Does HIPAA require penetration testing?
The Health Insurance Portability and Accountability Act (HIPAA) outlines the framework for protecting healthcare data. The HIPAA Security Rule, which covers the subset of Privacy Rule information that is held or transmitted electronically, sets out the safeguards that covered organizations must have in place to protect the confidentiality, integrity, and availability of electronic protected health information (e-PHI). The Security Rule never mentions penetration testing, so it does not require one, annually or otherwise. What it does require is a risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and periodic technical and non-technical evaluation (45 CFR 164.308(a)(8)): organizations must regularly assess whether their controls adequately protect e-PHI. A penetration test is one of the most direct ways to produce evidence for that assessment.
The Security Rule applies to more than just healthcare providers; health plans, healthcare clearinghouses, business associates, and any other service that stores, processes, or transmits e-PHI on their behalf are also covered.
HIPAA Risk Assessment
The Security Rule outlines the reasonable and appropriate administrative, physical, and technical safeguards for protecting e-PHI. This includes risk analysis and risk management.
The first step towards compliance, a HIPAA risk assessment, measures the effectiveness of your current security measures and identifies vulnerabilities that could lead to the exposure of e-PHI. HHS guidance is explicit that the risk analysis is an ongoing process, not a one-off exercise, and it should be revisited whenever new systems, applications, or processes are introduced.
There are several ways to gather the evidence this requirement calls for; a vulnerability management program and a penetration test are the most common. Neither is a substitute for the risk analysis itself: a scan report or a pen test report is an input that tells you which weaknesses exist and how exploitable they are, and the risk analysis is where you weigh the likelihood and impact of those weaknesses against the e-PHI they expose and decide what to fix first. In this article we focus on the penetration test route, although it should be noted that we also offer a solution that can help with vulnerability management.
HIPAA Penetration Testing
A penetration test evaluates your networks, systems, and web applications to find where security vulnerabilities exist and how likely they are to be exploited. Essentially, an ethical hacker attempts multiple ways of gaining unauthorized access to your systems, to show how a threat actor might get past your organization's security controls.
In a classic penetration test (typically once a year), a well-defined testing scope is essential. This is where you specify your HIPAA obligations as well as your testing objectives. As part of the preparation, you will also need to gather and provide relevant information: the types of e-PHI your organization holds, the systems and locations that store, process, or transmit it, and how it is currently protected. Two practical points follow from this. First, because testers may encounter e-PHI during the engagement, agree in advance how any data they access will be handled and reported, and expect to put a business associate agreement in place with the testing provider. Second, you can use this opportunity to fold other Security Rule requirements into the scope. For example, the Physical Safeguards section of the Security Rule (facility access, workstation and device security) can be exercised by a red team engagement that includes physical and social-engineering attempts alongside the technical testing.
In addition to the classic penetration test, there is also pen testing as a service (PTaaS): testing delivered continuously through a SaaS platform rather than as an annual engagement. This is especially helpful for agile healthcare organizations that change their web applications frequently and need findings as new code ships, rather than months later. Outpost24's web application pen testing as a service solution combines automated scanning with manual testing to identify common software vulnerabilities and business-logic flaws, reporting them as they are found for faster remediation. That shorter gap between introducing a weakness and fixing it reduces the window in which an attacker could use it to reach your organization's e-PHI.
How can I make sure my organization is HIPAA compliant?
As organizations become more reliant on technology, the importance of protecting e-PHI grows. Healthcare data is highly valuable, and every new system, application, and process can add attack vectors and vulnerabilities. Worryingly, our analysis of America's top healthcare providers found that 90% of the web applications used by these organizations were susceptible to attack or vulnerability exposure.
Penetration testing should be an essential part of your toolset for maintaining your organization's digital resilience and for producing the ongoing risk-analysis evidence that HIPAA compliance depends on. Outpost24 can support your Security Rule risk analysis with our penetration testing services, both classic and PTaaS.