Pentesting, or penetration testing, is not specifically required for HIPAA compliance. However, that does not mean healthcare organizations should not utilize pentesting to assess cyber defenses. Pentesting is an innovative, offensive approach to cybersecurity and safeguarding protected health information (PHI).
Penetration testing lets organizations identify high and low risks, assess operational impacts, measure defensive controls, and meet compliance requirements such as HIPAA.
Penetration testing is a security technique used to examine cyber vulnerabilities or flaws. Organizations hire cybersecurity experts to hack or penetrate their defenses to find holes to secure. These experts are often called 'ethical hackers' since they simulate cyberattacks to probe for weak threat vectors and access points.
Essentially, there are five types of pentests:
There is also a hybrid (sometimes called 'gray box' or 'gray hat') pentest that combines internal and external testing. Which type of pentest an organization needs depends on what it must check and secure and on where the information is located; PHI stored in the cloud is a good example.
HIPAA and its amendments require healthcare practitioners to continuously safeguard PHI. In fact, the HIPAA Security Rule establishes the conditions for such protections. Covered entities and business associates must:
The Security Rule asks healthcare professionals to implement layers of administrative, technical, and physical safeguards. Technical safeguards focus on cybersecurity, while physical safeguards concentrate on facilities. Administrative safeguards focus on effective policies, procedures, and practices that guarantee the security of all systems and the PHI within.
There are several aspects of administrative safeguards to explore but one central part concerns evaluation. Healthcare organizations must conduct regular evaluations or risk assessments to review policies and how they are implemented. Risk assessments can analyze storage, information flow, technology systems, and physical security features, among other aspects of cybersecurity.
The idea is to assess, modify, and monitor risks to effectively protect PHI and avoid HIPAA violations and fines.
Two significant methods within a proper risk assessment are vulnerability scans and pentesting. While pentesting is not required by HIPAA, industry experts and standards organizations agree that it supports HIPAA compliance. For example, the National Institute of Standards and Technology (NIST) provides penetration testing guidance to help confirm that systems are secure.
Healthcare organizations typically use NIST guidance to develop and maintain cybersecurity under the HIPAA Security Rule. According to NIST, pentesting scrutinizes a healthcare organization's security system for noncompliant features. HIPAA compliant pentesting acts as a check and balance on the other security controls in use.
Covered entities and business associates can use pentesting to investigate security for:
While not required, if pentesting can prevent a breach and a HIPAA violation, it is worth it in the long run. HIPAA violations may even result in costly civil and criminal penalties. A proactive approach like pentesting therefore reduces the likelihood of HIPAA penalties and helps protect patients' PHI.
Maintaining the security of patients' PHI is critical to guaranteeing HIPAA compliance. Here are some general steps to an effective penetration test. The details of each step depend on who is hired, what they are testing, and the desired outcome.
Once updated, the system should be scanned again and rescanned annually for the same or other weak spots.
Healthcare continues to be the most targeted industry for cyberattacks. Given this, pentesting, while not required by HIPAA, is needed to strengthen the security around PHI. Pentesting analyzes the ability of an organization to defend against accidental and intentional cyberattacks.
When it comes to avoiding cyberattacks, healthcare organizations must be proactive. Preventative and offensive security measures, such as pentesting, are important to expose and patch vulnerabilities. Moreover, penetration tests help fulfill the Security Rule's administrative safeguards, keeping healthcare organizations HIPAA compliant and the focus on their patients.