The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has helped healthcare providers protect patients’ information for over 20 years. However, over the years, the number and complexity of cyber threats have grown exponentially. Many companies turn to HIPAA penetration testing to protect their stakeholders and outpace cybercriminals who view healthcare providers as lucrative targets.
Let’s take a close look at what comprises healthcare penetration testing and how it can keep your business safe.
Healthcare Penetration Testing for HIPAA Compliance
The US Department of Health and Human Services (HHS) administers and enforces the HIPAA rules. HHS develops its requirements with input from cybersecurity experts and other government agencies, with the aim of protecting healthcare companies, their partners, and their patients.
Penetration testing does not test the requirements themselves; it tests whether the controls you have put in place to meet them actually hold up against an attacker. That makes it a valuable element of a HIPAA compliance program, even though it is not itself a HIPAA requirement. Below, we'll walk through everything you need to know on the subject, providing:
- A detailed overview of HIPAA requirements related to penetration testing
- A comprehensive guide to the conventional forms of penetration testing
- A cohesive synthesis of how penetration testing facilitates compliance
By the end of this blog, you’ll know healthcare penetration testing inside and out. But first, let’s address a pressing question: why isn’t pen-testing a requirement of HIPAA compliance?
Penetration Testing: Not Required for HIPAA
Penetration testing is not a named requirement anywhere in the HIPAA rules. A company could, in principle, reach complete HIPAA and HITECH compliance without conducting a single pen test. However, pen testing is one of the most thorough and most proactive ways to perform the risk analysis the Security Rule does require, and it produces concrete evidence of whether Privacy Rule and Security Rule safeguards work in practice. Companies that use pen-test services will have a much easier time demonstrating compliance with HIPAA's stringent Privacy and Security Rule protections.
Since as early as 2008, the National Institute of Standards and Technology (NIST) has recommended penetration testing as a way to satisfy HIPAA's requirements. Special Publication (SP) 800-66, NIST's guide to implementing the HIPAA Security Rule, identifies penetration testing as one of the activities a covered entity can use to meet the Security Rule's evaluation standard.
Why is healthcare penetration testing so essential? HIPAA doesn't officially require it, but without some form of adversarial testing, an organization has no real evidence that its HIPAA safeguards do what it believes they do.
HIPAA Compliance 101
Congress enacted HIPAA in 1996, and HHS implemented its privacy and security provisions through a series of rules to protect protected health information (PHI). The HITECH Act of 2009 later built on these protections, raising the stakes of enforcement and adding a Breach Notification Rule. But the key areas pen testing applies to are the original Privacy Rule and Security Rule, detailed below.
HIPAA’s privacy and security protections apply to all of the following covered entities:
- Healthcare providers – Private practices such as doctors, dentists, and psychologists; facilities such as hospitals, nursing homes, and pharmacies; medical employees
- Health insurance plans – Health insurance companies and private companies that distribute health plans; governmental programs such as Medicare, Medicaid, etc.
- Healthcare clearinghouses – Entities that translate non-standard health information to standard formats, including certain service providers, digital platforms, etc.
Additionally, business associates of these parties (vendors and service providers that create, receive, maintain, or transmit PHI on their behalf) must also implement HIPAA protections. Covered entities must bind their business associates through business associate agreements, and since the 2013 Omnibus Rule, business associates are directly liable for their own HIPAA violations. In practice, this means penetration testing is a sound strategy for every party that handles PHI, not just the covered entity.
Privacy Rule Requirements
The Privacy Rule is the core of HIPAA protections. It was the first rule to be finalized (in December 2000) and established the definition of PHI and the covered entities described above. The Privacy Rule also defined the initial parameters of enforcement, which later became a separate Enforcement Rule.
