Editor's note: This is the first blog in a series of articles on HIPAA compliance and is produced in partnership with Total HIPAA Compliance. The next blog in this series will discuss the various methods for training your staff on compliance and can be viewed here.
You come in to work on Monday, log into your practice’s network, and there is a message that a hacker now controls your EHR and wants a ransom to allow you access. How could you have prevented this invasion? One way is by conducting a penetration test. This is a great tool to help determine your vulnerabilities and correct security holes in your network before a hacker can find them.
What is a penetration test, and should you consider one?
A penetration test, or pen testing, is the process of testing a computer system, network, and or web application to find vulnerabilities. A pen test can include remote attacks, testing physical accessibility and phishing tests of your employees. This can be a great tool in conjunction with your HIPAA Risk Assessment to secure all the Protected Health Information you store in your practice.
Does a Penetration Test Replace a Risk Assessment?
No, a pen test can be part of your Risk Assessment, but this will not replace nor cover everything you need to be aware of for HIPAA compliance. The test is looking for vulnerabilities in your computer systems, and will not cover the required documentation of the Physical, Administrative and Security evaluations of your Risk Assessment.
Before you hire a third party to test your system(s), it’s important to perform the required thorough HIPAA Risk Assessment. This means that you have gone through your network and systems and documented your discoveries and vulnerabilities. This can save you lots of time and money and may help you address issues before a test is performed on your systems.
Is Penetration Testing Required?
It is not explicitly mentioned in the HIPAA law, but the National Institute Standards and Technology’s Risk Management Framework (NIST RMF), which is the basis for the HIPAA Security Rule, now encourages organizations to take advantage of penetration testing as a way to help prepare for a potential audit.
Also, there is a provision in the administrative safeguards, § 164.308(a)(8) Standard: Evaluation, that states:
A Covered Entity must . . . perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.
A periodic technical evaluation can easily be inferred to mean a penetration test. Armed with this information, one could argue a penetration test is part of the Standard and therefore is required.
What Should You Look for in a Penetration Test?
Typically, pen testing replicates techniques used by hackers to determine how a system will react to an attack, identify weaknesses, and determine what information can be acquired. Testing is performed from multiple angles: evaluating public-facing servers via the Internet, and evaluating your internal network. Using a combination of open-source and proprietary hacking tools, attacks are carried out on these systems, attempting to gain unauthorized access to the servers.
Who Should Perform Your Penetration Testing?
Ideally, this should be performed by a fully credentialed 3rd party. An individual with a Certified Ethical Hacker (CEH) certification or a Licensed Penetration Tester (LPT) is a qualification that the tester should hold. This means a person has a minimum of 2-years’ security experience, and passed a rigorous examination process.
Your IT department or contractor may say they are equipped to do this internally, but if they designed and implemented the system, are they really going to see the holes in the system?
What Should You Receive After a Penetration Test Is Performed?
Upon completion of testing, your 3rd party should deliver a detailed report of steps taken to penetrate your practice’s systems, identify missing/ineffective controls, recommend action-items to secure the business organized in a timeline based on severity, and a description of technical data needed to assist with remediation.
Before you allow the tester on your network, it’s important to clearly define the scope of the test. You may decide to only test specific systems or applications, or you may determine that the entire system needs to be tested. Whatever your decision, you should have these items clearly defined in the scope of your contract.
How Often Should a Penetration Test Be Performed?
Most experts agree that an annual penetration test is sufficient for most practices. However, if you undergo a major technology overhaul, that would require you to have your system retested.
For more information about Pen Testing, please contact Total HIPAA.