisions (and de-provisions) Active Directory user accounts for people with trusted smart cards, so they can instantly get to work within your Windows network.
Cybercrime & digital complexities elevate patient safety & privacy issues to ever higher risk levels
Patient electronic health records are worth ten times more than credit card numbers
Ransomware extortionists are targeting healthcare providers
IT & Operational Security
Complexity, scale, and constant change amplify cyber risks for interconnected healthcare systems.
Skilled and experienced cybersecurity personnel are scarce and costly
Healthcare cybersecurity programs are complex
Seemingly avoidable data breach causes continue to plague the industry
Mobility in healthcare increases attack surface
Identification, containment, & response to incidents must be rapid and decisive
Patient safety, privacy, & data security are often at odds
Ongoing infrastructure tests to identify vulnerabilities seldom come back empty-handed
IoT & ICS Security
Network-connected medical devices deployed in clinical environments greatly increase the attack surface.
Medical device manufacturers need to build security testing into their development lifecycle
Hospitals need to identify vulnerabilities of connected devices
Responsibility falls on both the device manufacturer and the healthcare providers
Hospitals are subject to ICS and SCADA mandates
Providers must ensure security throughout their supply chain
Regulatory Requirements and Mandates
Regulations as well as legal and financial penalties never seem to stop evolving.
HIPAA mandates that providers maintain adequate and up-to-date risk assessments
The entire supply chain of business associates & suppliers falls under the HIPAA Omnibus Rule
The HITECH Act mandates timely reporting of protected health information (PHI) breaches of 500 records or more
Compliance does not equate to security
Failure to comply with HIPAA and PCI requirements results in fines, legal entanglements, loss of patient trust, & more
The FDA views cybersecurity risks just as seriously as defective product risks
The Threats and Consequences are Real
Anthem — February 4, 2015 — 78.8 million records — Unauthorized database access; the attack may be linked to a state-sponsored group out of China
Premera — January 29, 2015 — 11 million records — The attack may be linked to a state-sponsored group out of China
Anchorage Community Mental Health Services (ACMHS) — December 2014 — 2,743 records — $150,000 fine — Malware compromised the security of its information technology resources; the organization failed to regularly apply available patches and was running outdated, unsupported software
Parkview Health System, Inc. — June 2014 — 5,000 to 8,000 records — $800,000 fine — Cardboard boxes of medical records were left unattended on the driveway of a physician's home
New York Presbyterian Hospital and Columbia University — May 2014 — 6,800 records — $4.8 million fine — Due to a lack of technical safeguards, a server deactivation resulted in ePHI being accessible through Google
Concentra Health Services — April 2014 — 870 records — $1.73 million fine — Failed to manage encryption policies, identify which assets needed to be encrypted, and document why encryption was not reasonable in certain cases