Hi,
 
Iam new to all of this.  I work for a company that deals with a web hosted system that houses important medical record information.   We are looking to test the vulnerabilities of our system as it is fairly new.  How would we plan for this?  Not too sure where to start. Your input is greatly appreciated. 

Thanks Chris.  We are open to hiring a 3rd party.  However, we are also interested in softwares too.  Just trying to get a feel as to which direction is best.  The system has recently gone live so we are also looking at this as a ongoing security maintenance type thing...if that makes any sense.

A 3rd party test will only give you information current for that point in time that their test was done. It's very useful for initial remediation efforts but you will want some kind of ongoing scheduled scanning/testing solution in place. Whether a 3rd party MSSP provides this service or you do it internally is a business decision you have to make, but you should have some kind of ongoing vulnerability assessment process in place. I know you mentioned something along those lines so you are thinking in the right direction. The biggest challenge is vetting the capabilities of the 3rd party you use for your test. There are a lot of charlatans out there that will sell you a pen test when they are really just doing a vuln scan.

In my environment, I budget about 30k a year for external 3rd party pentests focused on my PCI environment, and spend about 25k (my salary hours focused on these activities + training costs + software expense) on in house conducted pen testing and then another 50k or so on software licensing and 5k or so on salary related expenses for ongoing vulnerability scanning but this scope includes my entire environment, not just a single app so YMMV. It really depends on your scope and complexity as to cost so we could give you a wide range of numbers that may be meaningless for you. You could also buy cheaper software than me, but I really like what I'm currently using and don't want (or plan) to give it up.

(Total cost for me = 110k)

Btw none of these numbers above include actual remediation. There's another group that handles that. I'm not even an admin on the systems I'm testing (by design - but my tools do have appropriate permissions for credentialled scanning) This is just assessment, and documentation of remediation plans and communication to management of the extended business risk from the discovered and verified vulnerabilities so they can make informed decisions and prioritize remediation tasks.

Hope that helps.

Also, these are the things that are of concern to us in regards to our system and the information
that resides on it.  Data scraping, Peer to peer file sharing, Secure email, Medical identity theft,
strength of data encryption, Security of downloaded reports, New developments in identity
verification, Wireless security as we think through our mobile strategy.

Haha, that is a great quote, and sadly very VERY true.