Many healthcare providers, covered entities, and business associates are unclear about whether they need penetration testing for HIPAA compliance. As a healthcare industry CISO, this has never surprised me: The documentation on this point is at times unclear, and even compliance consultants have been known to advise on it inaccurately.
In this article, I’ll attempt to clear the muddy waters and outline why it’s critical for any HIPAA compliance program to incorporate penetration testing. The HIPAA Security Rule doesn’t require it by name, but, as I’ll explain, it’s arguably impossible to maintain compliance without it.
Penetration Testing Requirements for HIPAA
HIPAA defines a specific class of Protected Health Information dubbed electronic Protected Health Information or ePHI. Simply put, electronic Protected Health Information is any Protected Health Information transmitted or maintained in electronic form. That distinction is critical, though, because ePHI is covered by the HIPAA Security Rule in addition to other HIPAA requirements.
The HIPAA Security Rule can be found under 45 CFR §§ 164.300, et seq. The Security Rule provides HIPAA compliance requirements for electronic systems and the protection of ePHI. There, you’ll find requirements to conduct a risk analysis, implement staff training, validate system auditing, and other associated requirements. What you won’t find: a HIPAA Security Rule standard for penetration testing.
Put differently, there are no HIPAA penetration testing requirements. That being said, it is nearly impossible to validate that the other required controls are working effectively without some form of penetration testing.
Here are some of the requirements whose efficacy a penetration test can validate:
- Information system activity review (45 CFR § 164.308(a)(1)(ii)(D))
- Access authorization (45 CFR § 164.308(a)(4)(ii)(B))
- Access establishment and modification (45 CFR § 164.308(a)(4)(ii)(C))
- Protection from malicious software (45 CFR § 164.308(a)(5)(ii)(B))
- Log-in monitoring (45 CFR § 164.308(a)(5)(ii)(C))
- Password management (45 CFR § 164.308(a)(5)(ii)(D))
- Response and reporting (45 CFR § 164.308(a)(6)(ii))
- Mechanism to authenticate ePHI (45 CFR § 164.312(c)(2))
Remember, while HIPAA doesn’t require you to affirmatively validate controls, it does require that healthcare organizations ensure the confidentiality, integrity, and availability of ePHI and also protect against reasonably anticipated hazards and threats. With cyberattacks against healthcare organizations at an all-time high, a cyberattack itself is a reasonably anticipated hazard and threat.
How do you protect against a cyberattack? A proactive penetration test is one of the most effective methods available.
Is Vulnerability Assessment Enough?
Vulnerability scanning and assessments are great tools to identify vulnerabilities. Vulnerability scans focus on finding pre-identified technical vulnerabilities in a target environment. Typically, those vulnerabilities involve the presence of deprecated communications protocols, vulnerable software components, or other code and communication-based weaknesses that permit entry into an environment.
Hackers or other threat actors may leverage those weaknesses to enter an environment, but they may not need to. They can also leverage misconfigurations, weak passwords, or other gaps in administrative controls that most vulnerability scanners don’t pick up. While tools exist to identify each of those kinds of gaps, they typically focus on one or two categories to the exclusion of all others. They perform admirably within their focus, but assembling a solution from several such tools can be costly.
Penetration testing is less robust at broad detection and more focused on how attackers would exploit vulnerabilities in your environment to gain entry. It’s a technical evaluation that starts at your perimeter and works inward through the network or web applications toward your critical ePHI data stores. The result isn’t just a report of risks and what’s wrong with your environment, but one that includes methods for mitigating or remediating the entire attack pathway.
CISO’s Recommendation on Pentesting for HIPAA
I’m a huge fan of penetration testing. I think it’s the single most effective way of measuring an organization’s security posture from an external perspective, the perspective that potential hackers will use to approach an organization. If there are clear methods of entry on the perimeter and the ability to move laterally through a network, then mitigating all the other vulnerabilities in the world won’t save your crown jewels.
How Regularly?
