What Healthcare Should Know about HIPAA Penetration Testing

Does your healthcare organization do penetration testing? If not, you probably should.

Read our latest white paper, What Healthcare Needs to Know about Penetration Testing.

Did you know that penetration testing can be very useful in finding vulnerabilities in your organization’s security? And yet, many healthcare organizations don’t know much about penetration testing.

Here are some basic things your organization should know about HIPAA penetration testing.

See also: Types of Penetration Testing: The What, The Why, and The How

What is penetration testing for healthcare?

Also known as ethical hacking, a penetration test is basically an MRI for your organization’s data environment.

In a penetration test, analysts will look for and identify potential weaknesses, and try to exploit vulnerabilities. It’s a real-world security testing of the HIPAA requirements you have in place, and a way to see potential problems in your security systems.

See also: Different Types of Penetration Tests for Your Business Needs

Why should I get a penetration test?

‍The HIPAA standard 164.308(a)(8) explains that you need to perform periodic technical evaluations. Penetration testing can be included in these tests, because it’s a good method to check an organizations’ security controls to make sure everything is working properly.

Penetration testing is a better way to test your environment because it goes beyond the automated vulnerability scanning and goes deeper into your environment, looking for potential security problems.

Depending on your security needs, you might need to do an internal and external penetration test.

• Internal Penetration test: pen testers test systems within your organizational network (perspective of someone inside your network)
• External penetration test: pen testers test the system from an open public network outside your organizational network (perspective of a hacker over the Internet)
  

See alsop: Pentesting vs Vulnerability Scanning: What’s the Difference?

Should I use a third party or an internal employee to run the test?

Ultimately, it’s up to you to decide how you want to run the test. If you use an in-house penetration tester, make sure they use the correct testing methodology (NIST 800-115, OWASP Testing, etc.) and are aware of general vulnerabilities and threats present in the industry. The best reason to use a third party is it offers a fresh pair of eyes and perhaps added expertise.

Penetration testers should be knowledgeable about:

• Black hat attack methodologies (e.g., remote access attacks, SQL injection)
• Internal and external testing (i.e., perspective of someone within the network, perspective of hacker over Internet)
• Web front-end technologies (e.g., Javascript, HTML)
• Web application programming languages (e.g., Python, PHP)
• Web APIs (e.g., restful, SOAP)
• Network technologies (e.g., firewalls, IDS)
• Networking protocols (e.g., TCP/UDP, SSL)
• Operating systems (e.g., Linux, Windows)
• Scripting languages (e.g., Python, Pearl)
• Testing tools (e.g., Nessus, Metasploit)
• Segmentation testing

‍How often should I get a penetration test?

‍You should do a penetration test at least once a year and after any major network changes. Establish what your organization considers a major change; what may be a major change to a small organization could be a minor change to a larger one.

Whenever large infrastructure changes occur, perform a penetration test to see if that new change added any new vulnerabilities.‍

How much does a penetration test cost?

‍The cost of a pen test can vary, depending on various factors, such as:

• Complexity: the size and complexity of your business environment are two big factors in pricing. More complex environments require more labor
• Methodology: pen testers have different ways to conduct penetration tests, some using more expensive tools than others
• Experience: pen testers with more experience will be more expensive, but their tests will be higher quality. Look for pen testers with credentials like CISSP, GIAC, CEH, and/or OSCP
• Onsite: some pen tests will have to be done onsite, which tends to cost more. Onsite visits are also required if you want a physical security or social engineering pen test
• Remediation: some pen testers will include remediation assistance and/or retesting in their price. For others that will cost extra

Taking these factors into account, a penetration test could start around $4,000 and rise well above $20,000.

Remember you usually get what you pay for. Beware of pen testers that offer prices that are too good to be true, since they probably aren’t doing a thorough job.‍

See also: How Much Does a Pentest Cost?‍

Want to learn more about penetration testing in healthcare? Read our latest white paper What Healthcare Needs to Know about Penetration Testing.