It’s essential for businesses in the healthcare industry to integrate protections from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) into all elements of their practices. Critically, businesses need to strengthen their cyberdefenses against the ever-increasing cybercrime threats that can compromise protected health information (PHI). One sound, innovative approach to shoring up cybersecurity efforts is penetration testing.
To learn more about the HIPAA penetration testing requirements that help businesses stay compliant and secure, keep reading.
HIPAA Penetration Testing Requirements Explained
Penetration testing is not a named requirement for HIPAA compliance. However, given the unrivaled analytical insights it can provide, all healthcare and adjacent organizations should consider adopting a form of penetration testing to safeguard PHI and ensure compliance.
This guide will break down everything you need to know about it, including but not limited to:
- What penetration testing is and several approaches
- The HIPAA framework, its rules, and all its pertinent requirements
- How you can optimize penetration testing for HIPAA
By the end of this blog, you will know exactly what HIPAA requires with respect to penetration testing and related forms of analysis. You’ll also be well prepared to implement these and more.
Penetration Testing Explained: How it Keeps You Safe
Penetration tests are a form of “ethical hacking.” This term may seem like a contradiction, as hacking is almost always associated with cybercrime. However, in the right hands, hackers utilize offense to inform cyberdefense. The goal of a penetration test is to simulate an actual attack on your security systems. So, it should be as realistic as possible for the best possible insights.
The team you contract to “attack” your systems needs to leverage every attack vector available.
Critically, no two penetration tests are the same. The particular methods used by the attackers will depend on your company’s security infrastructure, the assets they target, and the contractual agreement you draw up with them, along with other factors. Nevertheless, most attacks fall into one of two categories, or a hybrid combination of the two. Let’s take a look.
External, Internal, and Hybrid Approaches to Pen-Testing
The biggest differences between penetration tests come down to the attacker’s position with respect to information about, and access to, your company’s security infrastructure. Nearly all penetration tests fall into one of the following two categories:
- External – Also known as “black box” or “black hat,” these tests simulate an attack from a position entirely outside the company, physically and socially. The attacker begins with little to no knowledge of anything about the company, save for what’s publicly available. The goal is to study the hackers’ initial entry points into your systems to patch all gaps.
- Internal – Also known as “white box” or “white hat,” these tests simulate an attack from a position within the company, either physically or socially. The attacker literally begins inside your facilities or with prior knowledge of or access to security infrastructure. The goal is to study the hackers’ movements once inside to quarantine attacks as they occur.
In some cases, however, companies opt for a customized hybrid of the two:
- Hybrid – Also known as “gray box” or “gray hat,” these tests simulate some combination of the above, with a hacker or team of hackers that operate with privileged but limited positions. This type of testing is used to study the initial entry and what damage they can cause once inside.
Regardless of the penetration test type, the best one for your company is the one that helps you achieve compliance with all regulatory frameworks you need to follow, including HIPAA.
HIPAA Framework Explained: All Rules and Controls
Penetration testing is particularly helpful for businesses in the healthcare industry where the sensitive data harbored makes HIPAA compliance mandatory. This also applies to businesses adjacent to healthcare. The HIPAA covered entities list includes healthcare providers themselves, such as doctors’ private practices, hospitals, and pharmacies, along with health insurance plan providers, and healthcare clearinghouses.
What’s more, covered entities’ business associates also need to remain compliant, as their own violations can cause penalties for all parties involved. The Enforcement Rule details civil financial penalties of up to $50 thousand for violations and criminal penalties of up to $250 thousand and 10 years’ imprisonment for the most extreme negligence or profiteering.
HIPAA Privacy Rule Summary and Requirements
The Privacy Rule is the first and arguably most critical rule within the HIPAA framework. It defines PHI as a protected category and establishes the conditions under which it may be accessed. According to the HHS’s Privacy Rule Summary, it defines three primary functions:
- Permitted uses and disclosures – Use and disclosure of PHI is not allowed, unless:
  - It is to, for, or directly requested by the subject of the PHI (or a representative).
  - It is for the purpose of covered entities’ healthcare treatment or billing operations.
  - It has been undertaken after the subject has had opportunity to approve or object.
  - It is incidental to another, otherwise permitted, authorized, or required disclosure.
  - It is undertaken in the broad interest of the public or for a public benefit project.
  - It is of a limited data set or de-identified for the purpose of approved research.
- Authorized use and disclosure – The subject of PHI or a representative of the subject must authorize uses or disclosures of PHI outside those named above. When requested by the subject or law enforcement, disclosure may be required.
- Minimum necessary requirement – Permitted and authorized uses and disclosures of PHI must be limited to the minimum amount necessary to satisfy the request or use case.
Penetration testing is applicable to the Privacy Rule insofar as it can determine ways hackers might be able to inappropriately access PHI. But it’s even more critical for the Security Rule.
