HIPAA Compliance Testing & Penetration Testing Checklist

We all want simplicity, but there’s no getting around that compliance with the Health Insurance Portability and Accountability Act of 1996 is complicated. However, you can use a couple of checklists along with penetration testing of your system to verify that you have hit all the bases.

• Infrastructure Checklist: Verifying Hosting Service Compliance
• Policies & Procedures Checklist: Verifying In-House Compliance
• Penetration Testing: Verifying Actual System Security
• Simplification via HIPAA Compliant Hosting

Infrastructure Checklist: Verifying Hosting Service Compliance

Whether you are a covered entity or a business associate, HIPAA compliance is critical. No one wants their patients to feel that their records are unsafe and could fall into the hands of state-sponsored Chinese hackers (believed responsible for both Anthem and Community Health Systems) or others. Also, no one wants the huge HHS fines associated with violations.

One significant aspect of compliance and the first thing that everyone turns toward when looking at the law is IT systems. Here is an essential checklist for infrastructure and core technologies:

• Firewalls – hardware firewalls, software firewalls, and web application firewalls.
• Two-factor authentication – Set up 2FA on all aspects of your site. Everything requiring a username and password should also necessitate a second factor, typically a numerical code sent to a mobile device.
• Off-site backup – Ensure that all ePHI is backed up at a distant geographical location.
• SSL certificates – This technology should be site-wide, bare-minimum covering all domains and subdomains through which you can access protected information.
• SSL VPN – This type of virtual private network (the standard alternative to an IPsec VPN) uses SSL certificates to facilitate a secure client-server connection through the browser.
• Encrypted VPN – You want the VPN to be encrypted, especially considering whistleblower Edward Snowden’s revelation that the National Security Agency’s XKeyscore system can penetrate VPNs. Attackers could have similar tools.
• Private hosted environment – No resources can be shared.
• SSAE 16 auditing (optional) – If your hosting system meets this standard, it goes above and beyond the security expectations of HIPAA and meets the security parameters of the American Institute of Certified Public Accountants (AICPA).
• Business associate agreement (BAA) – All outside organizations with which you partner must be in a contractual relationship with you, as outlined in a BAA.

Additional resources related to the above:

AICPA – SSAE 16 guidelines

HHS – Security Rule guidelines

Policies & Procedures Checklist: Verifying In-House Compliance

Not everything is technological, so it’s not just about entrusting a hosting company to build your system appropriately. You also need to make sure that you are operationally sound with appropriate policies and procedures:

• Create a security and privacy policy
• Appoint a security and privacy officer
• Conduct regular risk assessments
• Create an email policy that either encrypts all messages containing health data (preferred) or informs patients that emailing the data is risky.
• Create a policy for mobile devices and laptops. Note that unencrypted laptops represent the most common HIPAA violation, while the theft of an encrypted laptop is not even considered a data breach.
• Conduct regular staff training.
• Create a privacy notice to post to your site and hand it out to all patients.
• As established above, confirm that you have business associate agreements signed with all companies that come into contact with your health data.
• Develop a breach documentation and notification policy.
• Set up regular enforcement reviews to guarantee that all privacy and security policies are followed.

Penetration Testing: Verifying Actual System Security

Atlanta security analyst and author Mike Rothman recommends penetration testing over vulnerability scanning to ensure compliance.

What is penetration testing or pen testing? “I also call it ‘security assurance,’” explained Rothman, “and define it as anything and everything that tests where and how corporate networks, systems, and applications can be compromised, as opposed to flagging theoretical vulnerabilities.”

You can think of professionals who make a living in the penetration testing field as white-hat hackers. They utilize the same software and methods, but they typically become much more diverse and granular in their attacks than a run-of-the-mill attacker looking for an easy target.

Third-party penetration testing is required by various laws and standards such as HIPAA, SOX, and PCI-DSS. However, pen testers recommend that their services be performed much more regularly – which seems completely valid given the trend of hackers staying within systems for months (Sony, Anthem, US State Department, etc.).

Rather than simply listing what is vulnerable as a vulnerability scanner does, a penetration test informs you what could be compromised. It goes beyond the technology to look at the human element, a typical target for criminal exploitation.

Plus, vulnerability scanners sometimes turn up false leads. “There are lots of reasons why a vulnerable machine may not be exploitable,” said Rothman. “A scanner will tell security professionals it’s a problem. A pen test will assure them that it isn’t, and that provides a lot of value.”

Simplification via HIPAA Compliant Hosting

Although you want to ensure that all your compliance bases are covered, that doesn’t mean that you want to maintain and monitor the entire infrastructure in-house. Certainly, you have other, more mission-specific things to do, and it’s much safer to trust the credibility of a provider staffed with security professionals who maintain and offer HIPAA Compliant Hosting 24/7/365. We provide complete HIPAA-compliant hosting services, including HIPAA webhosting.

By Moazzam Adnan