Being an IT company that specializes in HIPAA compliance, we get a lot of interesting inquiries that leave us scratching our heads. HIPAA penetration testing is one of those areas. We get an inquiry to perform penetration testing for a new customer, and almost always the request comes from a Covered Entity (CE) or Business Associate (BA) that hasn’t completed its HIPAA Risk Analysis but is certain it needs our help with penetration testing and nothing more.
First, here are some facts we need to clear up concerning HIPAA and penetration testing.
- HIPAA does not require penetration testing; the law never mentions it. Penetration testing is mentioned in the NIST Resource Guide, which states that it should be done if reasonable and appropriate.
- Your first step in HIPAA Security compliance should be a Security Risk Analysis, not penetration testing. The Security Risk Analysis is explicitly required by HIPAA, and it is what you use to determine what you need to protect and how you are protecting it now.
Many people assume that if their perimeter has been tested, attackers won’t actually get past the fence. In reality, hackers who are determined to break into a network can usually do so, eventually. Penetration testing is a term most people can understand. Yes, some off-color definitions come to mind for some people, but overall we all know it refers to an authorized attack on your network perimeter that attempts to penetrate your security measures. Many people don’t realize that it also involves assessing what damage could be done, and what data could be accessed, once the network has been broken into.
I believe the best approach, especially for small businesses, is to first confirm that you can block the hackers looking for easy targets, but then to assume that determined attackers will eventually break in. Put all the reasonable and appropriate perimeter measures in place, such as a business-class firewall and secured WiFi and remote access connections. Once that is done, focus on the internal network security measures you need to strengthen, based on your Security Risk Analysis.
A proper penetration test can be fairly expensive for a small business. Most of the BAs and CEs we work with have so many gaps in the required elements that they need to spend their money and effort on those areas before penetration testing is even discussed, especially when you consider the following information from the Ponemon Institute 2013 Cost of Data Breach Study: US:
- Root causes of data breaches across all business types in the study:
  - 26% System glitch
  - 33% Human error (employee negligence)
  - 41% Malicious or criminal attack
- Healthcare breaches have a per capita cost of $305, substantially above the $188 overall US average.
- Healthcare breaches tend to result in higher turnover of customers resulting directly from a breach incident (abnormal churn).
Penetration testing is not the panacea you seek. You should be concerned with preventing breaches, not just network hacks. Once you have put reasonable and appropriate network security measures in place so that your network is not an easy target, you are more likely to suffer HIPAA breaches caused by your employees, business associates, or your own systems and procedures. HHS breach numbers clearly show that, so far, a very small percentage of breaches actually involve hacking incidents, and the ones that do were usually due to a lack of basic security measures or to human error.