Atlantic.Net Blog

HIPAA Compliance Testing & Penetration Testing Checklist

Editorial Team
by Atlantic.Net (254 posts) under HIPAA Compliant Hosting

We all want simplicity, but there’s no getting around the fact that compliance with the Health Insurance Portability and Accountability Act of 1996 is complicated. However, you can use a couple of checklists along with penetration testing of your system to verify that you have hit all the bases.

  • Infrastructure Checklist: Verifying Hosting Service Compliance
  • Policies & Procedures Checklist: Verifying In-House Compliance
  • Penetration Testing: Verifying Actual System Security
  • Simplification via HIPAA Compliant Hosting

Infrastructure Checklist: Verifying Hosting Service Compliance

Whether you are a covered entity or a business associate, HIPAA compliance is extraordinarily important. No one wants their patients to feel that their records are unsafe and could fall into the hands of state-sponsored Chinese hackers (believed responsible for both Anthem and Community Health Systems) or others. Also, no one wants the huge HHS fines associated with violations.

One major aspect of compliance and really the first thing that everyone turns toward when they look at the law is IT systems. Here is a basic checklist for infrastructure and core technologies:

  • Firewalls – hardware firewalls, software firewalls, and web application firewalls.
  • Two-factor authentication – Set up 2FA on all aspects of your site. Basically everything that requires username and password should also necessitate a second factor, typically a numerical code sent to a mobile device.
  • Off-site backup – Make sure that all ePHI is backed up at a distant geographical location.
  • SSL certificates – This technology should be site-wide, at a bare minimum covering every domain and subdomain through which protected information can be accessed.
  • SSL VPN – This type of virtual private network (the standard alternative to an IPsec VPN) uses SSL certificates to facilitate a secure client-server connection through the browser.
  • Encrypted VPN – You want the VPN to be encrypted, especially considering whistleblower Edward Snowden’s revelation that the National Security Agency’s XKeyscore system can penetrate VPNs. Attackers could have similar tools.
  • Private hosted environment – No resources are shared with other tenants.
  • SSAE 16 auditing (optional) – If your hosting system meets this standard, it is going above and beyond the security expectations of HIPAA to also meet the security parameters of the American Institute of Certified Public Accountants (AICPA).
  • Business associate agreement (BAA) – All outside organizations with which you partner must be in a contractual relationship with you, as outlined in a BAA.
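The SSL certificate item above is the one control on this checklist that can be verified mechanically rather than by reading a contract. The script below is an added example, not code from Atlantic.Net or from the post: it takes an inventory of hostnames that serve ePHI and a list of certificate records, and reports any name that no certificate covers or whose certificate is expired or close to expiry. Hostname matching follows the RFC 6125 rule that a wildcard must be the entire leftmost label and matches exactly one label, which is why a single `*.example-clinic.test` certificate does not cover `vpn.corp.example-clinic.test`. The hostnames, certificate records and the fixed `NOW` timestamp are constructed sample data; in practice you would populate `CertRecord` from the certificates your hosts actually present.

```python
"""Audit TLS certificate coverage for every hostname that serves ePHI.

Added example (not from the original post). The inventory, certificate
records and NOW timestamp below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class CertRecord:
    """The subset of certificate fields this audit needs (constructed shape)."""
    subject_alt_names: list
    not_after: datetime


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125 style matching: case-insensitive exact match, or a wildcard
    that is the whole leftmost label and stands for exactly one label."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if san.startswith("*."):
        suffix = san[1:]  # e.g. ".example-clinic.test"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        # The wildcard must absorb one non-empty label, never zero or several.
        return leftmost != "" and "." not in leftmost
    return False


def audit_tls_coverage(hosts, certs, now, min_days=30):
    """Return {hostname: finding}; finding is 'ok' or a short reason string."""
    findings = {}
    for host in hosts:
        covering = [c for c in certs
                    if any(san_matches(s, host) for s in c.subject_alt_names)]
        if not covering:
            findings[host] = "no certificate covers this name"
            continue
        # If several certificates cover the name, judge by the longest-lived one.
        best = max(covering, key=lambda c: c.not_after)
        days_left = (best.not_after - now).days
        if days_left < 0:
            findings[host] = "certificate expired"
        elif days_left < min_days:
            findings[host] = f"certificate expires in {days_left} days"
        else:
            findings[host] = "ok"
    return findings


# Constructed sample inventory: every name through which ePHI is reachable.
EPHI_HOSTS = [
    "portal.example-clinic.test",
    "api.example-clinic.test",
    "example-clinic.test",
    "legacy.intranet.example-clinic.test",
    "vpn.corp.example-clinic.test",
]

# Constructed certificate records, as if read from the hosts' presented certs.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CERTS = [
    CertRecord(["example-clinic.test", "*.example-clinic.test"],
               datetime(2025, 1, 1, tzinfo=timezone.utc)),
    CertRecord(["legacy.intranet.example-clinic.test"],
               datetime(2024, 6, 10, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for host, finding in audit_tls_coverage(EPHI_HOSTS, CERTS, NOW).items():
        print(f"{host:40} {finding}")
```

Running it flags `legacy.intranet.example-clinic.test` as expiring in 9 days and `vpn.corp.example-clinic.test` as uncovered, while the three names under the wildcard pass. The 30-day threshold is an assumption; pick whatever renewal lead time your operations team can actually meet.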

Additional resources related to the above:

AICPA – SSAE 16 guidelines

HHS – Security Rule guidelines

Policies & Procedures Checklist: Verifying In-House Compliance

Not everything is technological, so it’s not just about entrusting a hosting company to build your system appropriately. You also need to make sure that you are operationally sound with appropriate policies and procedures:

  • Create a security and privacy policy
  • Appoint a security and privacy officer
  • Conduct regular risk assessments
  • Create an email policy that either encrypts all messages containing health data (preferred) or informs patients that emailing the data is risky.
  • Create a policy for mobile devices and laptops. Note that unencrypted laptops represent the most common HIPAA violation, while the theft of an encrypted laptop is not even considered a data breach.
  • Conduct regular staff training.
  • Create a privacy notice to post to your site and hand out to all patients.
  • As established above, confirm that you have business associate agreements signed with all companies that come into contact with your health data.
  • Develop a breach documentation and notification policy.
  • Set up regular enforcement reviews to guarantee that all privacy and security policies are followed.

Penetration Testing: Verifying Actual System Security

Atlanta security analyst and author Mike Rothman recommends penetration testing over vulnerability scanning to ensure compliance.

What is penetration testing or pen testing? “I also call it ‘security assurance,’” explained Rothman, “and define it as anything and everything that tests where and how corporate networks, systems and applications can be compromised, as opposed to flagging theoretical vulnerabilities.”

You can basically think of professionals who make a living in the penetration testing field as white-hat hackers. They use the same software and methods, but they are typically far more diverse and granular in their attacks than a run-of-the-mill attacker who is looking for an easy target.

Third-party penetration testing is actually required by various laws and standards such as HIPAA, SOX, and PCI-DSS. However, pen testers recommend that their services be performed much more regularly – which seems completely valid given the trend of hackers staying within systems for months (Sony, Anthem, US State Department, etc.).

Rather than simply listing what is vulnerable, as a vulnerability scanner does, a penetration test tells you what could actually be compromised. It goes beyond the technology to also look at the human element, a typical target for criminal exploitation.

Plus, vulnerability scanners sometimes turn up false leads. “There are lots of reasons why a vulnerable machine may not be exploitable,” said Rothman. “A scanner will tell security professionals it’s a problem. A pen test will assure them that it isn’t, and that provides a lot of value.”

Simplification via HIPAA Compliant Hosting

Although you want to make sure that all your compliance bases are covered, that doesn’t mean that you want to maintain and monitor the entire infrastructure in-house. Certainly you have other, more mission-specific things to do, and it’s much safer to trust the credibility of a provider staffed with security professionals who maintain and offer HIPAA Compliant Hosting 24/7/365. We provide complete HIPAA compliant hosting services, including HIPAA website hosting.

By Moazzam Adnan
