HIPAA and Penetration Testing – Part II
In the first part of this article, we discussed the basics of HIPAA along with the Privacy Rule and the Security Rule in brief. It must be noted that the Security Rule only applies to ePHI, and it prescribes three types of safeguards – administrative, technical, and physical. Each of these safeguards is discussed in detail below.
The Security Rule
Administrative safeguards cover the policies and procedures an entity designs to show how it will comply with the requirements of the Act. The requirements related to this safeguard are as follows –
- Policies and procedures must be written, and the designated security official (the Security Officer the Rule requires the entity to appoint) should be responsible for their implementation.
- Policies and procedures must be supported by top management, and the entity must have a demonstrable intent to comply with the Act.
- Procedures should clearly identify which employees will have access to individuals' ePHI. Access should be the minimum necessary for them to perform their job functions.
- The procedures should address access authorization, establishment, modification, and termination.
- A covered entity must organize training programs for its workforce on the handling of ePHI.
- There must be a contingency plan for responding to emergencies, with provisions for data backup, disaster recovery, testing and revision of the plan, change control procedures, failure analysis, etc.
- Internal audits must be conducted at regular intervals, and the policies and procedures should document the scope, method, and frequency of those audits. Audits can be either routine or event-driven.
- There must be a procedure for responding to and addressing security incidents and breaches involving ePHI.
- If any business process is outsourced to a third party, the covered entity must obtain satisfactory assurances (normally through a business associate agreement) that the third party also complies with the Security Rule.
Physical safeguards control physical access to the systems holding protected data (e.g., ePHI) in order to prevent unauthorized or inappropriate access. They include –
- Procedures for introducing hardware and software into the network, and for removing them from it, must be documented.
- Access to the hardware and software on which ePHI is stored must be continuously monitored and controlled, and granted only to authorized individuals.
- Facility access controls required by the Rule include facility security plans, visitor sign-in records, maintenance records, etc.
- If a covered entity uses the services of an agent or a contractor, the entity must ensure that the third party is fully trained on its access responsibilities.
- There must be appropriate policies governing the proper use and security of workstations.
The primary goal of technical safeguards is to control access to computer systems while enabling a covered entity to protect its communications containing ePHI from being read by anyone other than the intended recipient. Technical safeguards include –
- Encryption of ePHI, at rest and in transit, is an "addressable" implementation specification: a covered entity must implement it where reasonable and appropriate, and where it decides not to (for example, on a closed network with strong access controls) it must document that decision and implement an equivalent alternative measure.
- A covered entity is responsible for maintaining the integrity of the ePHI it stores. It can use checksums, double-keying, message authentication codes, and digital signatures to do so. Note that an unkeyed checksum only detects accidental corruption; detecting deliberate tampering requires a keyed mechanism (a MAC or a digital signature) whose key the attacker does not hold.
- A covered entity should use identity corroboration techniques such as two- or three-way handshakes, telephone call-back, token systems, password systems, etc. to authenticate the entities with which it communicates.
- The policies and procedures prepared by a covered entity must be made available to the Secretary of HHS for determination of compliance.
- A covered entity should also maintain a documented record of all configuration settings on network components.
- A covered entity must perform and document risk analysis and risk management.
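The integrity point above is worth seeing in code, because "we store a checksum with every record" is a common answer during an audit and it is not enough. The following is an added example, not code from the original article: it protects a constructed ePHI record first with a plain SHA-256 checksum and then with HMAC-SHA256 under a key the application holds, and then simulates an insider who can write to the datastore but does not have the key. The record contents, the key, and the tampered value are all constructed for illustration.

```python
"""Integrity protection for a stored ePHI record: unkeyed hash vs. keyed MAC.

Added example, not from the original article. The record, the key and the
attacker's edit are constructed here for illustration only.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample record; no real patient data.
RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "dob": "1980-01-01",
    "diagnosis_code": "E11.9",
    "rx": "metformin 500 mg",
}

# Hypothetical integrity key held by the covered entity's application.
# In production it lives in a KMS/HSM, never beside the records it protects.
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed SHA-256: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def mac(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256: detects modification by anyone who lacks the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_checksum(record: dict, stored_checksum: str) -> bool:
    return hmac.compare_digest(checksum(record), stored_checksum)


def verify_mac(record: dict, stored_mac: str, key: bytes = INTEGRITY_KEY) -> bool:
    # compare_digest avoids leaking the position of the first mismatch via timing.
    return hmac.compare_digest(mac(record, key), stored_mac)


def tamper_scenario() -> dict:
    """Simulate an insider with write access to the datastore but not the key.

    Returns the outcome of each check so the behaviour can be verified.
    """
    stored_checksum = checksum(RECORD)
    stored_mac = mac(RECORD)

    # Attacker changes the prescription and recomputes the unkeyed checksum.
    forged = dict(RECORD, rx="metformin 5000 mg")
    forged_checksum = checksum(forged)

    return {
        "original_checksum_ok": verify_checksum(RECORD, stored_checksum),
        "original_mac_ok": verify_mac(RECORD, stored_mac),
        # The checksum accepts the forgery: anyone can recompute it.
        "forgery_passes_checksum": verify_checksum(forged, forged_checksum),
        # The stored MAC no longer matches the altered content ...
        "forgery_passes_stored_mac": verify_mac(forged, stored_mac),
        # ... and a MAC computed under a guessed key does not verify either.
        "forgery_with_wrong_key_passes": verify_mac(
            forged, mac(forged, key=secrets.token_bytes(32))
        ),
    }


if __name__ == "__main__":
    for name, outcome in tamper_scenario().items():
        print(f"{name}: {outcome}")
```

The checksum column in the database still has value for catching disk or transfer corruption, but as evidence of integrity against a user or administrator who can write to the table it is worthless; the MAC (or a digital signature, if a separate party must be able to verify without the key) is what the Rule's integrity standard actually calls for in that threat model.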
HIPAA and Penetration Testing FAQs
This section contains some of the questions most frequently asked of our experts. We hope that these answers will be helpful and ease your decision-making process.
Question 1. Is a penetration test a mandatory requirement under HIPAA?
Under § 164.308(a)(8) of the Security Rule, a covered entity must perform a periodic technical and nontechnical evaluation of how well its security controls protect ePHI. The Rule does not name penetration testing explicitly, but vulnerability assessment and penetration testing are two of the most important methods for testing security controls, so a penetration test is a natural way to satisfy the "technical evaluation" part of this requirement.
Moreover, in October 2008, NIST published SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which suggests conducting penetration tests, where reasonable and appropriate, to test the effectiveness of security controls.
Question 2. We are a HIPAA business associate, and we receive, maintain, and transmit ePHI for multiple health plans. Is it mandatory for us to conduct internal/external vulnerability scans or penetration tests to show compliance with the Security Rule?
As a business associate that receives, maintains, and transmits ePHI, you must comply with the Security Rule, which requires a risk analysis (a thorough and accurate assessment of the potential risks to the confidentiality, integrity, and availability of ePHI) and risk management (implementing security measures to reduce the identified risks and vulnerabilities to a reasonable and appropriate level). As in the previous answer, the Rule does not mandate vulnerability scans or penetration tests by name, but they are among the most effective ways to identify the technical vulnerabilities your risk analysis must consider, and they give your risk management measurable evidence that the controls work.