Since the inception of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, covered entities have had to navigate its murky waters. Those who fail to do so are penalized with hefty fines and requirements to adopt a corrective action plan.
Last year, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) filed 22 HIPAA resolution agreements totaling over $1.12 million in settlement fines. In just the past two months, financial penalties have already surpassed that number, with two settlements totaling $1.27 million. This trend points to HHS becoming more stringent with its enforcement of HIPAA, a trend that could be driven by the increase in healthcare ransomware attacks and opportunistic nation state adversaries eyeing the industry as a key target.
In my 25+ years working in cybersecurity, the majority of my time was spent in the healthcare industry, where I held roles such as HIPAA security officer, information security manager, health information technology director, and security auditor for several large health systems.
In these roles, and still today, the HIPAA Security Rule has left me wanting more.
The vague nature of the Rule leaves much of the compliance requirements up for interpretation. The Rule was written to ensure that healthcare organizations are doing what is necessary to protect ePHI – yet there is no explicit mention of penetration testing.
HIPAA is notorious for telling security leaders what needs to be done to achieve compliance, without explaining best practices to get there. Let’s eliminate the gray area and examine penetration testing’s critical role in HIPAA compliance.
What is HIPAA Penetration Testing?
I will start this section off with a harsh truth: There is no such thing as a “HIPAA Penetration Test”. Though we often see the term used in marketing, pentesting has long been an unwritten component within the Security Rule. You can review the full Rule online here.
The following items within the administrative safeguards section touch on security testing criteria:
- Standard 45 CFR 164.308(a)(1)(i): Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
- Implementation specifications 45 CFR 164.308(a)(1)(ii)(A): Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
- Standard 45 CFR 164.308(a)(8): Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.
Within this section, you will also find standards and implementation specifications around workforce security, information access management, security awareness training, and contingency planning. All of which can be evaluated and validated through a variety of offensive security engagements, such as pentesting, red teams, breach and attack simulation, or social engineering engagements.
HIPAA does a great job highlighting the requirements clearly, without providing actionable steps to achieve compliance. To help, we put together a checklist to ensure your security testing program meets the needs of Security Rule.
HIPAA Pentesting Checklist
Continuous Penetration Testing
HIPAA requires “periodic” evaluations, particularly in response to environmental or operational changes. The rate of change in healthcare environments has increased exponentially over the years. Continuous pentesting can take form of more frequent tests enabled by a penetration testing as a service (PTaaS) delivery model, or through an attack surface management platform. As a rule of thumb, key moments of change could include version upgrades of software that houses ePHI or architecture changes. At the very least, perform penetration tests on a quarterly basis.
Risk Prioritization, With an Emphasis on Application Security
Are you targeting the applications that pose the greatest risk to your sensitive health information? A pentest that meets HIPAA standards should not stop at vulnerability discovery. Whether you are pentesting internally or working with a third-party partner, work together to identify which application pentests should be prioritized – and, more importantly, align on vulnerability severity definitions and remediation timelines based on your organization’s risk profile.
Validation of Security Controls
It is important to note that pentests can and should also be used to validate your security controls. Are your pentests alerting you to flaws and policy gaps within your identity and access management, threat detection, and other security controls implemented? Additionally, consider breach and attack simulation (BAS) platforms to help evaluate and improve the effectiveness of your detective controls. Learn about the top use case for BAS technology in this Gartner report.
Comprehensive Reporting and Historical Data
Standard 45 CFR 164.316(a) in the HIPAA Security Rule highlights the policies and procedures and documentation requirements. According to the standard, healthcare organizations must maintain a written record of each action, activity, or assessment. They also must retain documentation for six years from the date of its creation. Bonus points to pentesting partners who track and trend historical pentesting reports in a single platform.
The Relationship Between Pentesting and Privacy
HIPAA and other privacy regulations (GDPR, FERPA, CPRA) are in place to protect data from being exposed to unintended recipients. To accomplish this, these regulations all require that an organization’s IT Infrastructure must be secure.
As privacy regulations and standards have evolved, I’ve found that if you are compliant with PCI DSS and are HITRUST certified, it is likely you will be HIPAA compliant as well. Both are significantly more prescriptive and actionable than the HIPAA rules and can help you proactively secure ePHI.
Securing an IT infrastructure involves many steps that we will not get into here, but instead will concentrate on how to ensure that an environment remains in a constant state of security. Regular and sometimes continuous penetration testing is the most effective way to provide continued assurance.
Penetration Testing is used to identify how a hacker can gain access to an environment and provide an organization with a roadmap of how to address those vulnerabilities and findings. Pentesting does not inherently make you secure; it makes you aware of your security flaws.
By conducting regular penetration testing, an organization can check that they have successfully remedied known issues and identify any new concerns due to new equipment, configuration changes, or even missed patches on software or hardware.
A Proactive Approach to HIPAA Compliance
Healthcare security and IT teams should approach HIPAA with a foundational mindset. The requirements outline what you should already be doing and thinking about on an ongoing basis.
Mature healthcare organizations have comprehensive vulnerability management and pentesting programs in place. Pentesting is a powerful first step towards compliance – when done right.
Be proactive, not reactive. Be a leader, not a pawn.