Skip to main content
Sister Publication Links
  • ESG: THE IMPLEMENTATION IMPERATIVE
Subscribe
  • Sign Up Free
  • Login
  • Subscribe
  • News
    • Current News
    • Providers
    • Insurance
    • Digital Health
    • Government
    • Finance
    • Technology
    • Safety & Quality
    • Transformation
    • People
    • Regional News
    • Digital Edition (Web Version)
    • Patients
    • Operations
    • Care Delivery
    • Payment
    • Midwest
    • Northeast
    • South
    • West
  • Unwell in America
  • Opinion
    • Bold Moves
    • Breaking Bias
    • Commentaries
    • Letters
    • Vital Signs Blog
    • From the Editor
  • Events & Awards
    • Awards
    • Conferences
    • Galas
    • Virtual Briefings
    • Webinars
    • Nominate/Eligibility
    • 100 Most Influential People
    • 50 Most Influential Clinical Executives
    • Best Places to Work in Healthcare
    • Excellence in Governance
    • Health Care Hall of Fame
    • Healthcare Marketing Impact Awards
    • Top 25 Emerging Leaders
    • Top 25 Innovators
    • Diversity in Healthcare
      • - Luminaries
      • - Top 25 Diversity Leaders
      • - Leaders to Watch
    • Women in Healthcare
      • - Luminaries
      • - Top 25 Women Leaders
      • - Women to Watch
    • Digital Health Transformation Summit
    • ESG: The Implementation Imperative Summit
    • Leadership Symposium
    • Social Determinants of Health Symposium
    • Women Leaders in Healthcare Conference
    • Best Places to Work Awards Gala
    • Health Care Hall of Fame Gala
    • Top 25 Diversity Leaders Gala
    • Top 25 Women Leaders Gala
    • - Hospital of the Future
    • - Value Based Care
    • - Hospital at Home
    • - Workplace of the Future
    • - Digital Health
    • - Future of Staffing
    • - Hospital of the Future (Fall)
  • Multimedia
    • Podcast - Beyond the Byline
    • Sponsored Podcast - Healthcare Insider
    • Video Series - The Check Up
    • Sponsored Video Series - One on One
  • Data Center
    • Data Center Home
    • Hospital Financials
    • Staffing & Compensation
    • Quality & Safety
    • Mergers & Acquisitions
    • Data Archive
    • Resource Guide: By the Numbers
    • Surveys
    • Data Points
  • MORE+
    • Contact Us
    • Advertise
    • Media Kit
    • Newsletters
    • Jobs
    • People on the Move
    • Reprints & Licensing
MENU
Breadcrumb
  1. Home
  2. Operations
Sponsored Content Provided By NetSPI
This content was created by and paid for by an advertiser. The Crain's editorial department was not involved in the creation of this content.
March 01, 2023 01:00 AM

Checklist to comply with HIPAA’s security rule

Chad Peterson, NetSPI

  • Tweet
  • Share
  • Share
  • Email
  • More
    Reprints Print
    netspi

    Since the inception of the Health Insurance Portability and Accountability Act in 1996, covered entities have had to navigate its murky waters.

    Last year, the Department of Health and Human Services Office for Civil Rights filed 22 HIPAA resolution agreements totaling over $1.12 million in settlement fines. In the past two months, penalties have surpassed that number, with two settlements totaling $1.27 million. This trend points to HHS becoming more stringent with its enforcement. This could also be driven by increased ransomware attacks and opportunistic nation-state adversaries eyeing the industry as a target.

    The HIPAA Security Rule has left many of us wanting more. The vague nature of the rule leaves much of the compliance requirements up for interpretation. It was written to ensure healthcare organizations are doing what is necessary to protect electronic protected health information – yet there is no explicit mention of penetration testing.

    HIPAA is notorious for telling security leaders what needs to be done to achieve compliance without explaining how to get there. Let’s eliminate the gray area and examine penetration testing’s critical role in HIPAA compliance.

    What is HIPAA pentesting?
    Let’s start off with a harsh truth: There is no such thing as a “HIPAA pentest.” Though we often see the term used in marketing, pentesting has long been an unwritten component within the HIPAA Security Rule.

    The following items within the administrative safeguards section touch on security testing criteria:

    • Standard 45 CFR 164.308(a)(1)(i): Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
      • Implementation specifications 45 CFR 164.308(a)(1)(ii)(A): Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
    • Standard 45 CFR 164.308(a)(8): Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

    Here, you will find standards and implementation specifications around workforce security, information access management, security awareness training, and contingency planning. These can be evaluated and validated through various offensive security engagements, such as pentesting, red teams, breach and attack simulation, or social engineering.

    While HIPAA does a great job of highlighting the requirements clearly, here is a checklist to help you meet the needs of Security Rule.

    HIPAA pentesting checklist

    • Continuous penetration testing: HIPAA requires “periodic” evaluations, particularly in response to environmental or operational changes. The rate of change in healthcare environments has increased exponentially over the years. Continuous pentesting can take the form of more frequent tests enabled by a penetration testing as a service (PTaaS) delivery model or through an attack surface management platform. As a rule of thumb, critical moments of change could include version upgrades of software that houses ePHI or architecture changes. At the very least, perform penetration tests quarterly.
    • Risk prioritization, with an emphasis on application security: Are you targeting the applications that pose the most significant risk to your sensitive health information? A pentest that meets HIPAA standards should continue beyond vulnerability discovery. Whether you are pentesting internally or working with a third-party partner, work together to identify which application pentests should be prioritized – and, more importantly, align on vulnerability severity definitions and remediation timelines based on your organization’s risk profile.
    • Validation of security controls: It is important to note that pentests can and should be used to validate your security controls. Are your pentests alerting you to flaws and policy gaps within your identity and access management, threat detection, and other security controls implemented? Additionally, consider breach and attack simulation (BAS) platforms to help evaluate and improve the effectiveness of your detective controls.
    • Comprehensive reporting and historical data: Standard 45 CFR 164.316(a) in the HIPAA Security Rule highlights policies, procedures, and documentation requirements. According to the standard, healthcare organizations must maintain a written record of each action, activity, or assessment. They also must retain documentation for six years from its creation.


