What to look for in a HIPAA pentest?

What are HIPAA security requirements?

As an overview, the HIPAA Privacy Rule governs how Protected Health Information (PHI) may be used and disclosed, and the HIPAA Security Rule requires reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of PHI that is stored or transmitted electronically, known as ePHI. PHI is health information tied to identifiers such as Social Security numbers, names, addresses, healthcare records, insurance information and even family relationships.

Weaknesses that put ePHI at risk can be both technical and non-technical. Technical examples are outdated software, flawed applications and insecure cryptographic algorithms. Non-technical issues deal primarily with ineffective policies or procedures, such as an overly permissive access permission scheme, weak password management and the lack of a response protocol for security incidents.

Is a pentest mandatory?

According to RSI Security, meeting both HIPAA rules requires at least a vulnerability management program. The Security Rule itself mandates a risk analysis but does not name penetration testing, so such a program may or may not include a pentest conducted on a regular basis. Nevertheless, the alternative, relying on vulnerability scans alone, falls short given the rise in cybersecurity incidents in recent years.

Why is a pentest a good option?

A pentest is a security assessment conducted by human testers. It not only addresses technical deficiencies in a defined environment, such as a mobile application, a SQL database or an internal subnet, but also looks for logic and design flaws, which a vulnerability scan hardly covers. That's why a pentest is a good option for staying compliant.

Is a HIPAA pentest different from an ordinary one?

At Red Sentry, our pentests always follow a rather standard methodology:

  • It all starts with a reconnaissance phase, where information about the target environment is gathered using both "passive" and "active" strategies.
  • With that information, we try to learn as much as possible about the technology used by the different services running inside the target environment.
  • Once the above phases are complete, an attack vector is usually clear, but not always, so to make sure the environment is safe we perform a set of attacks against the different services.
  • Finally, a report containing detailed information about the findings is delivered to the client.

For a HIPAA pentest, ePHI is at the center of the operation, so the recon phase should focus on identifying what kinds of ePHI are stored in and transported around the environment. Next, the technology stack gives the assessment team a good idea of how data is stored and where the most valuable data is likely to reside.

The exploitation phase should then emphasize attacks that directly violate the HIPAA Security and Privacy rules. For example, a SQL injection that lets an attacker extract patient records containing personally identifiable information should be prioritized over brute-forcing access to an auxiliary application that only holds performance data about other applications.
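To make that prioritization concrete, here is an added example (not Red Sentry's code or tooling) of the kind of finding described above: a patient lookup that concatenates user input into its SQL, beside a hardened version that validates and binds the id. The `patients` table, the patient rows and the `1 OR 1=1` payload are all constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for an ePHI store (not real patients).
SAMPLE_PATIENTS = [
    (1, "Ana Gomez", "123-45-6789", "diabetes"),
    (2, "Ben Ito", "987-65-4321", "asthma"),
    (3, "Cara Lee", "555-12-3456", "hypertension"),
]


def make_db():
    """Build an in-memory SQLite database with a small patients table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER, name TEXT, ssn TEXT, diagnosis TEXT)"
    )
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", SAMPLE_PATIENTS)
    return conn


def lookup_vulnerable(conn, patient_id):
    """Patient lookup with the id concatenated into the SQL text.

    Whatever the caller supplies becomes part of the query, so a payload
    such as "1 OR 1=1" turns a single-record lookup into a dump of the
    whole table: every name, SSN and diagnosis leaves the database.
    """
    sql = f"SELECT name, ssn, diagnosis FROM patients WHERE id = {patient_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, patient_id):
    """Hardened lookup: validate the type, then bind it as a parameter.

    int() rejects anything that is not a plain integer before it reaches
    the database, and the '?' placeholder guarantees the value is treated
    as data, never as SQL.
    """
    pid = int(patient_id)  # raises ValueError on "1 OR 1=1"
    return conn.execute(
        "SELECT name, ssn, diagnosis FROM patients WHERE id = ?", (pid,)
    ).fetchall()


def demo(payload="1 OR 1=1"):
    """Run the constructed attacker payload against both lookups.

    Returns (rows leaked by the vulnerable lookup, whether the safe lookup
    rejected the payload).
    """
    conn = make_db()
    leaked = lookup_vulnerable(conn, payload)
    try:
        lookup_safe(conn, payload)
        blocked = False
    except ValueError:
        blocked = True
    return len(leaked), blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print(f"vulnerable lookup leaked {leaked} patient records; "
          f"safe lookup rejected the payload: {blocked}")
```

The vulnerable function hands back every record in the table, which is a direct breach of ePHI confidentiality. That is exactly why such a finding outranks one that only exposes operational metrics about other applications, even if the latter is easier to exploit.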

Finally, the report should highlight where the HIPAA rules were violated and how each finding should be remediated.

There are different kinds of threats out there, which is why at Red Sentry we provide multiple solutions. Try one of our pentests and discover how your cybersecurity can be taken to the next level.

Andres Pena
Security engineer, developer and economist