HIPAA Penetration Testing: A Healthcare Security Beginner’s Guide

by Rocky, April 5, 2023, in Health

Many of the same test cases used in a typical pentest are also used in a HIPAA penetration test, but the emphasis is on protecting Protected Health Information (PHI) and meeting HIPAA requirements.

Like a HIPAA risk assessment, a HIPAA penetration test digs deeper to analyze how well your organization has actually implemented its patient data safeguards.

HIPAA penetration testing history

The HIPAA framework established a set of requirements to ensure that covered entities implement practices that protect PHI.

Troubles with HIPAA security

The American healthcare system began a significant switch from pen and paper to electronic systems around the time HIPAA was enacted in 1996. Several security issues remained after that transition, and many of them persist today.

Security debt and rapid growth

Are you familiar with Meaningful Use? As consultants, vendors, and service providers raced to meet its certification requirements, meaningful security was largely neglected.

These afterthoughts left a large “security debt” across the vast majority of the Health IT ecosystem.

Attack surface and interoperability

Healthcare technology interacts with a huge network of parties and systems. A HIPAA penetration test must examine those integrations in order to fully uncover attack vectors, so the tester needs to know the healthcare environment well enough to understand how healthcare applications are actually attacked.

Unusual standards and difficult protocols

Health IT applications involve a range of technologies that are novel to the average penetration tester. Familiarity with standards like HL7, FHIR, and many others is necessary to spot security flaws.

The more thoroughly a tester understands these standards, the more quickly they can find configuration errors and security problems.

What uniquely defines a HIPAA penetration test?

What precisely separates pentests in healthcare from those in other industries? Although the details vary between applications and networks, a few themes are likely to be constant.

Breach of PHI protection

PHI is a precisely defined set of data: HHS lists 18 identifiers (names, dates, phone numbers, medical record numbers, and so on) that turn health information into PHI. During a HIPAA penetration test, the pentester should know this list and understand the significance of the technical safeguards required to protect it.

Data protection nuances

Knowing what counts as PHI is just the start of the nuances of data protection. For instance, organizations have different security obligations when working with de-identified or anonymized data. A legitimate HIPAA penetration test should take this into account as well.

Unusual technologies

Unique technologies pose particular security concerns, and healthcare IT is riddled with them and the problems they bring. The average penetration tester can easily overlook some of these. Here are a few examples for context:

  • DICOM Imaging – This radiology format stores detailed patient identifiers (name, ID, birth date, and more) in the file header alongside the image data, which is often JPEG-compressed. Such images, which can carry highly sensitive data in that metadata, have been posted on patient portals.
  • FHIR – Many web applications expose a FHIR API, but the standard itself does not mandate a particular authentication and authorization scheme, so each implementation has to supply its own. In several HIPAA penetration tests, we’ve observed improper FHIR implementations grant unrestricted access to health records.
  • HL7 – The US healthcare system is a Rube Goldberg creation, and HL7 is the plumbing of health information technology. A working knowledge of HL7 is necessary, since a penetration test needs to review the data transferred into and out of an application.

Medical devices

It’s hard to talk about healthcare pentesting without bringing up hardware. The IT footprint of the healthcare industry is strewn with antiquated or fundamentally weak technologies, from bedside insulin pumps to radiology imaging. A knowledgeable healthcare pentester will find more vulnerabilities and also offer better remediation guidance.

HIPAA pentesting and applications

Are you developing a SaaS product, mobile app, or other software that handles PHI?

Applications that handle PHI should take extra care not to cache data or send it to the wrong recipients. Conventional application pentests usually surface many low-risk findings in this area; a HIPAA penetration test should go further and treat them as issues that must be fixed.

Here are a few illustrations:

  • Cache controls – Response headers such as Cache-Control, Pragma, and Expires must be set so that PHI is not retained in the browser cache on shared workstations.
  • Redirection of timeout screens – Simply expiring the session token on the server is insufficient when a user session times out. The web application should also use client-side JavaScript to send the user to a login page, so that PHI stops being displayed on a workstation that is left unattended.
  • PHI in GET requests – A HIPAA pentest should carefully inspect GET requests to make sure PHI is not carried in the URL, because query strings end up in browser history, server and proxy logs, and Referer headers. Remember that this includes identifiers, names, and phone numbers that would otherwise be considered unimportant.
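The first and third items above can be checked mechanically. The following added example (not code from the original post) takes a set of response headers and a list of request lines and reports pages a browser may cache and GET parameters that look like PHI. The header sets and request lines are constructed, and the parameter-name list and value patterns are heuristics chosen for the example rather than a HIPAA-defined list.

```python
"""Check HTTP response headers and request lines for two PHI-handling
mistakes: pages that browsers may cache, and identifiers carried in GET
query strings.

Added example, not code from the original post. The header sets and request
lines below are constructed for illustration; SENSITIVE_PARAMS and
VALUE_PATTERNS are heuristics chosen here, not a HIPAA-defined list.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Cache-Control directives a PHI-bearing response must carry.
REQUIRED_CACHE_DIRECTIVES = {"no-store", "no-cache"}


def cache_findings(headers):
    """Return a list of findings for one response's headers (names case-insensitive).

    An empty list means the response should not be retained by the browser
    cache on a shared workstation or by an intermediate proxy.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",") if d.strip()}
    missing = REQUIRED_CACHE_DIRECTIVES - directives
    if missing:
        findings.append("Cache-Control lacks " + ", ".join(sorted(missing)))
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (needed by HTTP/1.0 caches)")
    if "expires" not in h:
        findings.append("Expires missing (set to 0 or a date in the past)")
    return findings


# Parameter names that almost always carry a HIPAA identifier.
SENSITIVE_PARAMS = {
    "ssn", "mrn", "dob", "patient", "patientid", "patient_id", "name",
    "firstname", "lastname", "phone", "email", "address", "zip",
}
# Value shapes that look like identifiers even under an innocuous parameter name.
VALUE_PATTERNS = {
    "an SSN": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "a phone number": re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$"),
    "a date": re.compile(r"^(19|20)\d{2}-\d{2}-\d{2}$"),
    "an email address": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
}


def phi_in_get(request_line):
    """Return [(param, reason), ...] for a GET whose query string looks like PHI.

    Only GET is inspected: a query string is written to browser history,
    server and proxy logs, and leaks to third parties via the Referer header,
    whereas a POST body normally is not.
    """
    method, target, _ = request_line.split(" ", 2)
    if method != "GET":
        return []
    hits = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            hits.append((key, "sensitive parameter name"))
            continue
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.match(value):
                hits.append((key, "value looks like " + label))
                break
    return hits


# Constructed samples: a weak header set, a hardened one, and a few request lines.
WEAK_HEADERS = {"Content-Type": "text/html", "Cache-Control": "private, max-age=600"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}
SAMPLE_REQUESTS = [
    "GET /api/patients?mrn=00012345&dob=1980-01-01 HTTP/1.1",
    "GET /search?q=jane+doe&contact=555-000-1234 HTTP/1.1",
    "GET /static/app.js?v=42 HTTP/1.1",
    "POST /api/patients HTTP/1.1",
]

if __name__ == "__main__":
    print("weak:", cache_findings(WEAK_HEADERS))
    print("hardened:", cache_findings(HARDENED_HEADERS))
    for line in SAMPLE_REQUESTS:
        print(line, "->", phi_in_get(line))
```

The request-line check is deliberately noisy: a pentester would rather review a false positive like a date-shaped version string than miss a medical record number hiding under a parameter called `ref`. The hardened header set is the one to compare against when a finding is reported.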

HIPAA penetration testing and AWS

Even though the HIPAA rules do not spell out requirements specific to any cloud provider, there are a few things to be careful of.

  • Understand which AWS features you rely on to protect data at rest (encryption of volumes, buckets, and databases) and in transit (TLS), and verify during the test that they are actually enabled rather than assumed.
  • AWS requires customers to have a Business Associate Agreement (BAA) with AWS in place before they process PHI on its services.
  • Not all AWS services are covered by that BAA as HIPAA-eligible, so it is crucial to check each service in your cloud stack for eligibility before PHI touches it.

Scoping a HIPAA penetration test

Scoping is one of the most important first steps of a penetration test, and how a vendor handles scoping is a good criterion when evaluating a pentest company. You need to decide whether to concentrate on an application pentest, a network pentest, or a hybrid of the two before you can move forward.

For businesses with SaaS, mobile, and general web applications, an application pentest is probably the best evaluation. The next crucial decision is the test style (black box, gray box, or white box). The vast majority of organizations will conduct gray box tests, although exceptional circumstances may change this.

On the network side, you should decide whether the testing will cover the internal network, the external network, or both.

HIPAA pentesting FAQ

Does my penetration testing vendor need a BAA?

Most covered entities do not require a BAA from pentesting vendors unless the engagement specifically grants access to PHI; in that case any PHI a tester encounters is treated as incidental. If the scope deliberately includes access to production PHI, treat the vendor as a business associate and put a BAA in place.

Does HIPAA require a penetration test?

The HIPAA Security Rule requires a “risk analysis” of the technology used to store or process PHI. A penetration test is not formally required, but it is widely regarded as one of the best ways to inform that analysis.

Wrapping up

A HIPAA penetration test’s success may depend on the tester’s expertise in the healthcare field. Since 2010, Virtue Security has participated in HIMSS as an exhibitor. We want to help the healthcare professionals who save lives on a daily basis.
