If you’re in the healthcare industry, you know that everything you do with ePHI (electronic protected health information) begins and ends with HIPAA compliance. HIPAA requires the implementation of many security safeguards to ensure the confidentiality, integrity, and availability of ePHI. While the HIPAA rules do not specifically require penetration testing, it is a foundational security component. In this post, we’ll define HIPAA penetration testing, its benefits, and how it differs from a standard pen test.
What Is HIPAA Penetration Testing?
Penetration testing is a simulated cyberattack. A tester you engage, usually a third party, carries it out to find vulnerabilities that a real attacker could exploit in your networks, applications, and other security controls. With a HIPAA penetration test, the focus of the simulation aligns with the HIPAA Security Rule, the HIPAA Privacy Rule, and the Breach Notification Rule.
How Are HIPAA Penetration Tests Different from Standard Ones?
Conducting a HIPAA penetration test involves most of the same elements as any other pen test. The key differences relate to ePHI. The purpose of such a test for a healthcare entity is to find the weaknesses that would let an attacker reach, alter, or exfiltrate ePHI. The test parameters should reflect the three rules noted above. Here’s some more information on each.
Pen Testing and the HIPAA Security Rule
The HIPAA Security Rule defines the administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of ePHI. Again, the rule doesn’t state that you need to perform pen testing, but it does require a risk analysis and ongoing risk management, and a pen test is one of the most direct ways to feed real findings into that analysis.
Relating to this analysis, HHS (Health and Human Services) OCR (Office for Civil Rights), which enforces HIPAA, provides five major points you’ll need to consider. Each of them can shape the scope of your healthcare pen test.
- You need to assess all risks and vulnerabilities regarding the confidentiality, integrity, and availability of ePHI.
- Your organization must regularly review how they are complying with HIPAA.
- You must identify how you create, receive, maintain, and transmit ePHI.
- Your business must determine how vendors and third parties with access to ePHI can create, receive, maintain, and transmit ePHI.
- You will need to identify all threats to ePHI. HHS groups them into three categories: human (internal and external, intentional and accidental, such as network attacks, malware, or misuse of access), natural (hurricanes, flooding, earthquakes, etc.), and environmental (power failures, chemical or liquid leaks, and similar hazards to the facilities and equipment that hold ePHI).
These guidelines, along with administrative, physical, and technical safeguards from the HIPAA Security Rule, closely align with what you can discover with a pen test.
Pen Testing and the HIPAA Privacy Rule
The HIPAA Privacy Rule sets standards for protecting PHI in any form. The rule focuses on data privacy and on documenting how you may use and disclose such data. Its connection to pen testing is any finding that compromises privacy. It’s not simply about determining whether someone can breach your system and steal data. A pen test may also expose weaknesses in your internal processes, such as data that is shared more widely than the minimum necessary, that affect privacy without a technical break-in.
Pen Testing and the Breach Notification Rule
This part of HIPAA governs what happens after a breach occurs. It defines the notices you must provide and to whom. You should have a policy on how you’ll handle breach notifications. While this rule doesn’t describe the security controls and vulnerabilities a pen test assesses, it can still be part of your simulation. When you receive your pen test report and see a breach that could have occurred, you can run a tabletop exercise around it, using the tester’s evidence of what data was reachable to test whether your notification procedures are accurate and complete.
Beyond the rules, there are some other differences in a HIPAA pen test:
- The Privacy Rule’s Safe Harbor method lists 18 identifiers (names, dates other than year, phone numbers, medical record numbers, IP addresses, and so on) that must be removed before health data counts as de-identified. Testers should know this list so they recognise ePHI when they find it and report it correctly.
- Data that has been anonymized or de-identified should still be in scope for the pen test. If de-identification was incomplete, or if the data can be re-identified by joining it with other data the tester can reach, it is PHI again.
- Specialised healthcare technology, such as EHR systems and connected medical devices, has its own security considerations because of how it stores or embeds data, and it should be tested on its own terms rather than as a generic host.
- Testers should be familiar with FHIR (Fast Healthcare Interoperability Resources) APIs, which many healthcare applications use to exchange records. Checking these implementations is critical to prevent unauthorized access to PHI: a common failure is an API that authenticates the caller but never confirms that the requested record belongs to the patient context the token was issued for, so any valid token can read any record.
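One way to test a FHIR endpoint for exactly that failure, as an added example that is not code from the original post: the in-memory "server", the two patients, their Observations and the bearer tokens below are all constructed for illustration so the check runs offline. The resource shapes follow FHIR R4 (Patient, and Observation with a `subject` reference) and the access model follows SMART on FHIR’s patient-scoped launch context; the gray-box check uses test accounts and seeded record IDs the way a real engagement would agree them in the rules of engagement.

```python
"""Cross-patient authorization check for a FHIR-style REST API.

Added example, not code from the original post. The server, patients,
Observations and bearer tokens are constructed in memory so the check runs
offline; resource shapes follow FHIR R4 and the access model follows
SMART on FHIR's patient-scoped launch context.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data standing in for an EHR's FHIR store.
RESOURCES: Dict[Tuple[str, str], dict] = {
    ("Patient", "p-001"): {"resourceType": "Patient", "id": "p-001",
                           "name": [{"family": "Doe", "given": ["Jane"]}]},
    ("Patient", "p-002"): {"resourceType": "Patient", "id": "p-002",
                           "name": [{"family": "Roe", "given": ["Rick"]}]},
    ("Observation", "o-101"): {"resourceType": "Observation", "id": "o-101",
                               "subject": {"reference": "Patient/p-001"},
                               "code": {"text": "HIV-1 RNA"}, "valueString": "detected"},
    ("Observation", "o-102"): {"resourceType": "Observation", "id": "o-102",
                               "subject": {"reference": "Patient/p-002"},
                               "code": {"text": "HbA1c"}, "valueQuantity": {"value": 6.1}},
}

# Constructed tokens -> SMART-style patient context. A real server validates a
# signed JWT from its authorization server; this lookup table stands in for that.
TOKENS: Dict[str, dict] = {
    "tok-alice": {"patient": "p-001", "scope": "patient/*.read"},
    "tok-bob":   {"patient": "p-002", "scope": "patient/*.read"},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def _authenticate(headers: Dict[str, str]) -> Optional[dict]:
    """Return the token's context, or None if the bearer token is missing or unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def _owner(resource: dict) -> Optional[str]:
    """Patient ID a resource belongs to (Patient.id, or Observation.subject)."""
    if resource["resourceType"] == "Patient":
        return resource["id"]
    ref = resource.get("subject", {}).get("reference", "")
    return ref[len("Patient/"):] if ref.startswith("Patient/") else None


def vulnerable_read(rtype: str, rid: str, headers: Dict[str, str]) -> Response:
    """GET /{type}/{id} that authenticates but never authorizes: any valid token
    can read any record. This is the broken object-level authorization bug a
    HIPAA pen test should hunt for in FHIR endpoints."""
    if _authenticate(headers) is None:
        return Response(401)
    res = RESOURCES.get((rtype, rid))
    return Response(200, res) if res else Response(404)


def hardened_read(rtype: str, rid: str, headers: Dict[str, str]) -> Response:
    """Same endpoint with the missing check: the record must belong to the
    patient the token was issued for."""
    ctx = _authenticate(headers)
    if ctx is None:
        return Response(401)
    res = RESOURCES.get((rtype, rid))
    if res is None or _owner(res) != ctx["patient"]:
        # 404 for both "absent" and "not yours", so callers cannot enumerate IDs.
        return Response(404)
    return Response(200, res)


ReadFn = Callable[[str, str, Dict[str, str]], Response]


def cross_patient_check(read: ReadFn, accounts: Dict[str, str],
                        known: List[Tuple[str, str, str]]) -> dict:
    """Gray-box check. `accounts` maps each test token to the patient it was
    issued for; `known` lists (type, id, owner) for records seeded for the test.
    Every successful read of another patient's record is a finding; reads of the
    caller's own records act as a control that legitimate access still works."""
    findings = []
    own_access_ok = True
    for token, patient in accounts.items():
        hdrs = {"Authorization": f"Bearer {token}"}
        for rtype, rid, owner in known:
            status = read(rtype, rid, hdrs).status
            if owner == patient:
                own_access_ok = own_access_ok and status == 200
            elif status == 200:
                findings.append({"token": token, "resource": f"{rtype}/{rid}",
                                 "owner": owner, "status": status})
    unauth_status = read(known[0][0], known[0][1], {}).status
    return {"unauthenticated_rejected": unauth_status == 401,
            "own_access_ok": own_access_ok,
            "cross_patient_findings": findings}


# Test fixtures derived from the constructed data above (in an engagement these
# come from the accounts and records provisioned for the testers).
ACCOUNTS = {tok: ctx["patient"] for tok, ctx in TOKENS.items()}
KNOWN = [(rtype, rid, _owner(res)) for (rtype, rid), res in RESOURCES.items()]

if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_read), ("hardened", hardened_read)):
        print(name, cross_patient_check(fn, ACCOUNTS, KNOWN))
```

Run against the vulnerable handler the check reports four findings (each of the two tokens can read the other patient's Patient and Observation records); against the hardened handler it reports none while the own-record control still succeeds. Against a real FHIR server the `read` callable would be an HTTP GET with the same arguments, and the same check should be repeated for search endpoints (for example `Observation?patient=...`), where the patient filter is just as easy to leave unenforced.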
Designing Your HIPAA Pen Tests: Access, Testing Methods, and Types
When deciding to engage in pen testing to support your compliance effort, you have several choices to make about access levels, methods, and test types.
First, you’ll determine the level of access you’ll give the testers. There are three levels:
- Black Box Penetration Testing, also known as Opaque Box: In this scenario, the testers have no information about your organization’s systems or internal structure. This option gives you a real-world view of how an outside attacker would seek to breach your network.
- Gray Box Penetration Testing, also known as Semi-Opaque Box: In this situation, testers know something about your systems and network. They may also have credentials, and the test can include specific cases such as an attempt to reach another patient’s ePHI through an application.
- White Box Penetration Testing, also known as Transparent Box: In this setting, testers have full information, such as architecture documentation, source code or configuration, and often credentials to the systems themselves. White Box testing can simulate what an insider attack could look like and finds the most issues per hour of testing.
In addition to access levels, there are different pen testing methods. Here’s how they could play out in the context of HIPAA.
- External testing: A tester targets your internet-facing assets, such as web apps, websites, email, and DNS servers. The goal is to use these assets to gain access to your network and reach ePHI.
- Internal testing: A tester starts from a position behind the firewall to simulate the consequences of human error or of credentials stolen through phishing.
- Blind testing: A tester knows only your business name and, from there, begins a quest to find weaknesses. It’s a good option if you want a realistic view of how an attacker with no inside knowledge would proceed.
- Double-blind testing: Your internal security team is not told that pen testing is occurring. They respond to the activity as if it were a real attack, which also tests your detection and incident response.
- Targeted testing: Testers and your technical staff collaborate in real time, simulating an attack and reacting to it together.
Pen Test Types
Next, you’ll consider what part of your IT infrastructure to test. In terms of HIPAA pen tests, you’ll want to test the following:
- Web applications: How secure are the apps you use every day to manage, handle, transmit, and store ePHI?
- Network security: How secure are your routers, switches, and network hosts? Are all these things configured correctly?
- Cloud security: If you use the cloud, which you probably do, how secure is your cloud environment? Are identities, storage, and network controls configured so that ePHI is not exposed?
Getting the Most Value from HIPAA Penetration Testing
The access level, methods, and test types above are the design decisions for your HIPAA penetration test. Beyond those, what will make the test most valuable in securing your organization?
- Set goals for your pen test: Determine what you believe the pen test will uncover. You should also look back to previous tests, if applicable, to confirm if the corrective action was successful.
- Work with a pen testing firm with healthcare expertise: Pen testing is a commodity in the IT market. Many people can conduct them, but you should seek out an organization specializing in healthcare pen tests. Healthcare is unique, and you need a partner that understands all this.
- Opt for multiple testing formats: In discerning your compliance with HIPAA and potential weaknesses, you’ll need your testers to conduct different types and use many methods.
- Define the scope of your test: Every pen test is different, as it should be. Your healthcare data environment is distinctly your own, consisting of many components. Part of this scope is selecting the types and methods. The other part is agreeing on the in-scope IP ranges, applications, and accounts, how deep the testing goes, and the scenarios that matter most to the security of ePHI.
- Document the Rules of Engagement (ROE) with your provider: An ROE sets expectations and identifies stakeholders and factors such as testing timeframes, project targets, and any known limitations. Such a document will assign responsibilities and obligations.
- Make a plan for what to do with the report: At the end of the pen test, you’ll receive a full report that defines the existing vulnerabilities, if ePHI was breached and how, and how long a tester was able to remain inside your network without detection. Once you review the report, you’ll need to begin a remediation plan to address these issues. If the list is long, prioritize what to do first. Your pen test provider may also provide best practices and strategies to rectify weaknesses.
- Plan your next test: Pen testing isn’t a one-time exercise. You’ll need to conduct them at least annually, if not more often. Certain things can trigger the need to retest, including adding network infrastructure or applications, applying security patches, upgrading infrastructure or applications, modifying end-user policies, or establishing new locations.
Do You Need a HIPAA Penetration Test?
If you operate under HIPAA, you should consider pen testing as a regular part of your cybersecurity practices. Although you don’t need one to be compliant, you’ll improve your defense posture and be less likely to experience a breach.