Penetration Testing for Healthcare: 5 Things to Know


Hiring an ethical hacker to break into your network, website, Wi-Fi or any other part of your infrastructure is a form of penetration testing, which can help identify key vulnerabilities before they're exploited. The process, though costly, can help avoid the financial and reputational toll of real-life hacking. And many compliance regimes, including HIPAA, encourage or require regular testing.


  1. What should I ask a penetration tester to do? Define the scope tightly. Start with the highest-risk applications, such as internet-facing patient or healthcare provider portals. Penetration testing can be general or deep, so pursue broad (but not overly broad) tests first. As you gain more insights, conduct more specific testing in a particular vertical area.

  2. White box or black box testing: Which is best? White box testing gives the tester inside information, simulating a document leak or the act of a careless staffer; black box testing gives the tester no context. As a result, white box testing is likelier to uncover problems. Keep in mind, however, that black box testers have less time to penetrate than a true attacker would. Consider alternating between both options.

  3. Do I tell my IT team that we are testing? Absolutely, but only after the test is complete. In addition to the tester’s report, get a report from your own IT security team on what their systems caught during the unannounced testing and what was missed. This is an excellent chance to tune your own systems to distinguish between Internet background noise and an attack.

  4. If a tester doesn’t get in, am I secure? A penetration test is like a Rorschach test: It isn’t always the end answer but the journey that is most enlightening. Sure, a tester may fail to reach the goal, but along the way they always discover something you didn’t know about that needs fixing or shielding. There’s no hard “pass” or “fail.”

  5. How often should I be testing? Test often enough to be useful but not so often as to be annoying. Examine how much time it takes to absorb and fix any deficiencies, then schedule your next test six to nine months after. Significant events, such as a HIPAA audit or a systems upgrade, may trigger or delay subsequent tests.



