Under the HIPAA Security Rule, covered entities must implement security safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format. One type of security safeguard that must be implemented is known as an “administrative safeguard.” The administrative safeguard provision of the HIPAA Security Rule is broken into a series of standards, one of which is the evaluation standard. Covered entities must know whether the security plans and procedures they have implemented continue to adequately protect ePHI. To obtain this knowledge, covered entities must, under the evaluation standard, implement ongoing monitoring and technical evaluation. One method of technical evaluation is known as HIPAA penetration testing.
What is HIPAA Penetration Testing?
HIPAA penetration testing, also referred to as pen testing, is testing conducted under the HIPAA Security Rule by a data security analyst as part of an effort to identify a covered entity’s potential data security weaknesses and vulnerabilities. A covered entity that wishes to have penetration testing performed authorizes the analyst to perform what is essentially called “ethical hacking.” Through ethical hacking, the tester, with the covered entity’s consent and approval, aims to replicate the efforts of a malicious attacker as realistically as possible.
The data security analyst conducting the test does so by testing your networks, applications, and other security components. Upon completion of the testing, the analyst provides the covered entity with the results, including information about which weaknesses and vulnerabilities exist within the covered entity’s security environment.
What Kinds of Penetration Testing Can be Performed?
Penetration testing consists of both internal penetration testing and external penetration testing.
External penetration testing is the more common approach to HIPAA penetration testing. This type of testing addresses the ability of a remote attacker to penetrate a covered entity’s internal network. Essentially, external penetration testing is performed to assess whether someone from outside a covered entity’s network can access servers or data within the internal network.
In contrast, internal penetration testing is an attempt to simulate what an insider attack could accomplish. The “attacker” – the data security analyst – begins the testing by already having some degree of authorized access, or is starting from a point within the internal network. The access is given beforehand by the covered entity so that the analyst can conduct a test from the perspective of an insider (as opposed to the perspective of an outsider, as is the case with external penetration testing).
Is Penetration Testing Required Under HIPAA?
The HIPAA regulations do not specifically require that a penetration test be conducted. However, the regulations do require that covered entities perform a security risk analysis.
As part of the required HIPAA Security Rule risk analysis, covered entities are required to evaluate risks and vulnerabilities in their environments, and to implement security controls to address those risks and vulnerabilities. Healthcare organizations should have a variety of controls in place, including access controls, audit controls, integrity controls, authentication controls, and transmission security controls.
As noted above, covered entities, under the administrative safeguard evaluation standard, must implement ongoing monitoring and technical evaluation methods. HIPAA penetration testing is such a method – a method of testing the effectiveness of security controls.