HIPPA Regulations for Pen Testing

n37sh@rk

Jr. Member

Posts: 70

Joined: Thu Jan 24, 2013 1:07 pm

Location: Anywhere

Post Thu Aug 15, 2013 7:12 am

HIPPA Regulations for Pen Testing

Hello everyone. My company has been approached by a healthcare facility to do a pen test. I am wondering if anyone on here has any experience with regulations or certain things that need to be done specifically with healthcare, specifically HIPPA regulations.

Thanks.

El33tsamurai

Full Member

Posts: 219

Joined: Sat Feb 03, 2007 4:01 pm

Post Thu Aug 15, 2013 7:53 am

Re: HIPPA Regulations for Pen Testing

Have you done research on this? What have you found so far?

n37sh@rk

Jr. Member

Posts: 70

Joined: Thu Jan 24, 2013 1:07 pm

Location: Anywhere

Post Thu Aug 15, 2013 8:05 am

Re: HIPPA Regulations for Pen Testing

I have done some research, and the only thing I have found was a NIST document relating to the HIPPA Security Rule. That details risk analysis from an internal standpoint, but I am not sure how it takes into account specifically a targeted attack from a contracted company. I know that legally there has to be a business associate agreement, but past that I haven't found anything else.

testdotphp

Newbie

Posts: 6

Joined: Tue Jul 02, 2013 7:39 am

Post Thu Aug 15, 2013 8:15 am

Re: HIPPA Regulations for Pen Testing

Well, I'd start with the acronym before even considering testing. It's HIPAA (Health Insurance Portability and Accountability Act).

One thing to strongly consider and discuss with the client would be the need for a BAA (Business Associate Agreement). A BAA is a contract between a healthcare provider and a business that may have access to PHI (Protected Health Information), which is possible during a penetration test. Even if you narrowly scope it to avoid things like an EMR (Electronic Medical Record) system, a tester may run into PHI. I recently ran across a drug screen result report on an employee laptop during an investigation. It was their report, but it was PHI that needs authorization for access.

HIPAA does not require "penetration testing" specifically as a method to test certain controls. However, HIPAA does require that controls are frequently audited (just like any other "compliance thing") and that certain controls are in place (compliance thing again) to protect health information. Looking at recent audits, risk assessments, or other testing would be a good place to start when scoping the pen test.

Also remember to determine which systems are critical. In the case of a healthcare provider, it can really be a case of life or death if a critical system goes down. If a first responder alert system stops "talking", it is a pretty big deal.

That's a start...


(Took a while to type this up...but like you said above - BAA.)
Look into the requirements for HIPAA and understand why it was started and what the goal of it is. The requirements are actually more straightforward and simple than things like SOX. Get balls deep into it all and figure it out. Lots of stuff out there.

n37sh@rk

Jr. Member

Posts: 70

Joined: Thu Jan 24, 2013 1:07 pm

Location: Anywhere

Post Thu Aug 15, 2013 8:23 am

Re: HIPPA Regulations for Pen Testing

Thanks! That is a great start; thank you for your help and for pointing me in the right direction. I do agree that a BAA is a very huge piece that needs to be in place before anything can happen on either side.

testdotphp

Newbie

Posts: 6

Joined: Tue Jul 02, 2013 7:39 am

Post Thu Aug 15, 2013 8:28 am

Re: HIPPA Regulations for Pen Testing

You're welcome.

I am sure that the client would know enough to require a BAA, but looking into why will help you understand that they aren't just being jerks; it really is a strong requirement to protect them (and patients and employees as well).

Good luck with all of it and let us know if you have any other questions, or just how it goes in general, once it gets into full swing.

n37sh@rk

Jr. Member

Posts: 70

Joined: Thu Jan 24, 2013 1:07 pm

Location: Anywhere

Post Thu Aug 15, 2013 8:31 am

Re: HIPPA Regulations for Pen Testing

Will do. I have found this to be a great resource for getting information and things going.
