Penetration testing is useful when looking for vulnerabilities in an organizations’ computer network. Many healthcare agencies don’t understand penetration testing. Consider HIPAA penetration testing as an MRI for a healthcare facilities data.
Analysts will search, and identify, possible weaknesses and then attempt to exploit that very weakness. Potential problems in data system can be found by testing the ‘real-world’ security of HIPAA requirements in place.
The accepted standard for HIPAA Penetration testing, 164.308(a)(8) calls for regular evaluations of the data security controls. To beat a hacker the hospital’s IT needs to think like one.
The primary standard of HIPAA compliance is for healthcare facilities to run frequent evaluations. Businesses are required to show the computer network is secure and evaluated. Penetration testing is different than vulnerability testing.
A penetration test simulates a real cyber attack and looks at ways a hacker may use in gaining access.
Vulnerability testing, while useful, is not as thorough as penetration testing. For this reason, HIPAA compliance standards require agencies to perform penetration testing as their gold standard in security service protection.
Depending on the specific security needs, an internal and external test must be performed.
Internal Penetration testing includes a systems test within the network, giving the perspective of someone with legal, legitimate access to the computer network.
External testing means evaluating the system from a public and open network, externally of the hospital’s computer network.
The question of using an in-house tester or a third party is up to management. The importing thing is to ensure the correct methodology is used. Additionally, the inspector must be aware of the threats and weaknesses present in the healthcare industry. Although using an internal employee to run the test is less expensive, a third-party tester can offer a fresh pair of eyes and added expertise.
Whichever route is decided is best for a particular organization, testers should know about several tools as a minimum:
- Blackhat methodologies
- Web front-end technology
- Web programming languages
- Network technology and protocols
HIPAA penetration testing should be conducted at least every twelve months as well as immediately after significant changes in the network. Hospital administration can define, for their organization, what is considered a significant modification. What could be an essential change to a small agency may be a minor one to a vast agency?
How Much Does All This Cost?
The price will vary subject to multiple factors including:
- Experience of the testers
- Onsite or offsite testing
Considering all of these factors, a pen test may start at $4,000 and run upwards of $20,000: you get what you pay for. Be on the lookout for pen testers which offer prices too good to be true. A rate which seems low for the system could mean a complete job won’t be done.