
How to Define & Prepare Your PHI for a HIPAA Pentest

Matt Cooper

Matt leads the Security & Compliance team at Vanta. He has spent his 20+ year career in security and information technology. Prior to joining Vanta, Matt was the US Director for the Cyber, Risk & Advisory practice at BSI, where he led an information security consultancy providing risk management and readiness consulting for common industry frameworks such as ISO 27001, SOC 2, HIPAA, and PCI. Matt also led the US Data Privacy practice and worked as a contract Data Protection Officer (DPO) for customers in ad-tech, healthcare, and marketing, helping them comply with ever-changing global data privacy regulations including GDPR and CCPA. At Vanta, Matt works closely with audit partners, advises customers on security and compliance, and provides input to the product team.

What is HIPAA Compliance?

HIPAA, the Health Insurance Portability and Accountability Act, was signed into law on August 21, 1996. HIPAA’s overarching goal is to keep patients’ protected health information (PHI) safe and secure, whether it exists in physical or electronic form. HIPAA was created to improve the portability and accountability of health insurance coverage for employees moving between jobs. It was also created to deal with waste, fraud, and abuse in health insurance and the delivery of healthcare, as well as to promote the use of medical savings accounts, provide coverage for employees with pre-existing medical conditions, and simplify the administration of health insurance.

Achieving HIPAA compliance isn’t a matter of proving your company’s adherence to a single static standard. HIPAA’s rules and requirements are intentionally broad and flexible to accommodate the range of types and sizes of covered entities and business associates that create, access, process, or store protected health information (PHI), and that must thus comply with HIPAA.

What is PHI?

Protected health information (PHI) is health data that is created, received, stored, or transmitted, by electronic media or in any other form or medium, by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations, and payment for healthcare services. PHI includes individually identifiable health information, i.e. health information that can be connected to a specific person, or information by which an individual could be identified. This could include medical histories, test results, insurance information, demographic data, and other information used to identify a patient or to provide healthcare or coverage for them. When combined with medical data, less obvious identifiers such as a driver’s license number, phone number, or email address can also make a record PHI in a specific context.

Protected health information is protected under the HIPAA Privacy Rule, which sets standards to safeguard individuals’ PHI and establishes when PHI may be used and disclosed. The HIPAA Security Rule specifies technical, administrative, and physical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
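The definition above has a practical consequence when you prepare data for a pentest: a record becomes PHI only when health information is combined with something that identifies the person, so the test environment should carry the health data with the identifiers stripped out. The following classifier is an added example, not code from the article or from Vanta or Cobalt. The field names (`diagnosis`, `email`, `notes`, and so on) and the sample records are constructed for illustration, and the identifier list is a small assumed subset rather than the full HIPAA Safe Harbor list of 18 identifier categories.

```python
"""
Added example (not from the original article): decide whether a record is PHI
in the sense described above (health information combined with at least one
direct identifier) and produce a de-identified copy for a pentest environment.
Field names and sample records are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Assumed field names that carry health information.
HEALTH_FIELDS = {"diagnosis", "lab_result", "medication", "insurance_member_id"}

# Assumed field names that directly identify a person. Phone, email and
# driver's license are the "less obvious" identifiers the article mentions.
IDENTIFIER_FIELDS = {"name", "email", "phone", "drivers_license",
                     "date_of_birth", "address"}

# Pattern checks so identifiers hiding in free-text fields are also caught.
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b(?:\+?1[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}\b"),
}


@dataclass
class Classification:
    is_phi: bool
    health_fields: list = field(default_factory=list)
    identifier_fields: list = field(default_factory=list)


def classify_record(record: dict) -> Classification:
    """A record is PHI when it has health data AND at least one identifier."""
    health = sorted(k for k, v in record.items() if k in HEALTH_FIELDS and v)
    identifiers = [k for k, v in record.items() if k in IDENTIFIER_FIELDS and v]
    # Free-text values containing an identifier pattern count as identifiers
    # too; they are reported as "<field>:<kind>".
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS or not isinstance(value, str):
            continue
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            if pattern.search(value):
                identifiers.append(f"{key}:{kind}")
    return Classification(bool(health) and bool(identifiers),
                          health, sorted(identifiers))


def deidentify(record: dict) -> dict:
    """Copy of the record with identifier fields dropped and inline
    identifiers masked, so health data can be used without being PHI."""
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue
        if isinstance(value, str):
            for pattern in IDENTIFIER_PATTERNS.values():
                value = pattern.sub("[REDACTED]", value)
        out[key] = value
    return out


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "email": "jane@example.com",
     "diagnosis": "Type 2 diabetes", "notes": "Call 555-123-4567 to confirm"},
    {"patient_ref": "P-001", "diagnosis": "Asthma", "lab_result": "Normal"},
    {"name": "John Roe", "phone": "555-222-3333"},
]


def phi_report(records: list) -> list:
    """Per-record PHI decision, used to decide what must be scrubbed."""
    return [classify_record(r).is_phi for r in records]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        c = classify_record(rec)
        print(c.is_phi, c.health_fields, c.identifier_fields)
        if c.is_phi:
            print("  de-identified:", deidentify(rec))
```

Only the first record is PHI: it pairs a diagnosis with a name, an email address, and a phone number buried in a free-text note. The second carries health data under a pseudonymous reference and no direct identifier, and the third identifies a person but holds no health information. A real scrubbing step would extend the field and pattern lists to the full set of identifiers your records actually contain.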

What is a pentest?

Pentesting, also known as penetration testing, is a security assessment consisting of analysis and a progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or network security defenses by looking for vulnerabilities: weaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting.

The output of a pentest is a list of vulnerabilities, the risks they pose to the application or network, and a concluding report with an executive summary of the testing along with information on its methodology and recommendations for remediation.

The vulnerabilities found during a penetration test can be used to fine-tune your security policies, patch your applications or networks, identify common weaknesses across applications, and in general strengthen your entire security posture.

Pentest Requirements for HIPAA

With the end goal of confirming that health information remains properly secured, pentesting can bring businesses a few steps closer to HIPAA compliance. While the framework doesn’t explicitly require pentesting or vulnerability scanning, it does call for “periodic technical evaluation”, which is commonly understood to mean pentesting and vulnerability scanning. Both controls will often be a core component of the business’s risk analysis, which is in fact required.

The pentesting process involves trained security professionals attempting to break into your systems, thereby finding vulnerabilities that need to be remediated. As the testers discover vulnerabilities in your network or application, they work closely with business operators to relay the real-world impact of each finding.

Through the pentesting process, businesses gain a better understanding of the weaknesses in their systems that put patients’ PHI at risk. After remediating these vulnerabilities, businesses can better demonstrate the actions they’ve taken to keep that data secure.

How to Prepare Your PHI for a HIPAA Pentest and Audit with Vanta and Cobalt

Vanta and Cobalt solutions are designed and built to not only prepare you for a successful audit, but also to continuously monitor your control environment in order to maintain and continuously improve your security posture. Here is an overview of the components that are part of this process:

Business Associate Agreements (BAAs)

  • BAAs are required to be signed by all Business Associates that engage with PHI.
  • Vanta makes it easy to collect all your BAAs in one place and confirm you’re sharing ePHI in accordance with HIPAA.

Continuous Monitoring

  • Vanta continuously checks for security measures like encrypted storage and data backup, and ensures that you’re protecting the confidentiality, integrity, availability, and privacy of PHI across your system.

Identify Risks and Mitigation Steps

  • Vanta’s risk assessment helps you identify the unique risks for your business and the patients whose PHI you process, describe their cause, and outline steps you've taken to lessen their potential impact.

Vulnerability Scanning

  • The Vanta Agent can be installed on servers and laptops to identify technical vulnerabilities that require patching or remediation. Implementing a strong vulnerability management process before engaging in a pentest will make the pentest results more valuable.

Pentest Setup

  • Cobalt’s SaaS-like platform guides you through scoping and asset description, helping you document which systems you want pentested and how different infrastructure components affect one another.

Pentest Execution

  • Cobalt’s pentester talent interacts with your security team throughout the test, sharing updates, raising questions, and clearing up details. This keeps the test focused and gives you the opportunity to steer testers in the direction you want.

Remediation and reporting

  • Detailed documentation and direct communication with testers enable your developers to replicate and quickly fix discovered flaws. Cobalt includes a free retest as part of any engagement to confirm that your fixes are effective, and provides a detailed report of the engagement that you can share with your HIPAA auditor as proof of mitigation.