Is penetration testing required for HIPAA compliance?

June 22, 2015, Andrew Hicks, Managing Principal, Coalfire

HIPAA has been around for a while now but it still amazes us that some covered entities and business associates fail to comply with a specific standard requirement:  § 164.308(a)(8) Standard: Evaluation.  This standard requires a covered entity or business associate to perform a periodic technical and nontechnical evaluation.   

In this blog post we’re going to focus our discussion on the technical requirement part of this standard.  The evaluation is supposed to establish the extent to which a covered entity’s (or business associate’s) security policies and procedures meet the requirements of the HIPAA Security Rule.  A question is posed: how does an organization evaluate this requirement without performing specific technical testing?

In the information security arena, ‘technical testing’ is normally defined as performing a vulnerability and/or penetration test.  Plain and simple, we aren’t sure of any other way to determine if technical controls mandated by policies and procedures are appropriately implemented without performing some type of technical evaluation that should include a thorough vulnerability and penetration test.   

To further expand on this topic, this testing should be performed by an independent and credentialed expert.  Many times organizations try to save money or cut corners believing that their IT departments can perform their own technical testing.  How is an organization able to accurately identify their security risks if they have the department that’s responsible for these concerns, test themselves?

With the increase of hacking attacks in healthcare and the knowledge that ‘wannabe hackers’ can buy their own DIY hacking kits from the ‘dark web’, healthcare organizations can no longer go without performing these types of evaluations.  In fact, security experts recommend that healthcare organizations perform a minimum of quarterly vulnerability tests and annual penetration tests.  Some may be asking, what is the difference between a vulnerability test and a penetration test?

To explain this difference let’s look at an analogy involving a burglar checking out a neighborhood for a house to break into.  A vulnerability test is synonymous with the burglar checking doors and windows to make sure they’re locked.  A penetration test actually begins when the burglar finds an open door (or window) and gains entry into the house.  (It can also start when the burglar decides to break a window and enter the house.)  A penetration test simulates a potential attack on an organization’s network or application environment that a hacker might perform on a targeted organization.

We help our clients see how susceptible their organizations are to a compromise.  Our testing services are different because we provide a great evaluation as opposed to just a good evaluation through:

  • the quality of the analysis
  • our ability to interpret the findings and translate them into business ‘talk’
  • a strong rationale for justifying expenditures to mitigate risks

Let us know if we can help your organization with the most thorough evaluation, a key step in assuring what your security state is like and getting you into compliance with the HIPAA regulations.

Andrew Hicks


Andrew Hicks — Managing Principal, Coalfire

Recent Posts

Post Topics