Deeper Than the Headlines: Penetration Testing

Have you ever wanted to ask the government, “Well, what about you and your own compliance program?” In other words, have you ever wondered who’s watching the watchers?

The most recent release by the OIG is a summary report of the OIG’s penetration testing of eight HHS operating division networks. So, it’s not just providers who need to be sensitive to cyber attacks, but the government itself needs to make sure it is keeping private data safe and secure.

The OIG determined that security controls across the eight HHS operating divisions needed improvement to more effectively detect and prevent certain cyber attacks. During testing, the OIG identified vulnerabilities in configuration management, access control, data input controls, and software patching. Based on the findings of this audit, the OIG has initiated a new series of audits looking for indicators of compromise on HHS and OPDIV systems to determine whether an active threat exists on HHS networks or whether there has been a past breach by threat actors.

The reason the OIG performed these reviews was to determine whether security controls were effective in preventing certain cyber attacks, the likely level of sophistication an attacker needs to compromise systems or data, and HHS’ ability to detect attacks and respond appropriately. OIG contracted with Defense Point Security (DPS) to provide knowledgeable subject matter experts to conduct the penetration testing on behalf of OIG. OIG oversaw the work performed by DPS, and testing was performed in accordance with generally accepted government auditing standards and agreed-upon rules of engagement between OIG and HHS.

Based on their findings, the OIG provided a restricted roll-up report of the results of the testing to HHS. The report included four broad recommendations that HHS should implement across its enterprise. In written comments to the draft summary report, HHS management concurred with the OIG’s recommendations and described actions it has taken or plans to take to ensure they are addressed. HHS also indicated that the operating divisions have incorporated actions to address their individual vulnerabilities and that HHS will follow up with them to ensure that these have all been addressed.

The rest of the report is confidential, and the specifics have not been released to the public. But knowing that the OIG is performing penetration testing on HHS divisions should remind all of us of the importance of performing these kinds of measures proactively, as well as performing a HIPAA Security Risk Analysis, which is a requirement under HIPAA (see 45 C.F.R. § 164.308(a)(1)(ii)(A)). Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.

All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.

Penetration testing is not equivalent to performing a HIPAA Security Risk Analysis. The Security Rule requires an analysis against its requirements, which are commonly broken down into administrative, physical, and technical safeguards for securing electronic protected health information (e-PHI). By way of example, some of the questions asked during a risk analysis might include:

  1. Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
  2. What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
  3. What are the human, natural, and environmental threats to information systems that contain e-PHI?

There are many, many more questions that need to be asked, and the answers, with accompanying documentation, need to be reviewed. Organizations should then use the information gleaned from their risk analysis as they, for example:

  1. Design appropriate personnel screening processes. (45 C.F.R. § 164.308(a)(3)(ii)(B).)
  2. Identify what data to back up and how. (45 C.F.R. § 164.308(a)(7)(ii)(A).)
  3. Decide whether and how to use encryption. (45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).)
  4. Address the situations in which data must be authenticated to protect data integrity. (45 C.F.R. § 164.312(c)(2).)
  5. Determine the appropriate manner of protecting health information transmissions. (45 C.F.R. § 164.312(e)(1).)

If you need help in meeting this requirement, please give us a call. We have experts and software solutions designed to help in this complex process.
