Melbourne-based not-for-profit DPV Health has replaced its annual penetration tests with bimonthly automated attack simulations, aiming to strengthen its vulnerability management through more frequent and proactive threat assessments.
The community health and support organisation has implemented a breach and attack simulation (BAS) tool that enables it to conduct tests using various methodologies, including black box testing, grey box testing, and targeted attack scenarios.
Former chief information officer of DPV Health, Noel Toal, told the iTnews Podcast that he began exploring BAS after becoming disenchanted with traditional annual tests conducted by an external organisation.
“[With] traditional penetration testing, depending on your organisation size, many people do it once a year,” Toal said.
“You tick the box to say you’ve done it, and the very next day, you could get breached because there are new things that have come out that mean you’re now vulnerable.
“What we wanted to do is continually validate throughout the year that what we’ve got in place works.”
Since DPV piloted BAS tools and adopted a full solution last year, the results have been “powerful,” Toal said.
“It works really well and taught us a lot,” he said. “And an interesting side effect is that instead of sending your people off to learn about the latest attack methods through courses, they actually learn through the tool.
“The tool tries to rip you apart; it’s ruthless and relentless.”
Although Toal concurred there is “great value” in one-on-one manual testing, he said the continuous simulations have played a significant role in boosting the cyber team’s skills and motivation.
“It’s a game – you gamify it because you get a score,” he said. “Your team is motivated to beat it, and it really uplifts your quality completely in cyber security.”
Uncovering mistakes
DPV’s focus on vulnerability management reflects the heightened cyber security risks facing the wider healthcare sector.
Indeed, the sector annually tops the Office of the Australian Information Commissioner’s (OAIC) breach rankings.
Under Toal’s leadership, this elevated risk drove the NFP to move beyond traditional box-ticking exercises typical of standard cyber compliance and audit activities.
“We’re trying to get to the crux of where the weaknesses are,” he said. “And we know people are a weakness… we’re always going to make mistakes. How do we get better at realising when we’ve made a mistake?”
For example, Toal explained, an API that appears secure during an audit may, in fact, be an open door for attackers.
As such, the team is “trying to free up time and capacity” to proactively investigate potential vulnerabilities, aided by BAS tooling, alongside increased threat hunting efforts.
“We do it,” he said. “But we could do more of it, and we’d like to do more of it.”
Multiple AI use cases
Outside of cyber security, Toal said DPV Health had also begun exploring the use of artificial intelligence to support clinical operations and aid technology development.
Before joining resource recovery firm Repurpose It as chief technology and transformation officer in May of this year (his current role), Toal was responsible for overseeing DPV’s implementation of Dynamics 365 as its new CRM, using AI to test and refine its development.
According to Toal, this significantly improved the project’s time to delivery.
In addition to using Microsoft Copilot, DPV is also exploring the use of AI to assist clinicians with note-taking during patient consultations, as well as sentiment analysis capabilities integrated into the organisation’s cloud-based contact centre.
“You wouldn’t rely on it completely, but it gives you a really good starting point,” Toal added. “We’re just doing it in multiple, different ways, [but] more clinical use will come later because I think we’d need a lot more assurance that it’s not going to make a mistake.”
“We’re waiting for that to develop, and we’re waiting for the guidance on that from the government to change. And then that’ll come more into play for us.”