Penetration Testing to Support Compliance with the HIPAA Security Rule
1. Schedule a 30-minute Discovery Session
2. We determine IF and HOW we can help
3. We provide a Tailored Proposal
4. Together, we review the Proposal
Our HIPAA penetration test includes a Remediation Validation Test (RVT) to maximize your security.
Medical information is highly valuable, often more profitable to attackers than credit card data because it cannot be reissued the way a card number can. A patient record typically contains a Social Security number, date of birth, insurance member number, diagnosis codes, and billing details. Attackers use this data for identity fraud, insurance fraud, and obtaining prescriptions under a false identity. Healthcare organizations therefore need regular penetration testing to assure themselves, their patients, and their regulators that electronic protected health information (ePHI) is protected.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is the US federal law that governs the privacy, security, and electronic exchange of health information. Under the HIPAA Security Rule, covered entities and their business associates must periodically evaluate the technical controls that protect ePHI. The most direct way to evaluate a control is to attack it the way an adversary would, and that is what our HIPAA penetration test does.
The HIPAA requirement most relevant to penetration testing is the Evaluation standard, 45 CFR § 164.308(a)(8), which requires a periodic technical and nontechnical evaluation of how well the organization's security policies and procedures meet the Security Rule.
The nontechnical evaluation assesses the plan on paper; the technical evaluation assesses the plan's implementation, confirming that the controls described in the documentation actually exist, are configured as described, and hold up under attack. A penetration test is one widely accepted way to perform the technical evaluation, and it should be carried out by an independent third party so the results are not influenced by the team that built or operates the controls.
Additionally, NIST's HIPAA Security Rule implementation guidance (NIST SP 800-66) states:
“Conduct penetration testing (where trusted insiders attempt to compromise system security for the sole purpose of testing the effectiveness of security controls), if reasonable and appropriate.”
HIPAA itself prescribes no testing frequency; it requires only that the evaluation be periodic and repeated when environmental or operational changes affect the security of ePHI. Many organizations treat that as an annual penetration test. We recommend a quarterly program that includes remediation validation testing, so that fixes are verified rather than assumed and changes made between annual tests do not go unexamined.
Contact us for a no-cost consultation on our HIPAA penetration testing services.
We ensure our testing covers the latest Open Web Application Security Project (OWASP) Top 10, along with the following standard vulnerabilities:
We follow a seven-phase methodology designed to maximize our efficiency, minimize risk, and provide complete and accurate results. The overarching seven phases of the methodology are:
It is better for an ethical hacker to find the holes in your healthcare environment than for an adversary to find them first. Our HIPAA Penetration Testing Services report exploitable vulnerabilities in a prioritized, tangible manner, with the evidence needed to reproduce each finding. The report shows you what your environment looks like from an attacker's perspective, that is, what your attack surface is, so you can prioritize remediation where it most reduces the likelihood of a data breach.
Beyond mapping your attack surface, a penetration test is also a safe way to exercise your organization's incident response capabilities against realistic attacker activity. It can likewise be used to tune and validate your security controls, such as your IDS, firewall, web application firewall (WAF), and router access control lists (ACLs), by confirming which attacks they actually detect or block rather than which ones they are configured to.
A vulnerability assessment identifies known vulnerabilities and misconfigurations, usually with automated scanning, but does not confirm whether they can be exploited or chained together. A penetration test looks at your environment from an attacker's perspective, applies the tactics, techniques, and procedures real attackers use, and demonstrates actual impact. A penetration test therefore gives you a more accurate depiction of risk.
We understand that a key objective of testing medical devices is often to support an FDA premarket submission, and we scope device testing accordingly.
We help you meet the HIPAA Security Rule requirement to conduct an accurate and thorough assessment of the risks to the confidentiality, integrity, and availability of ePHI.
The number of cybersecurity incidents continues to climb, and the variety of attacks continues to grow. It is no longer a question of if you will have a cyber event, but when.