HIPAA (Health Insurance Portability and Accountability Act of 1996) is the US federal law that governs
the privacy, safety, and electronic exchange of medical information. As part of remaining compliant with HIPAA, medical
institutions must perform regular security control validation of their data security. What better way to test a system
than to think like a hacker. Breachlock offers automated penetration testing to meet HIPAA compliance
Specifically, HIPAA Evaluation Standard § 164.308(a)(8) applies to penetration testing. A covered entity or business associate is required to perform a periodic technical and nontechnical evaluation. A technical evaluation is typically defined as performing a vulnerability assessment or a penetration test. Essentially, the technical evaluation provides validation that the controls defined in the documentation are implemented effectively. The nontechnical evaluation assesses the plan on paper, whereas the technical evaluation assesses the implementation of the plan. An independent third-party should perform the technical evaluation.
Additionally, NIST has issued guidance (NIST 800-66) for HIPAA that states, “Conduct penetration
testing (where trusted insiders attempt to compromise system security for the sole purpose of testing the effectiveness
of security controls), if reasonable and appropriate.”
Although HIPAA only specifies a penetration test annually, BreachLock recommends a quarterly program that includes security control validation.