HIPAA defines a broad set of rules to govern how health care providers and related covered entities share and protect patient data. While the scope of HIPAA is far broader than an ethical hacking specialist is concerned, vulnerability assessments are often a vital component of HIPAA compliance. With that said, ethical hackers do not need to be experts on the entire HIPAA regulations, but there are some things they should be aware of.
One of the primary concerns during a vulnerability assessment for a HIPAA covered entity is the transmission and storage of ePHI (electronic Protected Health Information). There are 18 specific items that are considered ePHI:
- Geographic data
- All elements of dates
- Telephone numbers
- FAX numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Web URLs
- Internet protocol addresses
- Biometric identifiers (i.e. retinal scan, fingerprints)
- Full face photos and comparable images
Any unique identifying number, characteristic or code Application vulnerability assessments evaluate sensitive information which may be disclosed to unauthorized parties, however, a good security consultant will always understand that “sensitive” is highly subjective. In the case of a HIPAA covered entity, the above 18 items should all be considered sensitive. Leakage of any data included in the above list can have serious consequences for the covered entity in question. HIPAA violations can have significant financial penalties, so never assume something ever so slightly sensitive is ok to disclose. What may normally be considered a Low Risk information disclosure issue to another industry, can sometimes be a High Risk issue to a HIPAA covered entity.
The Security Rule
HIPAA does not get into the specifics or technical nature of vulnerability assessments. The HIPAA security rule simply mandates that covered entities
“[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” In other words, if you have an application handling ePHI, you need to perform a vulnerability assessment against it. But being so vague is both good and bad. Application vulnerability assessments are highly subjective assessments and risks depend greatly on the business logic used. This is an important freedom to allow security experts to get the job done the right way. This allows the security tester to focus on the actual risk rather than a checklist which may not actually reflect a real life attack scenario. On the other hand, it may allow for misguided decisions to be made about how risk should be identified. Healthcare is an industry that’s no stranger to products with exaggerated or false claims. There is no shortage of software companies who are ready to sell something that may lead organization to believe they are doing their due diligence in identifying risk.
EHR Data Sensitivity
As with any assessment, an ethical hacker is often the last line of defense in protecting against a breach; and a critical aspect of our job as ethical hackers is to protect the people who use these applications. We must not forget the level of sensitivity of data used by HIPAA covered entities and their applications. Special consideration should be given to handling of EMR/EHR records which contain detailed records of medical conditions and history.
Successful business operation is the ultimate goal of any security assessment. While electronic health records are relatively new, healthcare technology has greatly improved the care that individuals receive. Vulnerability assessments can be difficult, but it’s a fact of life that security testing must coincide with application deployment. By keeping both of these requirements in mind we can stay secure and keep moving forward. For more information on Virtue Security services please see our penetration testing services.