I think penetration tests for HIPAA purposes should be conducted at least once per year. That’s not only for healthcare organizations but all organizations.
If you are a covered entity, though, consider penetration testing more than once a year if your IT resources can support that.
Staff, infrastructure, and processes can only work and change so quickly, and they are likely supporting mission-critical initiatives in addition to addressing penetration test mitigation and remediation. If you conduct pen testing every quarter but only remediate findings on what works out to be a biennial basis, then the off-cycle penetration testing is duplicative.
Testing What?
45 CFR § 164.308(a)(7)(ii)(E) requires that the applications and data supporting your organization’s contingency plans be identified and scored based on criticality.
Those are likely your crown jewels: EMR, PACS, billing systems, payment systems, critical service support, and other important or critical infrastructure. Some or all of that should be tested, depending on the scope and complexity of your environment.
If that’s too daunting, then ask yourself this question: where would it be very bad for a threat actor to gain access? Where is your sensitive data? Whatever your gut reaction says, go with that.
In Combination With?
Penetration tests work in combination with other security controls to provide a comprehensive security program; they are an integral part of an industry-standard program, not a replacement for one. Suppose your organization lacks access controls, vulnerability scans, transmission security controls, endpoint security, and other critical cybersecurity efforts. In that case, pen testing will help, but it won’t mitigate the worst of your issues. Conversely, if you have all that infrastructure in place, then pen testing will tell you how effective those controls actually are.
It’s important for a Covered Entity to practice the kind of self-reflection outlined in 45 CFR §§ 164.306(b) and (d). Figure out what makes sense and how you’ll implement the security controls or effective alternatives.
What about Medical Devices?
IoT and Medical OT, usually lumped together under the header of “healthcare devices”, are out of scope for most penetration testing firms. There are a couple of reasons for that.
First, IoT and Medical OT can dwarf the size of your endpoint and server fleet. That typically exacerbates costs.
Second, when those devices are online, they may be connected to patients. Since there’s no reliable way to validate that a device is safe to test, short of taking it completely out of commission, most companies are wary of testing them.
How Much is Penetration Testing for HIPAA?
Cost will vary based on the size and scope of the engagement. An enterprise-wide pen test for a large healthcare organization could cost hundreds of thousands of dollars. Running through a script of common vulnerabilities or attack pathways may cost a few thousand to the low tens of thousands of dollars. The more complex and comprehensive the exercise, the more time-intensive it is, and therefore the more expensive.
See this article for our comprehensive breakdown of penetration testing costs.
Are there Vendors for HIPAA Pentesting Specifically?
Since there are no HIPAA penetration testing requirements, there aren’t really HIPAA penetration testing firms. Focus on finding a reputable penetration testing vendor instead.
That being said, if you find a penetration testing firm with healthcare experience, they’ll at least understand your lingo and can make suggestions about potential scope and targets. Certainly, they’ll be able to better tailor their recommendation for your patient-facing needs.
Final Thoughts
There’s no set of standards for HIPAA penetration testing, but it’s arguably helpful in your journey to HIPAA compliance. The lack of HIPAA-compliant penetration testing standards is a boon in that you can pick any reputable vendor to assist and test whatever scope you’d like. The downside is that some vendors may not understand some of the unique challenges facing healthcare, especially in the remediation and mitigation space.
That being said, this is absolutely a space where doing something is miles ahead of doing nothing, and you’re well served by having reputable ethical hacking supplement your security testing suite. It can help enhance your HIPAA compliance and reduce the likelihood of a data breach.
Penetration testing can also have other ancillary impacts. For example, some business partners and cyber insurance providers require it. So not conducting regular penetration testing can have much broader detrimental impacts.
So there’s a lot of upside in having an ethical hacker compromise your systems and develop a technically detailed report that highlights actual vulnerabilities in your organization, so you can protect critical healthcare records. The downside is minimal and really amounts to cost. Just remember: the risks still exist absent a risk analysis; you just don’t know about them.