    The relationship between pentesting and privacy
    HIPAA and other privacy regulations (GDPR, FERPA, CPRA) are in place to protect data from being exposed to unintended recipients. To accomplish this, all these require an organization's IT infrastructure to be secure.

    As privacy regulations and standards have evolved, if you are compliant with PCI DSS and are HITRUST certified, you will likely be HIPAA compliant. Both are significantly more prescriptive and actionable than the HIPAA rules.

    Pentesting is used to identify how a hacker can gain access to an environment and provide an organization with a roadmap to address those vulnerabilities and findings. It does not inherently make you secure; it makes you aware of your flaws.

    With frequent pentesting, organizations can check that they have successfully remedied known issues and identify any new concerns due to new equipment, configuration changes, or even missed patches on software or hardware.

    A proactive approach to HIPAA compliance
    Security and IT teams should approach HIPAA with a foundational mindset. The requirements outline what you should already be doing and thinking about continuously.

    Mature healthcare organizations have comprehensive vulnerability management and pentesting programs in place. Pentesting is a decisive first step towards compliance – when done right.

    View the Complete Guide to Ransomware Attacks in Healthcare below:


    Download the PDF





    Sponsored by

     

    netspi logo

    To learn more about NetSPI, please visit here. 

    Most Popular
    1
    More healthcare organizations at risk of credit default, Moody's says
    2
    Centene fills out senior executive team with new president, COO
    3
    SCAN, CareOregon plan to merge into the HealthRight Group
    4
    Blue Cross Blue Shield of Michigan unveils big push that lets physicians take on risk, reap rewards
    5
    Bright Health weighs reverse stock split as delisting looms
    Sponsored Content
    Get Newsletters

    Sign up for enewsletters and alerts to receive breaking news and in-depth coverage of healthcare events and trends, as they happen, right to your inbox.

    Subscribe Today
    MH Magazine Cover

    MH magazine offers content that sheds light on healthcare leaders’ complex choices and touch points—from strategy, governance, leadership development and finance to operations, clinical care, and marketing.

    Subscribe
    Connect with Us
    • LinkedIn
    • Twitter
    • Facebook
    • RSS

    Our Mission

    Modern Healthcare empowers industry leaders to succeed by providing unbiased reporting of the news, insights, analysis and data.

    Contact Us

    (877) 812-1581

    Email us

     

    Resources
    • Contact Us
    • Advertise with Us
    • Ad Choices Ad Choices
    • Sitemap
    Editorial Dept
    • Submission Guidelines
    • Code of Ethics
    • Awards
    • About Us
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Modern Healthcare
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.
    • News
      • Current News
      • Providers
      • Insurance
      • Digital Health
      • Government
      • Finance
      • Technology
      • Safety & Quality
      • Transformation
        • Patients
        • Operations
        • Care Delivery
        • Payment
      • People
      • Regional News
        • Midwest
        • Northeast
        • South
        • West
      • Digital Edition (Web Version)
    • Unwell in America
    • Opinion
      • Bold Moves
      • Breaking Bias
      • Commentaries
      • Letters
      • Vital Signs Blog
      • From the Editor
    • Events & Awards
      • Awards
        • Nominate/Eligibility
        • 100 Most Influential People
        • 50 Most Influential Clinical Executives
        • Best Places to Work in Healthcare
        • Excellence in Governance
        • Health Care Hall of Fame
        • Healthcare Marketing Impact Awards
        • Top 25 Emerging Leaders
        • Top 25 Innovators
        • Diversity in Healthcare
          • - Luminaries
          • - Top 25 Diversity Leaders
          • - Leaders to Watch
        • Women in Healthcare
          • - Luminaries
          • - Top 25 Women Leaders
          • - Women to Watch
      • Conferences
        • Digital Health Transformation Summit
        • ESG: The Implementation Imperative Summit
        • Leadership Symposium
        • Social Determinants of Health Symposium
        • Women Leaders in Healthcare Conference
      • Galas
        • Best Places to Work Awards Gala
        • Health Care Hall of Fame Gala
        • Top 25 Diversity Leaders Gala
        • Top 25 Women Leaders Gala
      • Virtual Briefings
        • - Hospital of the Future
        • - Value Based Care
        • - Hospital at Home
        • - Workplace of the Future
        • - Digital Health
        • - Future of Staffing
        • - Hospital of the Future (Fall)
      • Webinars
    • Multimedia
      • Podcast - Beyond the Byline
      • Sponsored Podcast - Healthcare Insider
      • Video Series - The Check Up
      • Sponsored Video Series - One on One
    • Data Center
      • Data Center Home
      • Hospital Financials
      • Staffing & Compensation
      • Quality & Safety
      • Mergers & Acquisitions
      • Data Archive
      • Resource Guide: By the Numbers
      • Surveys
      • Data Points
    • MORE+
      • Contact Us
      • Advertise
      • Media Kit
      • Newsletters
      • Jobs
      • People on the Move
      • Reprints & Licensing