Is pentesting required for HIPAA compliance?

Pentesting, or penetration testing, is not specifically required for HIPAA compliance. However, that does not mean healthcare organizations should not utilize pentesting to assess cyber defenses. Pentesting is an innovative, offensive approach to cybersecurity and safeguarding protected health information (PHI).

Penetration testing lets organizations identify high and low risks, assess operational impacts, measure defensive controls, and meet compliance requirements such as HIPAA.

Related: HIPAA compliant email: The definitive guide

What is pentesting?

Penetration testing is a security technique used to examine cyber vulnerabilities or flaws. Organizations hire cybersecurity experts to hack or penetrate their defenses to find holes to secure. These experts are often called 'ethical hackers' since they simulate cyberattacks to probe for weak threat vectors and access points.

Essentially, there are five types of pentests:

• Internal (i.e., 'white box' or 'white hat' tests): experts investigate internal networks for issues, such as what a disgruntled employee could do.
• External (i.e., 'black box' or 'black hat' tests): experts investigate external-facing security, such as a website, typically from a remote location.
• Open-box: experts are given information about an organization and its security ahead of time.
• Closed-box (i.e., 'single-blind' tests): experts are not given any background information before their investigation.
• Covert (i.e., 'double-blind' tests): experts are not given any background information, and no one, including IT, knows that a cyberattack will occur.

There is also something called hybrid (or 'gray box' or 'gray hat') pentesting that uses a combination of internal and external tests. The type of pentest depends on what an organization needs to check and secure and where the information is located. A great example is PHI stored on a cloud.

HIPAA, evaluation, and risk assessments

HIPAA and its amendments require healthcare practitioners to continuously safeguard PHI. In fact, the HIPAA Security Rule establishes the conditions for such protections. Covered entities and business associates must:

1. Ensure the confidentiality, integrity, and availability of electronic PHI (ePHI)
2. Identify and protect against reasonably anticipated threats
3. Protect against reasonably anticipated, impermissible uses or disclosures
4. Ensure workplace compliance

The Security Rule asks healthcare professionals to implement layers of administrative, technical, and physical safeguards. Technical safeguards focus on cybersecurity, while physical safeguards concentrate on facilities. Administrative safeguards focus on effective policies, procedures, and practices that guarantee the security of all systems and the PHI within.

There are several aspects of administrative safeguards to explore but one central part concerns evaluation. Healthcare organizations must conduct regular evaluations or risk assessments to review policies and how they are implemented. Risk assessments can analyze storage, information flow, technology systems, and physical security features, among other aspects of cybersecurity.

The idea is to assess, modify, and monitor risks to effectively protect PHI and avoid HIPAA violations and fines.

Learn more: The 12 steps to HIPAA compliance

HIPAA compliant pentesting

Two significant methods of a proper risk assessment are vulnerability scans and pentesting. While not required by HIPAA, industry experts, and standard organizations agree that pentesting secures HIPAA compliance. For example, the National Institute of Standards and Technology (NIST) provides a penetration testing framework to help confirm secure systems.

Healthcare organizations typically use NIST guidance to develop and maintain cybersecurity under the HIPAA Security Rule. According to NIST, pentesting scrutinizes a healthcare organization's security system for incompliant features. HIPAA compliant pentesting acts as a check and balance for other utilized security features.

Covered entities and business associates can use pentesting to investigate security for:

• Network protocols and operating systems
• Employee training
• Perimeter defenses
• Access controls
• HIPAA compliant email
• Patient portals
• Websites
• Wireless or work-from-home devices
• Medical devices and the Internet of Medical Things (IoMT)

While not required, if pentesting can prevent a breach and HIPAA violation, it is worth it in the long run. HIPAA violations may even result in costly civil and criminal penalties. Therefore, a proactive approach like pentesting reduces the likelihood of HIPAA penalties and ensures the protection of patients' PHI.

General steps to a penetration test

Maintaining the security of patients' PHI is critical to guaranteeing HIPAA compliance. Here are some general steps to an effective penetration test. The details of each step depend on who is hired, what they are testing, and the desired outcome.

1. A healthcare organization authorizes an expert to perform an 'ethical hack.'
2. The expert does reconnaissance, gathering intelligence through analysis and threat modeling to plan a simulated cyberattack.
3. The expert performs the attack, looking for holes within a system and places where PHI may be vulnerable. The idea is to gain and maintain access through a variety of cyberattack tools (e.g., brute-force attacks, SQL injections, and even social engineering).
4. The attack concludes with the expert attempting to cover their tracks to avoid detection. At this stage, gathered information should be isolated and documented for the healthcare organization.
5. Results are shared with the healthcare practitioner so that their security can be updated and tightened where needed.

Once updated, the system should be scanned again and rescanned annually for the same or other weak spots.

Pentesting: not required but needed

Healthcare continues to be the most targeted industry for cyberattacks. Given this, pentesting, while not required by HIPAA, is needed to strengthen the security around PHI. Pentesting analyzes the ability of an organization to defend against accidental and intentional cyberattacks.

When it comes to avoiding cyberattacks, healthcare organizations must be proactive. Preventative and offensive security measures, such as pentesting, are important to expose and patch vulnerabilities. Moreover, penetration tests help fulfill the Security Rule's administrative safeguards, keeping healthcare organizations HIPAA compliant and the focus on their patients.