HIPAA Security Rule Summary and Requirements
The Security Rule builds on the Privacy Rule’s protections, expanding the scope. It exists to ensure the confidentiality, integrity, and availability of PHI. It also specifically requires that all covered entities establish a risk management capability, which requires some combination of penetration testing and vulnerability scanning (more on this below). The other primary controls required by the Security Rule, per the HHS’s Security Rule Summary, are the following:
- Administrative safeguards – Controls to be implemented at the management level:
  - Security management processes, i.e. risk and vulnerability management
  - Delegation of responsibilities across security management personnel
  - Information access management, per “minimum necessary requirement”
  - Management of robust workforce IT training and awareness programs
  - Routine and special event evaluation of security practices and awareness
- Physical safeguards – Controls to be installed on and between physical endpoints:
  - Control, monitoring, and restriction of access to facilities containing PHI
  - Control, monitoring, and restriction of access to devices and workstations
- Technical safeguards – Controls to be installed across software and networks:
  - Access control measures, including user profile and credential management
  - Regular and special event audits, along with careful monitoring of audit logs
  - Controls for PHI integrity, ensuring no unauthorized changes or deletions
  - Transmission security controls for traffic of PHI over unsecured networks
This is the HIPAA rule that comes closest to requiring penetration testing outright. However, as we’ll detail further below, penetration testing is not strictly required by any HIPAA rule. Still, it’s one of the best ways to avoid non-compliance penalties for all rules, regardless of requirements.
HIPAA and HITECH Breach Notification Rule Protocols
The final prescriptive rule within the HIPAA framework is different from the other two in that it does not require preventive measures to stop attacks from happening. Instead, it specifies the protocols to follow if and when attacks do happen. The three forms of Breach Notification are:
- Individual notice – All parties impacted by a data breach must be notified within 60 days of discovery, by physical mail, email, or via notice on the covered entity’s website.
- Secretary notice – The HHS Secretary must be notified of a breach within 60 days of discovery if it impacts 500 or more people.
- Media notice – If a breach impacts more than 500 people within a defined location, media outlet(s) servicing that region must be notified within 60 days of discovery.
Penetration testing may not seem immediately applicable to this rule, but it can help to identify ways in which hackers conceal their attacks. Discovery of a breach is critical to mitigating its damage, recovering lost resources, and notifying all impacted parties in a timely manner.
HIPAA Security Testing Requirements Explained
As touched on above, there are no provisions within HIPAA’s rules that specifically require covered entities to conduct penetration testing. The closest rule is the Security Rule, due to its requirement for a risk analysis and risk management capability. But this can also be achieved through a robust risk and vulnerability management program, independent of any simulated pen-tests. However, pen-testing is still a best practice for HIPAA compliance.
The National Institute of Standards and Technology (NIST), which is responsible for facilitating security across all industries in the US, published a guide to the HIPAA Security Rule in 2008 called Special Publication (SP) 800-66. In it, NIST specifically recommends implementing penetration testing to validate security against potential vulnerabilities. For companies that want to assure stakeholders they’re taking every precaution, pen-testing is essential, above and beyond compliance needs.
Let’s take a close look at what a penetration test, optimized for HIPAA compliance, can comprise.
Optimizing Pen-Testing for HIPAA’s Privacy and Security Rules
Penetration testing almost always follows a similar order of operations. To optimize the formula for HIPAA compliance, we suggest approximating the following steps:
- Probing – The reconnaissance phase is where hackers gather initial intelligence to inform their strategies and ultimate attacks. For your HIPAA pen-test, this phase may focus on the particular types of PHI your company harbors, where, and their protections.
- Strategizing – Next, hackers will analyze the information gathered on PHI and barriers to access to start planning out how they’ll compromise it, including multi-layered attacks.
- Attacking – Maybe the most critical phase, this is where the hackers actually launch their attack(s). A HIPAA-focused pen-test should isolate and document the many ways in which the hackers’ attack patterns violate specific Privacy and Security Rule requirements.
- Withdrawing – After launching an attack and seizing control, the hackers will attempt to withdraw while still undetected, perhaps leaving behind trackers or other devices to facilitate re-entry at a later date. This phase is critical to Breach Notification Rule enforcement.
- Reporting – Finally, the attacking team will report on their exploits to your internal IT experts. The report should synthesize findings pertinent to the HIPAA rules and ideally identify measures your company can take to patch vulnerabilities the hackers exploited.
RSI Security offers a suite of penetration testing services tailored to your company’s needs, including but not limited to compliance. We can also focus on pen-testing for your networks and servers, cloud computing, or any other element of your IT infrastructure.
Professional Pen-Testing, Compliance, and Cybersecurity
RSI Security offers a robust suite of HIPAA compliance advisory services. We will work with your company to install all protections required of the Privacy and Security Rules, reducing the probability of an attack. Then, we’ll work with you to set up communication channels to satisfy the Breach Notification Rule. Once you’re ready, we’ll facilitate auditing and full certification.
We simplify HIPAA compliance through innovative pen-testing and other managed IT services.
To recap, there are technically no HIPAA penetration testing requirements to speak of — but pen-testing is still one of the best ways to ensure you’re meeting all the requirements of HIPAA’s rules.