The ABAN Healthcare team is a strong proponent of proactive cybersecurity practices, including offensive security testing, to ensure the security program and controls are operating as intended. ABAN Healthcare had experienced challenges identifying vendors with expertise in testing environments with an element of cloud presence, as well as vendors who aligned well with the Company’s tools and technology.

ABAN Healthcare’s CTO said, “It’s very important to us to partner with a provider who is capable of testing our environment in a meaningful way. We’ve worked with vendors in the past who had very rigid, prescriptive and inflexible testing approaches, primarily focused on traditional on-premises controls and facility security. While of course these are important focus points, it’s critical to test threat scenarios considering a largely remote workforce.”

While ABAN Healthcare was not compelled by regulatory requirements to conduct offensive security testing and related exercises, it understood the need to put its programs and controls to the test, to ensure they were functioning as expected in order to sufficiently protect the company.

The Solution

ABAN Healthcare concluded its search for a new Red Team and penetration test partner three years ago when it determined PCI Compliance Services had ticked off its boxes for these activities. Primarily, PCI Compliance Services’ Red Team operators and penetration testers had strong expertise, and showed not only a willingness but a keen interest in taking proactive steps to advise ABAN Healthcare on how to secure its systems.

Once on the job, the results were immediate. PCI Compliance Services teams went to work conducting cyber-attack simulations, tailored to ABAN Healthcare’s specific environment and threat scenario concerns. The feedback and findings were of high value, providing actionable insight and program improvement measures ABAN Healthcare could take, the CTO said.

“A project, either Red Team or penetration test, would begin with a collaborative scoping process and then last about six weeks. During the Red Team or penetration test, the two sides would interact to the extent we as the customer requested, and ABAN Healthcare would, in real time, address findings as they were reported to us,” the CTO said.

Once ABAN Healthcare’s team fixed identified issues, a retest was conducted to make certain the problem was resolved.

“The PCI Compliance Services team has been fantastic in developing very customized testing approaches, tailored to our environment and our platforms. This included building malware and attacks specific to the tools we use.”

A formal wrap-up meeting was held at the conclusion, with the teams going over the final report and ensuring it was aligned with ABAN Healthcare’s expectations, the CTO said.

“As we’ve grown together, PCI Compliance Services has become intimately familiar with our environment. The process is very collaborative and transparent: we openly share information about our systems and their usage, our concerns, our known threat vectors. This allows PCI Compliance Services to tailor their approach to our specific environment and tools.”

The Results

ABAN Healthcare’s primary takeaway from its ongoing engagements with PCI Compliance Services is the valuable insight into the ‘unknown’.

“Having external, reputable advice and expertise, as well as having a provider validate what we’ve put in place really gives our program confidence and strength. Independent external validation and vetting is mandatory,” the CTO said.

The CTO said PCI Compliance Services’ technical expertise and skill set are invaluable.

“Working with PCI Compliance Services has been a night and day experience. First, from a technical proficiency perspective, with their in-depth understanding of both cloud and on-prem environments, but what really sets PCI Compliance Services apart is that they are a partner in the true sense of the word – willing to collaborate and develop a customised approach to meet the needs of our environment,” the CTO said.