HIPAA Explainer Series: Penetration Testing and Vulnerability Assessment Q&A (Part 5)

Howdy! Welcome back to our HIPAA Explainer Series. Find the answers you need to stay up to speed on all things related to HIPAA Compliance.

This series evolved from questions we received in a recent webinar of ours, "HIPAA Compliance Essentials, Simplified."

If you’re new to the series, you might want to visit Part 1, Part 2, Part 3 and Part 4. If you’re already caught up, let’s jump right in and continue down the path to total HIPAA compliance.

Q1: What is the difference between penetration testing and vulnerability scanning? 

Penetration testing (also called pen testing) is a manual process that attempts to exploit vulnerabilities identified in a network in order to gain access to it, just as an attacker would. Essentially, pen testing evaluates a security control’s ability to prevent a data breach.

Vulnerability scanning is an automated process, using software or hardware, that identifies potential security holes in a network. Vulnerability scans often generate many false positives, and the findings of a scan don’t indicate whether a particular vulnerability can actually be used to break in and steal data. Determining that is the goal of penetration testing.

Q2: For an ordinary penetration test, would you try to exploit every vulnerability you found? 

No. Hackers are lazy and, like water, they tend to follow the path of least resistance and use the most obvious vulnerabilities to capture data. 

Q3: Does HIPAA require vulnerability testing and penetration testing?

Strictly speaking, the HIPAA regulations do not have a specific standard or specification enumerating a requirement for penetration testing or vulnerability scanning. 

However, HIPAA does require a risk analysis, which obliges covered entities to understand and document the risks to ePHI. Two significant methods for understanding those risks are vulnerability scanning and penetration testing.

In addition, NIST has issued a special recommendation for HIPAA that says, “Conduct trusted penetration testing of the effectiveness of security controls in place, if reasonable and appropriate. This validates your exposure to actual vulnerabilities.” 

Q4: What has changed in the last year to make pen testing more essential?

We’re seeing more externally-derived attacks by known hackers going after healthcare data. ePHI is not just a Social Security number, name, and address; it’s also healthcare records, insurance information, known relationships with doctors, maybe even family relationships. Health record information is extremely valuable on the black market. 

More recently, the prevalence of ransomware attacks on healthcare organizations, most notably at Hollywood Presbyterian and MedStar Health, has further elevated the need for penetration testing.

Q5: Is identity theft the primary motivation for these big hacks? 

It’s one of the motivations. For healthcare information, many hacks come from either the former Eastern Bloc nations or from nation-state attackers, such as China and North Korea. 

In the healthcare industry, though, at least lately, ransomware attacks are the most high-profile and the cause of the most anxiety. Unlike the theft of data, ransomware attacks can completely shut down the daily operations of your organization.

Q6: What is a ransomware attack?

It’s a kind of attack in which the attacker is able to insert malicious code onto an entity’s network and encrypt its data. The attacker will only give you the key to unlock the data if you pay a ransom. Essentially, they hold your data hostage.

Q7: Do any other security regimes require pen testing? 

Absolutely. If a healthcare organization processes routine credit card transactions, it must consider PCI, the payment card industry’s security standard. The latest version of PCI (PCI DSS 3.1) specifically says that every organization with a significant number of credit card transactions must perform penetration testing on an annual basis.

Q8: What is a Qualified Security Assessor (QSA) and do I have to have a QSA pen test my healthcare organization? 

QSA is a designation conferred by the PCI Security Standards Council to individuals and companies that meet specific information security education and training requirements. These individuals and companies are approved to perform PCI compliance assessments as they relate to the protection of credit card data. 

For healthcare organizations and HIPAA compliance purposes, a QSA is NOT required. In fact, hiring a QSA is potentially problematic in that their area of domain expertise is credit card standards, not healthcare and HIPAA. Ideally, healthcare organizations should hire a security assessor and pen testing expert with experience in the healthcare domain and HIPAA. 

Q9: How do you find the right company to perform vulnerability scanning and penetration testing? 

Ideally, you would choose a company with specific expertise in healthcare security. This helps ensure they can evaluate your IT resources and identify vulnerabilities, particularly those that fall under the HIPAA Security Rule standards. Look for a company whose penetration testing services are designed to identify vulnerabilities within your current IT resources and to help your organization work toward HIPAA compliance.

Stay tuned for Part 6 of our HIPAA Q&A Series. And, if you’ve got HIPAA-related questions of your own, ask them below in our comments section. Our HIPAA experts will answer them as soon as possible.
