Application

HIPAA Penetration Testing – A Primer for Healthcare Security

What is a HIPAA Penetration Test?

A HIPAA Penetration Test executes much of the same test cases a traditional pentest test would, but gives special consideration for protecting Protected Health Information (PHI) and HIPAA requirements.

Just as a HIPAA risk assessment should analyze how well your organization implements patient data safeguards, a HIPAA penetration test dives deeper to analyze how well an application or network protects PHI.

HIPAA Penetration Testing Background

When the HIPAA framework was created, a set of requirements was prescribed to ensure covered entities took measures to protect PHI.

HIPAA Security Challenges

In 1996 the US health system was beginning a major transformation from pen, paper, and fax to modern computing. The overhaul did not come without significant security challenges, many of which can still be felt today.

Fast growth and security debt

Remember Meaningful Use? When providers, vendors, and consultants rushed to meet the certification criteria, meaningful security was mostly an afterthought.

These afterthoughts created substantial “security debt” by the vast majority of the Health IT ecosystem.

Interoperability and attack surfaces

Healthcare technology interacts with an extremely broad ecosystem of technologies and parties. A HIPAA penetration test must consider interactions with these systems to fully identify attack vectors. Familiarity with the healthcare ecosystem is crucial for understanding how to penetrate healthcare applications.

Unique Standards and confusing protocols

Health IT applications use a number of technologies which are not necessarily intuitive to your average penetration tester. HL7, FHIR, and many standards require familiarity to identify security risks.

The better a tester understands these, the fast they can identify misconfigurations and security weaknesses.

Why is a HIPAA Penetration Test Different?

So what is actually difference between pentests in other industries and those in healthcare? Thet differences will vary between applications and networks, but there are a few themes that will likely remain the same.

Lapse of PHI Protection

PHI is not an arbitrary subset of data. In fact, the HHS specifies 18 identifiers that turn health information into PHI. During a HIPAA penetration test, the pentester should be aware of this and understand the significance of the required technical safeguards.

Data Protection Nuances

Data protection nuances do not end by simply understanding PHI. For example, Academic Medical Centers dealing with anonymized or de-identified data have different security obligations for each. A proper HIPAA penetration test should use this same consideration.

Special Technologies

Unique technologies have unique security problems; healthcare IT has no shortage of these technologies and their challenges. Much of these are easy to overlook by your average penetration tester. To give an example, here’s just a few examples:

  • DICOM Imaging – This format developed for radiology can embed full patient records within the metadata of JPEGs. In some instances these images have been published to patient portals leaving deeply sensitive information contained within them.

  • FHIR – The FHIR API is used by a vast number of web applications, but does not necessarily implement authentication and authorization. In several HIPAA penetration tests we have seen improper FHIR implementations allow arbitrary access to health records.

  • HL7 – the plumbing of Health IT; a series of tubes creating a Rube Goldberg machine that is the US Healthcare system. Since penetration testing requires an analysis of data passed in and out of an application, a basic understanding of HL7 is important.

Healthcare Devices

It’s hard to talk about healthcare pentesting without the topic of devices. From bedside insulin to radiology imaging, the clinical world has an IT footprint riddled with outdated or fundamentally insecure devices. A seasoned healthcare pentester has not just a better chance of finding vulnerabilities, but can also provide better remediation advice.

HIPAA and Application Pentesting

Developing a SaaS, mobile, or other software solution that processes PHI?

Applications handling PHI should take special precautions to ensure data is not cached or transferred to unintended recipients. Traditional application pentests often raise a number of low risk issues related to this, but a HIPAA penetration test should take special precautions for these.

Some examples include:

  • Cache Controls – Using web headers such as ‘Expires’, ‘Pragma’, and ‘Cache-control’ must be used to prevent data being stored on shared workstations.
  • Timeout Screen Redirection – When a user session times out, simply expiring the session token is not enough. Web applications should implement client-side code to redirect the user to a login page. This can prevent PHI from being left on screen when a workstation is unattended.
  • Use of GET/POST – HIPAA pentests should take a closer look at GET requests to ensure they do not contain PHI. Remember, this includes phone numbers, names, and IDs which may normally not be of such concern.

HIPAA and AWS Penetration Testing

Although HIPAA does not prescribe guidance specifically for cloud providers, there are some important things to know.

  1. You should be aware of the security capability of AWS services to ensure data is encrypted at rest and transit.
  2. AWS requires a BAA is in place for some customers: https://aws.amazon.com/premiumsupport/knowledge-center/activate-artifact-baa-agreement/
  3. Not all AWS services are eligible for HIPAA applications, it is recommended your cloud stack is examined closely for compliance. https://aws.amazon.com/compliance/hipaa-eligible-services-reference/

For a closer look at pentesting on aws we have a more detailed AWS Pentesting guide.

Scoping a HIPAA Penetration Test

Scoping is one of the most important first steps of a penetration test. It’s so important that we recommend using it when evaluating a pentest company. To begin, you will need to determine if you are focusing on an application pentest, network pentest, or a hybrid mix.

For organizations with SaaS, mobile, and general web applications, an application pentest is likely the best assessment for you. Then choosing the style of test (black box, gray box, or whitebox) is the next important step. The vast majority of organizations will perform gray box assessments, but unique circumstances may change that.

On the network side of things, you should consider whether the testing will cover the external network or internal.

HIPAA Pentesting FAQ

Do I need a BAA for my penetration testing vendor?

The majority of covered entities do not require a BAA from pentesting vendors unless special access is given to production systems storing PHI. By nature, any access to PHI should be incidental during a penetration test.

Does HIPAA require a penetration test?

The HIPAA Security Rule requires a “risk analysis” is performed on the technology storing or processing PHI. Although this does not explicitly require a pentest, a HIPAA penetration test is widely regarded as the most appropriate way to perform this analysis.

Wrapping Up

Experience in Healthcare can make all the difference in a good or bad HIPAA penetration test. At Virtue Security we have been a HIMSS exhibitor for 8 consecutive years and strive to support our Healthcare heroes who save lives everyday.

If you’re curious about what HIPAA means for your application or network pentest, drop us a line and