Cyber Security & Analysis

HIPAA and Regulatory Compliance

For organizations participating in Meaningful Use, it is important to note that you have attested to being in compliance with the HIPAA Privacy and Security Rules. And even if you are not participating in Meaningful Use, you still need to follow HIPAA, and that goes for both Covered Entities and Business Associates. One of the best ways to safeguard your network and support HIPAA compliance is to perform the risk analysis the Security Rule requires (45 CFR 164.308(a)(1)(ii)(A)) and to review the security of your network infrastructure.

What Is Penetration Testing?

Penetration testing is the process of identifying security gaps in your IT infrastructure by simulating the methods of a real attacker, with authorization and within agreed rules of engagement. Think of it as quality assurance for your IT security.

Like most of our clients, you probably think that quality assurance is both a sensible and necessary component of delivering behavioral healthcare. It is sensible because it is good business practice to ensure that you are providing good care, and it is necessary because it is usually required by payers, regulators and contracts. Network penetration testing is also sensible and often necessary, depending on the structure of your contracts and operating environment.

Some penetration testers prefer the term "security assessment" over "penetration testing." The two overlap heavily, but they are not quite interchangeable: a security assessment may stop at identifying and rating weaknesses, whereas a penetration test also attempts to exploit them. Penetration testers are sometimes called the Red Team, a term borrowed from military war-gaming exercises in which the Red Team plays the adversary and the Blue Team defends.

If you wonder how penetration testing relates to port scanning and vulnerability management, you’re not alone. Although they are related, they are quite different:

  • Port scanning identifies which ports are open on a host, and therefore which services are reachable over the network.
  • Vulnerability management (vulnerability scanning) identifies potential vulnerabilities by matching the detected versions of operating systems and applications against databases of known flaws. It reports what might be exploitable without proving that it is.
  • Penetration testing goes further and tries to exploit those weaknesses to take control of systems and obtain data, demonstrating real impact rather than theoretical exposure.

The differences between the three are easier to understand if you think of your network as a house:

  • Port scanning is like counting the doors and windows on the house.
  • Vulnerability management is like walking around the house and listing all the doors, windows and locks that are reportedly insecure based on their vendor and model information.
  • Penetration testing is like actually trying to break into the house by picking the weak locks or climbing through a poorly secured window.
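The distinction between the first two steps is easiest to see in code. The following is an added example written for this page, not a tool from the original article: it runs a TCP connect scan against a throwaway listener on 127.0.0.1 (the "count the doors" step), grabs the service banner, and then matches the advertised product and version against a constructed advisory table (the "reportedly insecure lock" step). The banner format "Product/x.y.z", the product name ExampleSvc and the advisory ID EXAMPLE-ADV-0001 are all assumptions made up for the example; nothing here attempts exploitation, which is the part only a penetration test does.

```python
import socket
import threading

# Constructed advisory table for this example (not real advisories):
# product -> list of (first affected version, first fixed version, advisory id).
ADVISORIES = {
    "ExampleSvc": [((1, 0, 0), (1, 3, 0), "EXAMPLE-ADV-0001")],
}


def start_banner_server(banner: bytes):
    """Start a throwaway listener on 127.0.0.1 that sends `banner` to each
    client and closes. Returns (port, server_socket); close the socket to stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0 = let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed: shut the thread down
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def free_port() -> int:
    """Pick a port that is currently closed, to show what a scan does NOT report."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def scan_ports(host: str, ports, timeout: float = 0.5):
    """Port scanning: a completed TCP handshake means something is listening.
    connect_ex() returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Read whatever the service volunteers on connect (its version string)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""


def parse_banner(banner: str):
    """'ExampleSvc/1.2.3' -> ('ExampleSvc', (1, 2, 3)); None if unrecognised.
    The 'Product/x.y.z' layout is an assumption of this example."""
    product, sep, version = banner.partition("/")
    if not sep:
        return None
    try:
        return product, tuple(int(part) for part in version.split("."))
    except ValueError:
        return None


def match_advisories(banner: str, advisories=ADVISORIES):
    """Vulnerability scanning: compare the advertised version against the
    affected range. This only says the version is *reportedly* vulnerable."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    return [adv for low, fixed, adv in advisories.get(product, ())
            if low <= version < fixed]


def demo():
    """Run the three steps against a local listener and return the findings."""
    port, srv = start_banner_server(b"ExampleSvc/1.2.3\r\n")   # constructed banner
    try:
        open_ports = scan_ports("127.0.0.1", [port, free_port()])
        banner = grab_banner("127.0.0.1", port)
        return {"open": open_ports, "banner": banner,
                "advisories": match_advisories(banner)}
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

Note that the scan finds the listener and the version match flags it, yet neither step has shown that the flaw is actually reachable or exploitable in this deployment; a backported patch, a compensating control, or a simply wrong banner would all produce the same report. That residual uncertainty is exactly the gap a penetration test is meant to close.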

Why Penetration Test?

People conduct penetration tests for a number of different reasons:

  • Prevent data breaches: Since a penetration test is a controlled, authorized way to simulate an attack on the network, you learn whether and how you are exposed before a real attacker does. It is a fire drill to ensure you are prepared if there is ever a real fire.
  • Check security controls: You probably already have a number of security measures in place, such as firewalls, encryption, DLP, and IDS/IPS. Penetration tests let you check whether those defenses actually work, both the systems and the teams that watch them.
  • Ensure the security of new applications: When you roll out a new application, whether hosted by you or by a SaaS provider, it makes sense to conduct a security assessment before the roll-out, especially if the application handles sensitive data. Example applications include electronic health record systems (EHR), marketing automation platforms (MAP), HR's applicant tracking system, and health insurance providers' benefits management software.
  • Get a baseline on your security program: New CISOs often commission a security assessment when they join a company to obtain a gap analysis of the security program. This shows them how effectively the organization deals with cyber-attacks. These assessments are sometimes conducted without the knowledge of the IT security team, because advance warning could otherwise influence the results; even then, someone with the authority to do so must authorize the test in writing and agree the scope and rules of engagement beforehand.
  • Compliance: Some regulations and standards call for gap analyses and penetration tests. PCI DSS explicitly requires penetration testing (Requirement 11), while HIPAA requires a risk analysis and periodic technical evaluation, which a penetration test is a widely accepted way to satisfy. Make sure you understand the scope, method and frequency your auditor expects, so that the test you commission actually satisfies the audit.