Pentesting to Safeguard PHI for a SaaS Provider Serving 9K Pharmacies
About Our Customer
The Customer is a US-based provider of HIPAA-compliant software for pharmacy management serving 9,000+ organizations globally.
Need for a Pentesting Vendor with Expertise in Healthcare Software
Committed to protecting its clients’ data, the Customer was looking for a reliable vendor to verify the security of its cloud-based digital platform for pharmacy-patient engagement. Trusting our combined expertise in healthcare IT and cybersecurity, the Customer turned to ScienceSoft for security testing.
Pentesting Revealed Risks to Patient Record Security
ScienceSoft’s experts conducted security testing of the Customer’s patient engagement solution following the PTES, OWASP Web Security Testing Guide, and NIST SP 800-115 methodologies. They started with open-source intelligence (OSINT) techniques: acting as an attacker with no prior knowledge of the target, our pentesters investigated the publicly reachable services, applications, and ports serving the solution. They gathered information such as domain names and IP ranges, identified potential threats, and prioritized possible attack vectors and scenarios.
ScienceSoft’s pentesters followed up with a vulnerability assessment: using automated tools and manual analysis, they checked 106 IP addresses, 23 ELB domain names, and 8 API endpoints.
In the subsequent black box pentest, ScienceSoft assessed the likelihood and potential impact of exploiting the security gaps found. As a result, they discovered 13 vulnerabilities, including four high-severity and two medium-severity issues. The weaknesses included unauthorized access to sensitive information, security misconfigurations, cryptographic flaws, and outdated and vulnerable software versions. To close these and other security gaps, ScienceSoft suggested corrective measures, such as:
- Classifying sensitive, personally identifiable (PII), and protected health information (PHI) stored and processed by the servers, enforcing strong access control mechanisms, and disabling directory listing to prevent data breaches.
- Restricting access to the resources intended for internal use via VPN, proxy, or jump host.
- Enforcing TLS 1.2 and TLS 1.3 and disabling outdated and insecure cryptographic protocols (SSLv3, TLS 1.0, and TLS 1.1).
- Updating the outdated and vulnerable software to the latest versions to mitigate the risk of confidential information disclosure, command injection, cross-site scripting (XSS), man-in-the-middle (MITM), denial-of-service (DoS), and other attacks.
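A defender-side check for the TLS recommendation above, added here as an example and not ScienceSoft’s own tooling: it pins a client handshake to one protocol version at a time and reports which legacy versions an endpoint still accepts and whether the required ones are enabled. The host and port are whatever you pass on the command line; the OpenSSL security level is lowered only on the client side so that it is able to offer TLS 1.0/1.1 at all.

```python
import socket
import ssl
import sys

# Protocol versions the remediation says must be refused, and the two that must stay enabled.
LEGACY = {"SSLv3": ssl.TLSVersion.SSLv3, "TLSv1.0": ssl.TLSVersion.TLSv1,
          "TLSv1.1": ssl.TLSVersion.TLSv1_1}
REQUIRED = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def probe(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`,
    False if it refuses, None if the local OpenSSL cannot speak that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # we test protocol acceptance, not the certificate
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 otherwise refuses to offer TLS 1.0/1.1
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None                     # e.g. SSLv3 on a build compiled without it
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:                     # ssl.SSLError is a subclass of OSError
        return False


def evaluate(results):
    """Turn {version_name: accepted} into remediation findings (empty list = compliant)."""
    findings = []
    for name, accepted in results.items():
        if name in LEGACY and accepted:
            findings.append(f"{name} accepted: disable it")
        if name in REQUIRED and accepted is False:
            findings.append(f"{name} refused: enable it")
    return findings


def audit(host, port=443):
    """Probe every version of interest and return (raw results, findings)."""
    results = {name: probe(host, port, v) for name, v in {**LEGACY, **REQUIRED}.items()}
    return results, evaluate(results)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    raw, issues = audit(target, int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    for name, accepted in raw.items():
        print(f"{name:8} {'accepted' if accepted else 'refused' if accepted is False else 'untestable'}")
    print("\n".join(issues) if issues else "TLS configuration matches the recommendation")
```

Run it against each ELB domain name during the retest; an empty findings list means only TLS 1.2 and 1.3 are offered. A `None` result for SSLv3 is expected on modern systems and is not counted as a failure.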
Prompt Detection and Remediation of Severe Security Issues
ScienceSoft performed black box pentesting of 106 IP addresses, 23 ELB domain names, and 8 API endpoints of a digital patient engagement platform in just five business days. The Customer received a comprehensive report detailing the testing activities, remediation advice, and vulnerabilities assessed and classified according to OWASP TOP 10, OWASP API TOP 10, and NIST CVSS. Guided by our remediation recommendations, the Customer fortified the security of its IT assets and sensitive data, which our pentesters confirmed during a quick retest round.
Technologies and Tools
Nessus, Burp Suite, Acunetix, Postman, Nikto, SSLScan, DirB, KiteRunner, Nmap, Netcat, Ffuf, PuTTY, Python, C, Perl.