Does HIPAA Require Penetration Testing?

Blue Goat Cyber HIPAA Penetration Testing

For healthcare organizations, HIPAA impacts numerous areas of operations and technology related to PHI (protected health information). Within HIPAA, there are rules and guidelines regarding this data’s privacy, confidentiality, and security. As a result, the healthcare industry must have protocols and practices to ensure compliance, including risk assessments. A penetration test is an excellent way to validate security practices’ performance. So, does HIPAA require penetration testing?

The short answer is that the HIPAA Security Rule doesn't explicitly call for pen tests. However, the Evaluation standard, § 164.308(a)(8), is directly relevant: a covered entity or business associate is required to perform a periodic technical and nontechnical evaluation of how well its security policies and procedures meet the Security Rule's requirements, both on a schedule and in response to environmental or operational changes that affect ePHI.

A penetration test is one widely accepted way to carry out the technical part of that evaluation, alongside vulnerability scanning and configuration review.

Additionally, NIST SP 800-66, NIST's resource guide for implementing the HIPAA Security Rule, lists the following among the key activities for the Evaluation standard:

“Conduct penetration testing (where trusted insiders attempt to compromise system security for the sole purpose of testing the effectiveness of security controls), if reasonable and appropriate.”

Penetration testing can be a foundational cybersecurity component that supports compliance with the law, demonstrates due diligence, and helps prevent data breaches.

Let’s explore penetration testing and why your organization should conduct HIPAA penetration testing.

What Is a Penetration Test?

A penetration test is a simulated cyberattack carried out by ethical (white hat) hackers. You'll typically engage a pen testing firm to conduct this exercise. The objective is to identify known and unknown vulnerabilities in your environment before cybercriminals do. A pen test can assess your networks, applications, cloud environments, and other security elements.

For healthcare, a pen test enables alignment with the HIPAA Security Rule, the HIPAA Privacy Rule, and the Breach Notification Rule. The key way a HIPAA pen test differs from one for other industries is the focus on ePHI (electronic Protected Health Information).

Let’s review how it does this.

HIPAA Doesn’t Mandate Pen Testing, But It Helps with Compliance and Proves Due Diligence

The HIPAA Security Rule, HIPAA Privacy Rule, and Breach Notification Rule set the standards and implementation specifications for how patient information is used, transferred, collected, stored, and protected. While pen tests aren't explicitly named in these rules, they help with compliance and can be used to demonstrate due diligence.

There are also some specific sections that you can ensure adherence to with pen tests, including:

  • Evaluation: § 164.308(a)(8) requires a periodic technical and nontechnical evaluation. NIST (National Institute of Standards and Technology) HIPAA guidance recommends pen testing, where reasonable and appropriate, as one way to meet the technical part of that evaluation.
  • Information Access Management: § 164.308(a)(4) covers the security measures related to access control, which means verifying how effective your authorization and authentication processes are at preventing unauthorized access to ePHI and the systems that hold it. Pen testers attempt exactly that in the engagement, so the report delivers direct evidence on how well these controls hold up.

These are particular areas of HIPAA that pen testing supports. So, how does a HIPAA pen test help with the three central rules?

How Pen Testing Supports the HIPAA Security Rule

The HIPAA Security Rule requires covered entities and their business associates to ensure the confidentiality, integrity, and availability of ePHI. Within this rule you'll find the requirement to conduct a HIPAA security risk analysis (§ 164.308(a)(1)(ii)(A)) and to manage the risks it identifies.

HHS (Health and Human Services) OCR (Office for Civil Rights), the agency that enforces HIPAA, presents five points to consider:

  • Assessment of all risks and vulnerabilities related to ePHI’s confidentiality, integrity, and availability
  • Requirements to ensure regular reviews of HIPAA compliance
  • Identification of how you create, maintain, receive, and transmit ePHI
  • Determination of how third parties, partners, and vendors with access to ePHI will create, receive, maintain, and transmit ePHI
  • Definitions for all data security threats related to risk in three categories: human (internal and external), natural (disaster events like hurricanes, tornadoes, or floods), and environmental (power loss, HVAC and other facility failures)

A penetration test feeds directly into the first of these points: it surfaces exploitable vulnerabilities in the systems that create, store, or transmit ePHI, and those findings become documented inputs to the risk analysis and evidence that you are meeting its requirements.

How Pen Testing Improves Compliance with the HIPAA Privacy Rule

The HIPAA Privacy Rule defines standards for protecting PHI. Its focus is data privacy and the steps you take when using or disclosing it. Pen testing can be an excellent tactic to support compliance with the HIPAA Privacy Rule, because the test identifies weaknesses that could lead to an impermissible disclosure. Knowing about these weaknesses before a breach happens gives you the opportunity to avoid it by acting on the remediation recommended in the pen test report.

How Pen Testing Can Maintain Compliance with the Breach Notification Rule

This area of HIPAA details what must happen if a breach occurs, including the notifications you must send and the deadlines for sending them. Having a policy on this is part of your incident response plan. A pen test helps because it emulates the attack paths that could lead to a breach, which lets you test the assumptions in your response strategy. The findings also give you realistic incident scenarios that your security team can exercise in a tabletop or live drill.

More Ways Pen Tests Are Great for HIPAA Compliance

HIPAA is technology-neutral: it doesn't name specific controls or tests, such as pen tests. However, it does include a great deal of language about being proactive in securing patient data, and several other aspects of the law have implications for pen tests.

  • HIPAA's Safe Harbor de-identification standard lists 18 identifiers (names, dates, Social Security numbers, medical record numbers, IP addresses, and so on) whose presence turns general health data into PHI. A pen test can reveal where such identifiers surface in places you hadn't classified as holding PHI, such as logs, exports, backups, or test databases, so those systems can be brought under your PHI security protocols.
  • Healthcare organizations often use specialized applications (EHRs, practice management, billing, imaging) that access, use, or store PHI. Some of these have specific considerations, and a pen test can check the security of these applications.
  • HL7 interfaces, including the older HL7 v2 messaging standard and the newer FHIR REST API, are common connectors between systems, facilitating access and data exchange. Pen testing can evaluate that these connections enforce authorization properly and aren't inadvertently exposing PHI, for example by returning one patient's records to a client authorized only for another.
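The two points above, unauthorized access through an interface and classifying what leaked as PHI, are what a tester actually checks on a FHIR endpoint. The block below is an added example, not Blue Goat Cyber's code or any real FHIR server's code. It simulates a GET /Patient/{id} handler behind a simplified SMART on FHIR bearer token that carries a patient context and a `patient/Patient.read` scope, shows the vulnerable form (scope checked, patient context ignored) beside the hardened form, and runs a cross-patient access check over both. Any record returned to the wrong patient is scanned for a few Safe Harbor identifier categories so the finding can be recorded as an ePHI exposure. All patient data, tokens, and the `MRN` number format are constructed for the example.

```python
import json
import re

# Constructed sample FHIR Patient resources with fake identifiers (not real people).
PATIENTS = {
    "p-1001": {
        "resourceType": "Patient",
        "id": "p-1001",
        "name": [{"family": "Example", "given": ["Alice"]}],
        "birthDate": "1975-04-12",
        "identifier": [
            {"system": "http://hl7.org/fhir/sid/us-ssn", "value": "123-45-6789"},
            {"system": "urn:example:mrn", "value": "MRN000042"},
        ],
    },
    "p-2002": {
        "resourceType": "Patient",
        "id": "p-2002",
        "name": [{"family": "Example", "given": ["Bob"]}],
        "birthDate": "1982-11-03",
        "identifier": [
            {"system": "http://hl7.org/fhir/sid/us-ssn", "value": "987-65-4321"},
            {"system": "urn:example:mrn", "value": "MRN000077"},
        ],
    },
}

# Simulated SMART on FHIR bearer tokens (constructed): each carries the patient
# launch context and a scope string, as a real authorization server would issue.
TOKENS = {
    "tok-alice": {"patient": "p-1001", "scope": "patient/Patient.read"},
    "tok-bob": {"patient": "p-2002", "scope": "patient/Patient.read"},
}


def _outcome(code):
    """Minimal FHIR OperationOutcome error body."""
    return {"resourceType": "OperationOutcome",
            "issue": [{"severity": "error", "code": code}]}


def vulnerable_get_patient(token, patient_id):
    """GET /Patient/{id}: validates the token and scope but never checks that the
    requested id matches the token's patient context (broken object-level authz)."""
    ctx = TOKENS.get(token)
    if ctx is None:
        return 401, _outcome("login")
    if "patient/Patient.read" not in ctx["scope"].split():
        return 403, _outcome("forbidden")
    resource = PATIENTS.get(patient_id)
    if resource is None:
        return 404, _outcome("not-found")
    return 200, resource


def hardened_get_patient(token, patient_id):
    """Same handler with the object-level check: a patient-context token may only
    read its own Patient resource. 403 is returned before the existence lookup."""
    ctx = TOKENS.get(token)
    if ctx is None:
        return 401, _outcome("login")
    if "patient/Patient.read" not in ctx["scope"].split():
        return 403, _outcome("forbidden")
    if ctx["patient"] != patient_id:
        return 403, _outcome("forbidden")
    resource = PATIENTS.get(patient_id)
    if resource is None:
        return 404, _outcome("not-found")
    return 200, resource


# A few of the 18 Safe Harbor identifier categories that are cheap to spot with
# regexes. Names and addresses need dictionaries or NER and are not attempted.
# The six-digit MRN format is an assumed local convention, not a HIPAA rule.
SAFE_HARBOR_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
    "mrn": re.compile(r"\bMRN\d{6}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def find_identifiers(text):
    """Return the sorted identifier categories present in a response body."""
    return sorted(name for name, pat in SAFE_HARBOR_PATTERNS.items() if pat.search(text))


def check_cross_patient_access(handler):
    """Pen-test check: with every token, request every *other* patient's record.
    Each 200 is a finding; the identifiers found classify the exposure as ePHI."""
    findings = []
    for token, ctx in TOKENS.items():
        for patient_id in PATIENTS:
            if patient_id == ctx["patient"]:
                continue
            status, body = handler(token, patient_id)
            if status == 200:
                findings.append({"token": token, "patient": patient_id,
                                 "identifiers": find_identifiers(json.dumps(body))})
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_patient),
                          ("hardened", hardened_get_patient)):
        print(name, check_cross_patient_access(handler))
```

Against a real server the handler calls become authenticated HTTP requests with two separately issued patient tokens, and the same loop covers other patient-scoped resources (Observation, Condition, DocumentReference) and the `?patient=` search parameter, which is where this class of flaw most often hides.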

Even though HIPAA doesn't explicitly require a pen test, they are still a best practice. Healthcare is a favorite target for attackers. In 2022, healthcare organizations experienced 1,463 cyberattacks per week, an increase of 74% from 2021. Unfortunately, many were successful, with millions of patient records compromised. In 2022, breaches of health information affected almost 50 million Americans.

Ransomware attacks are also rising in healthcare. According to the FBI's Internet Crime Complaint Center, the sector topped the list of U.S. critical infrastructure sectors reporting ransomware in 2022. One positive note is that the healthcare numbers were lower than in 2021, but the overall losses reported to the FBI across all cybercrime types rose from $6.9 billion in 2021 to $10.2 billion in 2022.

Cybercriminals also leverage healthcare's use of connected medical devices and IoT (Internet of Things) as a foothold for deploying ransomware into the network.

Thus, your healthcare cybersecurity program must be flexible, proactive, and continuously improving to deal with today's threat landscape. A pen test is one more tool for preventing breaches and ransomware, so the next step is planning one.

Planning Your Pen Test to Remain Compliant

There are a few things to consider before you launch a pen test with a provider — the access level, testing method, and test type.

Pen Test Access Levels

There are three access levels for pen tests. The level determines how much information and access the testers have before they begin the project.

  • Black Box Penetration Testing: In this scenario, ethical hackers have little to no information about your systems or internal structure. It's the most realistic simulation of how an outside attacker would look to exploit vulnerabilities.
  • Gray Box Penetration Testing: This approach gives testers basic knowledge of your systems and networks, and often a set of credentials such as a standard patient-portal or clinician account. These engagements usually align with test cases around breaching ePHI from an authenticated but unprivileged position.
  • White Box Penetration Testing: This option offers the most access for testers: credentials, architecture diagrams, configuration, and sometimes source code. It trades realism for coverage, making it the most efficient way to find deep flaws, including what a malicious insider with privileged access could do.

Next, let’s review the pen testing methods.

Pen Testing Methods

There are also various pen testing methods to consider:

  • External testing: Ethical hackers would target your public-facing assets, including web apps, websites, email, or domain name servers. The objective is to manipulate these assets to gain entry into your network to extract ePHI.
  • Internal testing: The tester accesses the network behind the firewall. This method can illustrate what can happen when humans err or unknowingly have their credentials stolen through phishing attacks.
  • Blind testing: In this option, a tester has minimal context. They may only know the company name. From there, they simulate all the reconnaissance that an actual hacker would do to locate a weakness.
  • Double-blind testing: In this situation, your internal security team would be unaware that pen testing is occurring. As a result, they would respond to it as if it were a real attack.
  • Targeted testing: Ethical hackers and your cyber team would work together to mimic and respond to attacks.

Pen Testing Types

Another consideration for a pen test is what it will evaluate. Three common types are:

  • Web applications: It involves testing the apps used to manage, handle, transmit, and store ePHI.
  • Network security: It includes evaluating the security of and configurations for your routers, switches, and network hosts.
  • Cloud security: It assesses how secure your cloud usage is and what weaknesses may be present.

HIPAA Pen Testing: Make Them Part of Your Cybersecurity Plan

Pen testing can be a vital component of your cybersecurity efforts and initiatives. While HIPAA doesn’t require them, they can support compliance and ensure you identify and remediate risks sooner rather than later. Your next step is finding a provider. We’re experts in the space and deliver pen tests that meet compliance, security, and privacy goals.

Contact our team today to schedule a discovery session.