According to the HHS’s Privacy Rule summary, it comprises the following requirements:
- Restricting unauthorized use and disclosure – A covered entity may not use or disclose PHI except as the Privacy Rule permits or requires, or as the individual authorizes in writing. The permitted uses and disclosures are:
- Disclosure to the individual who is the subject of the PHI
- Use or disclosure for treatment, payment, or healthcare operations
- Disclosure the individual has had an opportunity to agree or object to (such as listing in a facility directory)
- Use or disclosure incidental to an otherwise permitted use or disclosure
- Use or disclosure for public interest and benefit activities (such as public health, law enforcement, or as required by law)
- Disclosure of a limited data set for research, public health, or healthcare operations
- Limiting authorized uses and disclosures – Most uses, disclosures, and requests for PHI must be limited to the minimum necessary to accomplish the intended purpose. The main exceptions are disclosures to or requests by a provider for treatment, disclosures to the individual, uses or disclosures made under the individual's authorization, disclosures to HHS for enforcement, and uses or disclosures required by law
Covered entities can use pen testing to find the paths by which an unauthorized party could reach PHI, and to rank those paths by risk. Pen tests can also reveal whether access controls actually enforce the minimum necessary principle; for example, whether an authorized user or service account can read far more PHI than its role requires.
Security Rule Requirements
The Security Rule builds on the Privacy Rule, extending its protections to electronic PHI (ePHI). It was first published in 2003 and requires covered entities to ensure the confidentiality, integrity, and availability of ePHI through risk analysis and three categories of safeguards.
According to the HHS’s Security Rule summary, it comprises the following requirements:
- Administrative Safeguards – Focused on top-level controls for the whole company:
- Security process management focused on analysis and mitigation of risks
- Security personnel management and designation of critical responsibilities
- Access and identity management, utilizing the minimum necessary principle
- Workforce training and development of a workplace culture of awareness
- Evaluation and assessment of security policies’ and practices’ effectiveness
- Physical Safeguards – Focused on controlling access to devices and areas:
- Control of access to and use of facilities through proper authorization
- Monitoring and control of workstations and devices connected to ePHI
- Technical Safeguards – Focused on the technology used to protect ePHI and control access to it:
- Access control, so that only authorized persons and software can reach systems containing ePHI
- Audit controls: logging activity in systems containing ePHI and examining those logs
- Integrity controls, to ensure ePHI is not improperly altered or destroyed
- Person or entity authentication, and transmission security for ePHI sent over networks
Across these protections, penetration testing maps most directly onto the evaluation standard under the Administrative Safeguards. In practice, though, a pen test exercises every category of safeguard at once, because an attacker's route to ePHI typically chains weaknesses across access control, authentication, network transmission, and physical access.
Penetration Testing 101
Often referred to as "ethical hacking," penetration testing involves simulating an attack on your company, using the same techniques a real adversary would, in order to find and demonstrate exploitable weaknesses before an attacker does. This technique is uniquely apt for addressing HIPAA requirements: it produces evidence of which safeguards fail, and it gives personnel a realistic rehearsal for an actual attack.
NIST’s SP 800-115: Technical Guide to Information Security Testing and Assessment provides a framework for penetration testing for many situations. It comprises four primary stages:
- Planning – The testing team and the target company agree on the rules of engagement for the simulated attack, including the scope, objectives, time window, systems and data that are off-limits, and how the testers will handle any real PHI they encounter
- Discovery – The testers scan, inventory, and analyze the in-scope environment, identifying hosts, services, applications, and people, and then looking for vulnerabilities in what they find
- Attack – The testers attempt to exploit the vulnerabilities they discovered, escalate privileges, and move laterally toward the agreed objective, such as reaching a specific ePHI data store, as quietly as the rules of engagement require
- Reporting – The testers remove any tools or accounts they introduced, restore anything they changed, and document what they found, how they exploited it, and how to fix it, so the company can take corrective action
There are two primary forms of pen tests: external and internal. Each offers different insight into how an attacker could compromise your defenses and reach your PHI (or other valuable information). Let's take a close look at each, starting with external pen testing.
