November 06, 2023

Is a Penetration Test Required for HIPAA Compliance?

HIPAA lays down strict standards for protecting people's sensitive health data. The rules don't specifically require you to use penetration testing. However, penetration testing is one of the most effective ways to test, maintain and improve security and so should be a key tool in complying with HIPAA.

HIPAA Requirements

Although HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, the term also covers several later regulations. The most relevant to penetration testing is the HIPAA Security Rule that took effect in 2005. HIPAA applies to two groups (1):

  • Covered entities (Healthcare providers & clearinghouses and health insurance plan operators)
  • Business associates (Organizations hired by a covered entity to do work that involves personal health information, plus their subcontractors)

The HIPAA rules apply to personal health information. This covers 18 categories such as names, certificate numbers, and medical record numbers. In practice, it covers any information that you could use to link medical information to a specific person. (2) The HIPAA Security Rule specifically covers personal health information in electronic form. It says you must:

  • Keep it complete, confidential, and available.
  • Protect against security breaches or damage to data.
  • Protect against unlawful disclosure or use of data.

These protections must cover any "reasonably anticipated" risks. That's why you need to identify and fix any gaps in your security that could turn such risks into reality.

Compliance Methods

The Security Rule puts much more emphasis on the outcome (meeting the requirements listed above) than on the methods you use. However, it does list several administrative safeguards that you must comply with. These include having a dedicated security official in charge of compliance; having an authorization and supervision process to control which staff access what data; and having policies to block access from employees who leave the organization.

The rule also specifically requires you to carry out risk analysis. To do so you must: "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity." (3)

Another requirement is to: "Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart [the Security Rule]."

As we'll see, penetration testing is one of the best ways to meet these HIPAA compliance requirements in full and to benefit your business more widely.

What Is Penetration Testing?

In simple terms, penetration testing falls somewhere between a simulated attack on your network and systems, and a genuine attack. Penetration testing involves somebody (with authorization) actively trying to breach your system. It's real in the sense that they are actually trying to get past your defenses, but simulated in that they aren't trying to cause actual damage or extract and pass on data. The exercise is not just about whether they can get into your system but how they can use that access and extend their reach. Some penetration tests involve hiring a (thoroughly vetted) third party to carry out the "attack." Others involve your own staff running the exercise, either simulating an outsider or starting with limited access rights similar to an employee. Mixing these methods can give a better insight into the security risks from both external and internal attackers. A key part of penetration testing is your IT staff trying to detect and mitigate the breach. Usually they'll know penetration testing is happening but not precisely when the "attacker" will strike.

How Does Penetration Testing Help With HIPAA Compliance?

HIPAA's security requirements aren't about technical checklists where you simply show you have, for example, a specific firewall, a strong password policy, and an up-to-date malware scanner. Instead, the requirements are more about the overall outcome: will your security actually mitigate the risks of real attacks? The main advantage of HIPAA pentesting over a checklist approach (sometimes called a vulnerability assessment) is that it works in the same way as real attacks. A hacker doesn't follow a set playbook but will instead adjust to specific combinations of security measures and vulnerabilities. In particular, they'll often find ways that multiple vulnerabilities, each of which seems minor in isolation, can add up to a major security hole. By using HIPAA penetration testing, assessing the results and making necessary security adjustments, you'll have much more certainty that your defenses can stand up to real attacks. In turn, you can show you've done enough to mitigate "reasonably anticipated" risks as HIPAA requires.

Other Benefits of Penetration Testing

Because penetration testing is so open-ended, its benefits go far beyond simply complying with a particular law. It reduces the chances of attacks that could expose commercially sensitive data. It also reduces the likelihood of an attacker taking down your system or locking it up with a ransomware attack. That helps avoid a range of costs from repairing systems and restoring files to lost staff productivity and lost revenue if you can't process or fulfill orders. Knowing where a penetration test attack was and was not successful is also a great way to prioritize which flaws to fix first.

We can help you decide how HIPAA penetration testing can boost your security and aid your compliance. Contact us today and we'll get the process started.

References:

[1] https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html

[2] https://www.luc.edu/its/aboutits/itspoliciesguidelines/hipaainformation/18hipaaidentifiers/

[3] https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html

Image: https://pixabay.com/illustrations/cyber-security-internet-security-1805632/