HIPAA Q&A on Penetration Testing and Vulnerability Scanning

By Steve Spearman, Founder and Chief Security Consultant for Health Security Solutions
Twitter: @HIPAASolutions
LinkedIn: Our HIPAA Chat Group
Host of HIPAA ChatJoin us on the next broadcast.

Although there is no regulation that explicitly requires vulnerability scanning and penetration testing, assessing the vulnerabilities of your network and IT assets is essential for understanding the risks posed to your organization. In this week’s Q&A, HIPAA Chat host Steve Spearman spoke with Mike Pearson, information security expert, about the differences between penetration testing and vulnerability scanning and how these techniques can facilitate HIPAA compliance.

Q: What is the difference between penetration testing and vulnerability scanning?

A: Penetration testing (also called pentesting) is a manual process that attempts to exploit any vulnerabilities identified in a network that can be used to gain access to the network, just like a hacker would. Essentially, pentesting evaluates a security control’s ability to prevent a data breach.

Vulnerability scanning is typically an automated, high-level process that identifies any possible security holes in a network, but generates many false positives that must be manually verified. This type of scanning is different from a pentest in that it doesn’t always take that next step of trying to use those vulnerabilities to break in and steal data.

Q: For an ordinary penetration test, would you try to exploit every vulnerability you found?

A: No. Hackers are lazy and, like water, they tend to follow the path of least resistance. Therefore when we pentest, we’re only going to use the most obvious vulnerabilities to capture the data we want.

Q: Does HIPAA require vulnerability testing and/or penetration testing?

A: Strictly speaking, HIPAA does not require a penetration test or a vulnerability scan. However, it does require a risk analysis which, effectively, requires covered entities to test their security controls. Two significant and important methods for testing security controls are vulnerability scanning and penetration testing. It is possible that, in the future, an auditor or administrative law judge could, given the prevalence of hacking events in healthcare, render a judgement against a covered entity for failing to do a vulnerability scan.

In addition, NIST has issued a special recommendation for HIPAA that says, “Conduct trusted penetration testing of the effectiveness of security controls in place, if reasonable and appropriate. This validates your exposure to actual vulnerabilities.” It also says to document any deficiencies that are identified in a technically detailed report and include effective, efficient, and clear methods for remediation. That is an NIST recommendation specifically for HIPAA.

Q: What has changed in the last year to make pentesting more essential than ever?

A: We’re seeing more externally-derived attacks by known hackers going after healthcare data. ePHI is not just a Social Security number, name, and address; it’s also healthcare records, insurance information, known relationships with doctors, maybe even family relationships.

Historically, covered entities haven’t locked down their networks adequately, and the more data an identity thief has on any individual, the easier it is to steal their identity.

Q: Is identity theft a primary motivation for these big hacks?

A: It’s one of the primary reasons. For healthcare information, many hacks come from either the former Eastern Bloc nations or from nation-state attackers, such as China and North Korea.

The Eastern Bloc is a hotbed for cyber criminals who are stealing this data to resell it on the black market so buyers can use it for identity theft.

Nation-state attackers are trying to complete dossiers on known agents in order to track these individuals, either for blackmail or to expose the agent’s existence.

Q: Do any other security regimes require pentesting?

A: Absolutely. If a healthcare organization processes routine credit card transactions, they must consider PCI, the payment card industry’s standard for security. The latest version of PCI (PCI DSS 3.1) specifically says that every organization with a significant number of credit card transactions must perform penetration testing on an annual basis.

Q: What is a Qualified Security Assessor (QSA) and do I have to have one pentest my healthcare organization?

A: QSA is a designation conferred by the PCI Security Standards Council to individuals and companies that meet specific information security education and training requirements. These individuals and companies are approved to perform PCI compliance assessments as they relate to the protection of credit card data.
For healthcare organizations and HIPAA compliance purposes, a QSA is NOT required. In fact, hiring a QSA is potentially problematic is that their area of domain expertise is credit card standards, not healthcare and HIPAA. Ideally, healthcare organizations should hire a security assessor and pentesting expert with experience in the healthcare domain and HIPAA.

Q: Does Health Security Solutions do vulnerability scanning and penetration testing?

A: Absolutely. Our healthcare security expertise allows us to evaluate your IT resources and identify vulnerabilities, particularly those that fall under the HIPAA Security Rule Standard. The remote penetration testing services that we offer are designed to identify vulnerabilities within your current IT resources and help your organization work toward HIPAA compliance. If you are interested in learning more about our pentesting and vulnerability scanning services, contact us today!

Steve Spearman hosts HIPAA Chat, a show produced by HITECH Answers airing on our Internet radio station, HealthcareNOWradio.com. Learn more about HIPAA Chat or download podcasts of the show. Find out more about attending the next taping of HIPAA Chat and ask your questions directly to Steve.