External Penetration Testing
External penetration testing simulates an attacker with no legitimate access to your environment. It is often run as a "black box" test, in which the testers are given no inside information (or very little) so that every stage of a real attack, from reconnaissance onward, is reproduced. The goal of an external pen test is usually to identify the exact entry points through which an outsider can gain a foothold "inside" your systems. Those weaknesses are then corrected, in collaboration with the testing team, so that the entry points are closed.
External pen tests are conducted from outside your company's network, in the position a remote attacker would occupy. The testers begin by identifying weak points in your internet-facing assets: cloud infrastructure, wireless networks, VPN and remote-access gateways, and web applications. They may also run social engineering campaigns, such as general phishing or targeted spear-phishing, against your staff. Whether the test ends once your security team detects the activity or continues until the agreed objective is reached is a matter for the rules of engagement, and it is worth deciding up front.
Concerning the HIPAA requirements detailed above, external pen testing is especially beneficial for business associates seeking a clear picture of the vulnerabilities an outsider could use to reach their ePHI.
Internal Penetration Testing
Internal penetration testing simulates an attacker who already has some level of access, such as a malicious insider, a compromised employee account, or an outsider who has already gained a foothold. It is often run as a "white box" test, in which the testers are given privileged knowledge of the company's network and security architecture.
An internal pen test's planning stage is often much more involved than an external pen test's. It includes negotiating precisely what the attacker starts with, such as:
- Physical access to a computer or smart device connected to private servers
- User account credentials, current or old, with privileged status and access
- Enough knowledge of private network details to override safeguards
Since the testers already begin "inside" the company's systems, in one way or another, the goal of an internal pen test is not to study how they breach the perimeter. Instead, the analysis focuses on what the attacker can do once inside: how quickly they can escalate to administrative control of the environment, and how they would approach a specific protected dataset (ePHI).
Like external pen testing, internal pen tests are extremely valuable for the business associates of covered entities. They are also one of the best tools for analyzing the largest and most complex stores of ePHI, such as those maintained by healthcare providers themselves, because that is where a compromised insider account does the most damage.
HIPAA Penetration Testing 101
Many companies use a hybrid "grey box" approach, in which the testers receive partial information, to get the most out of penetration testing for covered entities and business associates. For example, RSI Security's pen testing services combine external and internal pen-testing elements applied to all areas of a company's cybersecurity infrastructure. Some individual tests we offer include:
- Firewall penetration testing for your company's outermost network and web filtering layers
- Network security penetration testing, including wireless networking devices
- Cloud penetration testing for AWS and other cloud environments
- Web application, mobile application, and mobile device penetration testing
All of our pen testing services are highly customizable. We’ll tailor our simulated attack, report, and analysis to your compliance and general cyberdefense needs. This includes mapping onto HIPAA-specific requirements and any other regulatory frameworks.
Comprehensive HIPAA Advisory
As powerful a tool as penetration testing is and as apt as it can be in facilitating full HIPAA implementation and compliance, it’s far from the only cybersecurity service you’ll need. For more comprehensive coverage, RSI Security offers a suite of HIPAA compliance services. We’ll work with internal IT personnel to plan your cybersecurity architecture from scratch. We can also analyze your existing measures and generate a patch report on your architecture gaps (and how to fix them).
Wherever you are in your journey toward complete HIPAA and HITECH compliance, we are happy to help get you to the next stage. And penetration testing is just one part of that holistic process. See our HIPAA services datasheet for more information on our compliance package.
Professional Risk Analysis and Compliance
RSI Security’s HIPAA package is just one part of our comprehensive suite of compliance services. We know just how essential HIPAA compliance is for covered entities and business associates. We also know many of these impacted companies work within multiple industries, many of which require their own regulatory contexts: from PCI-DSS to CMMC to HITRUST and beyond.
That’s why HIPAA penetration testing and compliance are just two of the many managed IT and security services we offer. Our team of experts has helped businesses of all sizes bolster their cybersecurity for over a decade. To see just how powerful your cyberdefenses can be beyond compliance requirements, contact RSI Security today!