Why Healthcare IT Expertise Is Crucial to a Quality Penetration Test for Covered Entities and Business Associates


With the increased severity and frequency of all forms of cybercrime, it’s not surprising that the demand for penetration testing as a preventative measure has grown enormously.

Properly done, a penetration test can provide a valuable overview of where vulnerabilities exist that can be exploited by hackers – and give guidance as to how to prioritize which risks to address at what relative cost and impact.

A penetration test, also known as a pen test, is essentially a simulated cyberattack. The testers try to break into your IT infrastructure by any means an attacker would use, to show what damage a real intruder could inflict.

The skills needed to attack IT systems are largely the same across industries, including the technical methods of initial penetration, impersonation, and lateral movement. However, deeper knowledge of an industry, along with its specific IT systems and business models, is required to produce a test that delivers the most beneficial insight.

Why Is Industry Experience Vital When Conducting Pen Tests?

While a computer network of endpoints, systems, and servers may look the same from a technology perspective, their importance and risk if penetrated vary significantly. If the penetration test team doesn’t understand the difference between a revenue cycle data stream and an ADT (Admit, Discharge, Transfer) data feed, it will be difficult to truly know where the most glaring vulnerabilities exist and how to fully stress their protections.

Without a thorough grasp of a patient’s journey through a healthcare system, how can testers adequately stress the underlying applications and their exposed endpoints to mimic potential lateral movement inside your systems by a hacker?

To evaluate a potential penetration test team partner, ask questions that get to the heart of their experience and delve into scope and price considerations.

Six Questions to Ask a Potential Pen Test Team

Once potential service providers have demonstrated the needed technical requirements, be sure to ask the following questions:

  1. Does the team have experience with HIPAA, NIST, HITRUST, or 405(d) security frameworks? Have they ever represented a client who faced an OCR audit? If so, how many times, and what was their pass rate?
  2. Have they reviewed your latest HIPAA SRA, NIST assessment, 405(d) assessment, outstanding remediations, and remediations addressed over the last 12 months?
  3. If yes to the above, have they then been able to give you a prioritized list of essential test areas and potential vulnerabilities with a sufficient explanation?
  4. Have they reviewed any system changes you have made since their last penetration test or security assessment? Have they even asked the question?
  5. Have they performed or reviewed a basic analysis of your prioritized third-party risk exposure and suggested testing methods?
  6. Can they offer you a full set of black box, gray box, and white box test options? Because email phishing is the leading cause of initial compromise, both internal and external vulnerabilities must be tested, not just the perimeter.

Pen Test Pricing and Scoping Considerations

Price is only one variable when considering a penetration test. You may have heard the saying, “The patient who looks for the cheapest brain surgery is bound to have long-term thinking problems.” Instead, consideration must be given to the breadth and depth of the penetration testing.

Here are five questions to ask when pricing and scoping a pen test solution:

  1. How much of your IT infrastructure will the provider test?
  2. How deeply will they test, and what kinds of simulated attacks are they planning to perform?
  3. How many tests have they performed of comparable scope and complexity for organizations like yours?
  4. How would they scope a test at half the price? What would they leave out and why?
  5. How would they prioritize adding parts of the test back to their current price quote?

If the provider is unclear when explaining the value add/potential risk reduction for changes in scope, that’s a sign to look for a different partner.

Look for Healthcare IT Expertise When Choosing a Penetration Test Provider

The goals of penetration testing are risk analysis and reduction. The provider you choose should have expertise that goes beyond IT, as understanding your healthcare delivery model is crucial to providing meaningful risk verification services. Look for a provider with experience in both IT AND healthcare.


About the Author

George Pappas, Chief Executive Officer

George C. Pappas, CEO of Intraprise Health, is a high-tech executive with more than 35 years of experience working with a wide range of software companies, from $5M to over $100M in revenue. He has led R&D teams in the US, India, Russia, Poland, and China, and is an active member of CHIME.