What infosec pros need to know before conducting a bug bounty program

While more organizations are warming to the concept of paying hackers to discover and report on IT system and network security vulnerabilities, there's still some confusion about the idea.
By Bill Siwicki
01:25 PM
bug bounty program

Hospital information security teams considering a bug bounty program should know a few things before entering the endeavor. 

The phrase bug bounty, for the uninitiated, refers to programs where hackers are paid to detect and report back on network vulnerabilities. 

Bug bounty and vulnerability disclosure programs have been proven to deliver excellent results in finding and fixing vulnerabilities, said David Baker, chief security officer at Bugcrowd, which connects healthcare organizations with security researchers who can help alert them to IT system weaknesses. 

[Also: Nearly a year since WannaCry and all 200 National Health Service trusts failed cybersecurity assessments]

"White hat hackers, or security researchers, are always looking for vulnerabilities, whether invited or not," said Baker. “By providing them with a way to report these security flaws and offering a reward for doing so, hospitals can benefit from continuous testing while paying only for results.” 

That said, it’s smart to approach infosec work of this sort carefully and structure the program in a way that does not endanger your organization or patient data. 

Granting permission for security researchers to test software and systems, for instance, is a way to receive more vulnerability findings, giving an organization more knowledge and control, and ultimately reducing risk.

[Also: HIMSS Healthcare Security Forum's hottest topics: AI, bug bounty programs, medical device hacks]

Bug bounties can augment in-house security staff, as well as validate in-house security efforts, Baker said, adding that such a  layered approach to security is important.

Baker will be speaking on the subject of bug bounties at the HIMSS Healthcare Security Forum, June 11-12, in San Francisco. 

"For many organizations, running a variety of vulnerability scanners and penetration tests are a general security best practice," he said. "It's also no secret that, no matter how advanced, automation only goes so far – it finds only what it knows. Bug bounties compliment any mature security program, filling the gap left by scanners and exponentially improving the probability of finding results."

Among the current difficulties for healthcare providers is that, with an increasing reliance on disparate cloud-based technologies, data protections and regulation become an even more complex issue to solve, Baker said.

"For an industry that hosts large swaths of confidential data, healthcare is also the most targeted industry, with hackers eager to find any entry point into a system," he said. "Employing the crowd allows IT teams more time to focus efforts on big picture compliance and protection strategy while mitigating the risk of the next big attack."

One of the more notable benefits is that healthcare organizations interested in implementing crowdsourced security solutions don't need to revamp their IT strategy from the bottom up, Baker said, because bug bounty programs essentially complement existing security infrastructure. 

Crowdsourcing solutions give healthcare organizations an additional layer of security by significantly expanding resources, drawing from a global research community that works around the clock.

But as with so many infosec tactics, bug bounty programs are not one-size-fits-all programs. 

"The solutions you choose will depend upon the size of your organization, the type of product you offer, and your market or industry," he explained. "Some multibillion-dollar companies in travel industries, for example, will want a public program, whereas healthcare organizations might be more inclined to run a private program to protect sensitive patient data, meaning that only vetted security researchers with a successful track record are invited to participate."

No matter which solution an organization chooses, security officers need to get buy-in from all executives, Baker added.

"Data security is no longer just a concern for CISOs, CTOs and CIOs," he said. "The groups operating in the dark world of cybercrime are studying new ways to penetrate our systems, so healthcare organizations, too, need to stay ahead of the game by investigating new solutions available."

Healthcare Security Forum

The forum in San Francisco to focus on business-critical information healthcare security pros need June 11-12.

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.