Does HIPAA Require Penetration Testing?

Technically, no, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not specifically require penetration testing. But stick with me, because there are some important nuances to make note of here. While the act never specifically calls out vulnerability scans or penetration testing, there are a number of industry experts and standards organizations (including NIST) that agree that, where feasible for an organization, penetration testing is one of the best ways to meet several HIPAA requirements. We’ll set aside the fact that penetration testing is one of the recommended best practices for an organization’s security program and an integral part of continuously monitoring the effectiveness of security efforts. Instead, let’s focus on how penetration testing can help you meet a variety of HIPAA requirements, even though it’s not necessarily spelled out.

What Requirements Can Penetration Testing Help With?

The section of HIPAA that addresses “Evaluation” (§ 164.308(a)(8))51 specifically calls out “period technical and non-technical evaluation”  methods. On page 31 of their HIPAA guidance, NIST even calls out external and/or internal penetration testing as the recommended method of meeting these technical evaluation requirements, where reasonable and appropriate. Organizational size and budget can factor into this decision, but there’s no better and more realistic way to determine the effectiveness of your security controls and understand the real risks to electronic protected health information (ePHI) in your environment.

Additionally, the “Information Access Management” (§ 164.308(a)(4))27 portion mentions evaluating “security measures related to access control” and determining the effectiveness of authentication methods at preventing unauthorized access to ePHI and security-related assets. One of the primary objectives of a penetration testing team is to find ways to bypass access controls that are in place in order to gain unauthorized access to organizational systems.

Finally, the HIPAA Security Rule calls out a number of objectives that are all supported by regular security testing, including vulnerability scanning and penetration testing. Specifically, the following can all be demonstrated via security testing:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures;

Other Considerations

You may still be saying to yourself, “OK I can see how some penetration testing might be helpful but if it’s not really required why bother.” Well one important point here is, if you choose not to meet those requirements and objectives above via some type of security testing, such as vulnerability scanning or penetration testing, how do you plan on meeting them? You may be pretty hard pressed to find a means of reasonably complying without doing penetration testing. I have not heard of an alternative means of technical evaluation that wasn’t slightly concerning from a due diligence perspective. As with many compliance and security objectives, an ounce of prevention could save your organization a lot of future heart aches, as HIPAA negligence can be accompanied by some pretty stiff fines in the wake of a data breach. Just ask organization’s like Horizon Blue Cross or one of many universities hit with fines.

The other benefits from having a third-party handle some of this evaluation and measurement include the face that you get an objective report on your organization’s security posture. This can show to an auditor that you are making a best effort to have an expert evaluate your organization, that you’re making changes and updates based on the results, and that you are understanding and managing your risk appropriately. Security testing documentation feeds into a successful risk management program (which is also a HIPAA requirement).

So to recap – Does HIPAA require penetration testing? No. But you may find it difficult to truly meet HIPAA requirements and the intent of the regulation without some kind of security testing program and the associated documentation that demonstrates technical evaluation of security controls. What’s important is figuring out what is reasonable for your organization, based on size, budget, and scope of ePHI in your environment.