Steps to Take
One factor contributing to security issues in web portals is that “most organizations don’t think about the total cost of running the system/application,” says Mark Johnson, a former healthcare CISO and shareholder at consulting firm LBMC Information Security. “Because of that, a newly reported vulnerability may not get patched, or they may be resource constrained and they make ‘risky’ configuration choices – like adding too many support people as system or application admins. Finally, they may not dedicate the resources necessary to monitor these systems as closely.”
Based on what BJC has publicly disclosed about its portal incident, it’s unclear exactly what caused the breach, Johnson says. “If it was a problem with the portal software or some underlying system or middleware application configuration or patching, there are some basic things that everyone should look to do when they have interactive systems, especially portals, on the internet,” he says.
Those steps include understanding the requirements of the system or application, then reviewing and implementing the security controls that need to be in place based on the “risk of the system or application” and the type of data involved.