Find Out How Bugcrowd Helps Redox Secure Its Distributed Systems & Patient Data

Security at Redox

Redox is a leading full-service integration platform that accelerates the development and distribution of healthcare software solutions to securely and efficiently exchange data. The Redox Platform exists to make healthcare data useful and every patient experience a little bit better. Redox works with more than 450 healthcare providers and hundreds of application developers. The company works with digital health companies, ranging from large integrated health systems and academic medical centers like Geisinger and Cleveland Clinic to fast-growing startups like Glooko and American Well.ar.

Many in the healthcare industry are keenly aware of the growing cybersecurity threats; however, understanding how to secure healthcare information systems effectively is a complex challenge that security leaders struggle with. Redox needed a solution to ensure the sensitive patient data flowing through its platform was protected and the company’s security practices comply with both government regulations and customer requirements.

Redox launched a private Bug Bounty with Bugcrowd, with the goal to take the program public within the same year. The company did just that — publicly incentivizing the hacker, pentester, and security researcher community to contribute highly critical vulnerability submissions to its crowdsourced security program.

Cybersecurity & Healthcare

In Healthcare, PHI (Personal Health Information) security is critically important, not just from a confidentially standpoint (an item of PHI is valued at over 100 times that of a credit card number on the black market), but from an integrity standpoint. Manipulating this data in flight or at rest can have severe implications to real patients. This creates a strong security culture in the industry, but it also causes us to be highly regulated – making advancements in technology, even security, more challenging.

Today, attack surfaces are growing with increased technology adoption and more data and infrastructure in healthcare. IT systems, connected medical devices, digital health applications, electronic patient records – the list goes on. Standards like ISO / IEC 800001 and the NIST Cybersecurity Framework are pushing healthcare IT to make change. As healthcare continues to move into the digital age, effective cybersecurity measures are crucial for operational resiliency. Each new healthcare technology offers immense value to patients but also brings unique cybersecurity risks.

Redox takes a layered approach to application security testing, including pen testing, vulnerability scanning, code reviews, and threat modeling. But knowing the expanding attack surface and active adversaries, Redox was not content with the status quo, taking it one step further with crowdsourced security.

Redox launched its private bug bounty with Bugcrowd in July 2018. Private bug bounty programs allow organizations to harness the power of the Elite Crowd – diversity of skills and perspective at scale – in a more controlled environment. At Bugcrowd, only those hackers who have a proven track record, those who have proven their skill and trustworthiness receive invitations to private programs. Private programs can be scoped or built around a customer’s testing needs and parameters. A private program can also meet requirements around background checking, ID verification or even location.

This approach proved very successful and allowed the company to increase the scope of the program over time. After running a wider scope private program for a few months, Redox took the program public in 2019.

Taking Redox’s program public has increased scrutiny the application gets to ensure security issues are detected earlier and more consistently, as the targets are exposed to new, fresh individuals with an even bigger array of skill sets, perspectives and abilities; as well as increased awareness of its security maturity among its customers.

Working with Bugcrowd: Measuring Results

Over the course of both the private and public programs, Redox has been able to maintain strong engagement across targets. This program is just one part of Redox’s overall product and application security program supporting this process helps Redox identify potential vulnerabilities sooner and reduces the risk of patient data being inappropriately accessed or exposed.

Healthcare cybersecurity is a serious undertaking. Attacks can compromise not only networks and data, but also threaten those applications and services supporting critical patient care systems. It’s important to consider a defense-in-depth approach to cybersecurity and employ crowdsourced security to level the playing field.

Bugcrowd enables healthcare professionals to assess the risk associated with disparate data sources and infrastructure so patients don’t have to worry about data privacy. Additionally, with our comprehensive methodology, coverage analysis and reporting, Bugcrowd ensures the administrative, physical and technical safeguards are in place to comply with HIPAA.