Healthcare News
Articles, Jobs and Consultants for the Healthcare Professional
Kevin Villanueva, Partner, Moss Adams Jon King, Manager, Cybersecurity Consulting Services

Is Your Organization Vulnerable to Cyberattacks? Find Out with a Red Team Penetration Assessment

By Kevin Villanueva
Partner, Moss Adams
By John King
Manager, Cybersecurity Consulting Services, Moss Adams

See all this Month's Articles

Original Publish Date: November 6, 2018

Viruses, data breaches, and hacking can result in more than just financial loss-they can jeopardize decades-long relationships and cause irreparable reputational damage.

As the frequency and strength of cyberattacks continues to evolve, organizations need to find innovative ways to prevent breaches and safeguard their most sensitive data. One effective method is to partake in a penetration assessment that’s tailored to their specific needs-testing their unique combination of systems, controls, and processes.

Before a hack or cyberattack occurs, a red team penetration assessment-which enables cybersecurity professionals to approach your system from a hacker’s viewpoint-can help management teams identify system weaknesses and develop confidence in their ability to protect their most valuable assets.


The world’s leading information technology research and advisory company, Gartner, forecasted in December 2017 that worldwide security spending will reach $96 billion in 2018. At the same time, regulators at state and national levels are creating new laws and standards to help protect customer data and other sensitive information.

With those laws, regulators have started asking hard questions about vulnerabilities to data breaches, cybersecurity risks, and hacking-which organizations will need to answer to remain compliant.

While the red team assessment originated outside the field of cybersecurity, the process of having a team of mock-hackers infiltrate an organization’s systems during a simulated breach has become a supported practice for analyzing and addressing weaknesses in internal controls. Commonly referred to as offensive security, the red team assessment is an effective way to stay in compliance with developing regulations.

Addressing Regulator Demands

Increasingly, regulatory bodies and industry associations are focusing their efforts on protecting sensitive data through creating and enforcing information security and privacy laws.

Many industries are subject to multiple regulators, making it challenging to stay current with ongoing changes that are based on varying requirements. A hospital, for example, is likely subject to all of the following regulators, each with specific criteria for cyberthreat management:

This list doesn’t account for the state in which the hospital is located, which will also have data transmission regulations.

In order to address regulator demands, leaders should consider testing their cyberthreat resiliency using real-world scenarios and simulations.

Testing Your System

The best way for businesses to be certain that their people, processes, and systems can withstand a cyberattack is to invite the hack in a controlled environment. There’s risk when considering this type of undertaking, but significantly less than the risk of a genuine threat where data is hijacked for ransom.

In the controlled environment, you decide what you want to test: people, processes, systems-or all three. A scalable cybersecurity red team assessment is created based on what you want to assess and the data or systems you want targeted.

A test of overall incident response capabilities provides compliance evidence for regulators and learning opportunities for business-process owners. The simultaneous attacks use various methods-including phishing, phone-based impersonation and social engineering, and physical site breach-to help the organization gauge its ability to manage, detect, and respond to a threat.

For the simulation to be useful in preventing future threats, the modeled attacks must use the most current, pervasive, and successful hacking methods.


Penetration testing is suited to any business that wants to assess its vulnerability before experiencing a breach. The procedure allows consultants to review the organization’s incident response procedures and provide management with evidence of how long systems and personnel took to detect and respond to the breach as well as what steps were taken to detect, respond, and recover from an attack.

Tests will address a series of questions, including the following:


After the red team assessment, you’ll receive a report of the results with the following information:

Penetration testing can also help determine the feasibility and business impact of an attack, which could result from any of the following factors:


Under no circumstances should a red team assessment be performed by anyone but a trusted advisor. If you wouldn’t ordinarily trust them with access to your sensitive data, you should seek an alternative method for assessing the strength of your controls.

There’s also the risk that conducting a red team assessment will uncover significant gaps in your cybersecurity protocols, which you may then be obligated to address both quickly and comprehensively.

The rub is that without the testing, you can’t identify the gaps.

Phishing for a Financial Institution

As part of a full security assessment, ABC Bank (name withheld), subject to the regulations of the Federal Reserve Bank and the Federal Deposit Insurance Corporation, among others, submitted the bank to a red team assessment. They received a thorough and customized external vulnerability assessment, penetration test, and social engineering assessment, with the goal of validating the effectiveness of their cybersecurity controls and incident response procedures.

The approach included reconnaissance of the bank’s digital footprint, a combination of spear phishing and CEO-fraud emails (also known as whaling), accessing physical sites, and phone calls to gain access to sensitive data. This scenario simulated the approach of an attacker with knowledge of the organization.

Applying multiple threat vectors assumes penetration attempts are likely to involve more than one or two methods per attack and provides a more comprehensive approach to threat detection.


During the course of the testing, a branch location was accessed and an inconspicuous device was connected to the network. However, while the device provided internet access to the network and bypassed the bank’s network firewalls and intrusion prevention systems, the bank’s detective controls identified the device before unauthorized data access could occur. The bank's internal processes for incident response resulted in loss of access before a permanent presence was established.

Following the assessment, the red team providers supplied a detailed report to senior management, the board of directors, and regulatory bodies, addressing the following points:

The report provided evidence of the bank’s ability to detect, respond to, and recover from an advanced malicious attack. It also provided clear, actionable recommendations for improving the bank’s security posture and processes.

For more information on improving your cybersecurity strategy, see our Insight about improving cybersecurity and protecting your organization.

Get Only What You Need

Service options are best when they’re scalable or specific to your business. A full security assessment isn’t right for every organization. Whether experiencing budget constraints or establishing confidence around new or updated business approaches, there are many reasons not to receive a full assessment.

In these circumstances, your organization may instead benefit from an offensive security assessment such as:

Next Steps

Whether you’re responding to demands from a regulatory body, board of directors, or other stakeholders, you have options for establishing confidence that your people, processes, and systems are able to protect your most sensitive assets in the face of a genuine threat.

Kevin Villanueva has been in in the IT field since 1997. He focuses on IT security assessments, penetration testing, HIPAA compliance audits, and strategic technology planning. He can be reached at (206) 302-6542 or

Jon King is a manager with the IT Auditing & Consulting Practice. He has more than 12 years of experience managing technical infrastructure systems and advising senior leadership on security policy and practices. He can be reached at (949) 221-4062 or