HIPAA law requires covered entities to safeguard against “reasonably anticipated” threats to protected health information. With healthcare security breaches making all too frequent headlines, the threat of malicious hacking can certainly be reasonably anticipated. In this cyber-war landscape, healthcare organizations have a legal and ethical responsibility to identify and mitigate the likelihood of real-world threats to IT assets and physical security. Penetration testing can strategically position your organization to repel cyberattacks.

Penetration testing, also known as “ethical hacking,” is an authorized software attack on a computer system designed to pinpoint security vulnerabilities that may be present in operating systems, applications, configurations, or risky end-user activity. The test will simulate the practices and methods of external or internal agents attempting unauthorized data access. Think of it as a sort of remote reconnaissance that can evaluate the true effectiveness of your security controls.

A thorough penetration test uses the latest software tools designed to

  • gather information;
  • analyze and exploit vulnerabilities;
  • attempt to crack passwords;
  • decode encryption; and
  • infiltrate operating systems, web applications and wireless networks.

The primary objective is to establish if and where unauthorized system access can be attained. Once security gaps are identified, they should be corrected, and subsequent tests executed until no further vulnerabilities are detected.

But you can’t stop there. Penetration testing should be performed routinely to ensure security controls remain ahead of emerging threats. Hackers are continually sharpening and refining their skills, and new hackers are born everyday thanks to “hacking kits” now available on the dark web. In fact, healthcare IT security is under special attack because the dark web also provides huge pay-offs for stolen Protected Health Information (PHI).

The monetary cost of penetration testing is inconsequential when you consider the impact to your organization if an attacker were to successfully gain infrastructure access. According to the 2018 Ponemon Institute study, it was determined the average total cost of data breaches were $3.86 million, not to mention the negative publicity and reputational damage that will almost certainly ensue. Criminal attacks on healthcare data were up 125 percent compared to the previous five years, while healthcare data breaches cost organizations $408 per record, the highest of any industry. Breaches can also instigate Office for Civil Rights (OCR) investigations, as well as incur additional costs such as credit monitoring fees for affected residents.

It can be very difficult to test, analyze, and remediate your own network vulnerabilities without interrupting your day-to-day business operations. Your IT department may not have the resources or expertise that can be dedicated to the design and implementation of testing methodologies that actively analyze systems for technical vulnerabilities. Consider partnering with a security/compliance firm. A good compliance partner will help you pinpoint real risks to networks, assess the performance of your overall security controls, and provide remediation guidance and support.

Read about a typical Healthcare IT penetration test performed by BlueOrange Compliance:


RiverSpring Health Case Study


To learn how BlueOrange Compliance helps healthcare organizations protect against cyber threats, request a free consult.