Penetration Testing for HIPAA Compliance

by Sarah Harvey / September 27th, 2017

What is Penetration Testing?

Penetration testing is a critical line of defense when protecting your organization’s sensitive assets from malicious outsiders. Penetration testing is the process of performing authorized security testing of an environment to identify and exploit weaknesses associated with the targeted systems, networks, and applications before those weaknesses can be exploited by a real attacker. When performed in support of HIPAA compliance, the goal is to identify issues that could result in access to Electronic Protected Health Information (ePHI). The most common penetration testing types include:

  • Internal and External Infrastructure testing focuses on servers, workstations, and other network devices that are within the target environment. The goal is to identify exploitable weaknesses that could allow an attacker to gain access to these systems, ultimately leading to access to sensitive data.
  • Web Application testing involves attempting to identify and exploit common web vulnerabilities as well as business logic flaws that could allow an attacker to gain access to sensitive data.
  • Wireless Assessments assess the configuration and protections associated with wireless deployments, which can highlight issues that could allow unauthorized use of this connection. Wireless Assessments can also be performed to identify unauthorized access in your environment by performing rogue access point (AP) identification.
  • Social Engineering focuses on the human element that affects the security of your environment. Through email, phone, and SMS-based social engineering, it is possible to identify areas where employees are likely to fall victim to attackers attempting to convince them to provide information or take other actions that could lead to the compromise of systems and sensitive data. Performing this type of assessment can help your organization to highlight areas that should be strengthened through future security awareness training.

Listen to the full webinar to learn KirkpatrickPrice’s penetration testing methodology, penetration testing approaches, and how penetration testing fits into HIPAA laws.

More Penetration Testing for HIPAA Compliance Resources

HHS.gov HIPAA Security Rule for Professionals

164.308(a)(8) Standard: Evaluation

NIST SP800-66 – (HIPAA Implementation Guidance)

National Institute of Standards and Technology (NIST) SP800-115

Open Source Security Testing Methodology Manual (OSSTMM)

Open Web Application Security Project (OWASP)

Penetration Testing Execution Standard (PTES)

Penetration Testing Framework