Penetration Testing for HIPAA Compliance

December 4th, 2018

Back in the day, the most important concern for a healthcare organization was to provide the best quality of life for its patients and to promote health awareness. In this day and age, healthcare organizations also need to worry about protecting patient information. Much of that information is individually identifiable and sensitive: Protected Health Information, or PHI.

Most healthcare organizations are well connected to the world wide web today, and they collect an immense amount of data about their patients. This data isn’t limited to just medical history. It also contains private information, such as names, addresses, social security numbers, and even bank account details.

All this is very tempting for hackers and cybercriminals. As a result, healthcare organizations need to make sure that their systems and networks are highly secure. Not only is it the right thing to do but it is also required by the government in the form of HIPAA regulations.

So, covered entities and their business associates need to ensure that their networks are secured, PHI is protected, vulnerabilities are identified and managed, and robust access controls are implemented. The testing and monitoring of networks must be conducted on a periodic basis.

Speaking of monitoring and testing, HIPAA compliance involves technical and non-technical evaluations on a periodic basis. The rule itself does not fix an interval; at least yearly is the usual practice. These evaluations allow the organization to determine whether its safeguards still work as intended and how secure its systems actually are.

Now, there are various forms of testing, such as vulnerability scanning, penetration testing, and a combination of both. In this blog, we are going to look at penetration testing and why it’s a major part of HIPAA compliance.

What is penetration testing?

Penetration testing simulates a cyber attack on the organization's network and systems. The goal is to measure how well the security controls hold up against the techniques real attackers use to "penetrate" the security layer, and whether the organization can detect and stop those techniques while they are in progress.

A penetration test also establishes what an attacker could reach once inside: which systems could be taken over and which data, PHI included, could be accessed or stolen.

Penetration tests differ from vulnerability scans in what question they answer. A vulnerability scan enumerates known weaknesses, typically missing patches, out-of-date software and misconfigurations, by matching what it observes against a database of known issues; it does not attempt to exploit anything. A penetration test takes the next step: it tries to exploit what it finds, chains weaknesses together, and assesses which data and systems are actually exposed as a result.

Vulnerability scanning is quite effective, but not in the same way penetration testing is. Vulnerability scanning should be a continuous process; penetration testing a periodic one. In fact, it's a good idea to make both of these a mandatory part of a healthcare organization's typical IT security practices.

Penetration testing is extremely useful because it reports which vulnerabilities actually exist, which of them can really be exploited in your environment, and how far an attacker could get from them, which is the scope of a potential breach.

Why your organization needs penetration testing

According to HIPAA standard 164.308(a)(8), the Evaluation standard, technical and non-technical evaluations have to be carried out on a periodic basis, and again in response to environmental or operational changes that affect the security of electronic PHI. HIPAA does not name penetration testing explicitly, but including it as part of these technical evaluations is a wise idea. It is one of the most effective methods of testing security controls and confirming that they actually function as intended.

As stated earlier, penetration testing is effective because it digs deeply into your systems and applications. It goes one step further than vulnerability scanning and searches for security issues inside the environment that a scanner can only see from the outside. Now, there are two kinds of penetration tests.

First, we have the Internal Penetration Test, where the systems within the organizational network are tested. The tester starts with a foothold an attacker could realistically obtain, such as a compromised workstation or a malicious insider's account, and sees how far that foothold can be extended toward PHI.

The other type of penetration test is the External Penetration Test, where the testing is done from the public internet, outside of the organizational network, against whatever the organization exposes there: patient portals, email, VPN gateways and so on. This provides testers with the hacker's perspective of the network.

Who should do your penetration testing?

There are generally two options when it comes to who can carry out penetration testing for you. You can use someone in-house or outsource the task. If you're going with the in-house option, ensure that they follow an appropriate testing methodology, such as the OWASP Testing Guide or NIST SP 800-115. Also, ensure that they stay informed about common vulnerabilities and the latest threats affecting the industry.

However, we suggest outsourcing your penetration testing. A third-party testing service can offer greater expertise, a fresh perspective on things, and independence from the team that built and operates the systems under test.

What should penetration testers know?

Ideally, penetration testers should be competent in the following:

  • Web front-end technologies, such as HTML or JavaScript.
  • Attack methodologies, such as SQL injection or remote access attacks.
  • Web application programming languages, such as PHP or Python.
  • External and internal testing, as discussed earlier.
  • Network protocols, such as TLS (and legacy SSL), TCP/UDP and so on.
  • Scripting languages, such as Perl, Python or shell.
  • Web APIs, such as SOAP, REST, and so on.
  • Operating systems, such as Windows, Linux, macOS and so on.
  • Network technologies, such as IDS, firewalls and so on.
  • Segmentation testing: verifying that networks which hold PHI really are unreachable from the networks that are not supposed to reach them.

The frequency of penetration testing

Penetration testing should be carried out at least once a year and after significant network or application changes. With regard to the latter, make sure your organization has an objective, written definition of what constitutes a "significant change," so that the decision is not made ad hoc each time. For instance, penetration testing should follow a large-scale infrastructure change or software deployment: a new patient portal, a migration to a cloud provider, a re-segmentation of the network, or a replacement of the perimeter firewall. Such changes can open up new vulnerabilities that last year's test could not have seen.

Want to discuss how LuxSci’s HIPAA-Compliant Email Solutions can help your organization?  Contact Us