Medical information is highly valuable – perhaps more profitable to hackers than credit card data. It often includes social security numbers, birth dates, insurance numbers, diagnosis codes, and billing information. Hackers can use this data to commit identity fraud and to secure false prescriptions. It is vital that medical institutions perform regular pen testing to assure themselves, their clients, and their regulatory agencies that data is safe from prying eyes.
HIPAA (Health Insurance Portability and Accountability Act of 1996) is the US federal law that governs the privacy, safety, and electronic exchange of medical information. As part of remaining compliant with HIPAA, medical institutions must perform regular technological tests of their data security. What better way to test a system than to think like the person hacking it? That’s what a pen tester does.
Specifically, HIPAA Evaluation Standard § 164.308(a)(8) applies to penetration testing. A covered entity or business associate is required to perform a periodic technical and nontechnical evaluation. A technical evaluation is typically defined as performing a vulnerability assessment or a penetration test. Essentially, the technical evaluation provides validation that the controls defined in the documentation are actually implemented effectively and working as described. The nontechnical evaluation assesses the plan on paper, whereas the technical evaluation assesses the implementation of the plan. An independent third-party should perform the technical evaluation.
Additionally, NIST has issued guidance (NIST 800-66) for HIPAA that states, “Conduct penetration testing (where trusted insiders attempt to compromise system security for the sole purpose of testing the effectiveness of security controls), if reasonable and appropriate.”