- The difference between penetration testing and vulnerability scanning can be confusing. Penetration testing, also referred to as pentesting, is a manual process used to identify possible risks and vulnerabilities within a network that could be used to gain access to that network, mirroring the actions of a hacker. In an ordinary penetration test, security experts use the most obvious risks and vulnerabilities to obtain the data they are after. Primarily, pentesting assesses the ability of the security controls to reduce the risk of a data breach. Vulnerability scanning is an automated, high-level assessment that recognizes potential security holes within the network. The problem with this process is that it produces false positives, which require manual verification. Scanning differs from a pentest in that it does not always include the second step: actually exploiting the identified vulnerabilities to break into the network and extract data.
- HIPAA does not require a penetration test or vulnerability scan; however, it does require the completion of a risk analysis, which effectively requires covered entities to evaluate and test their security controls. Two crucial processes for testing security controls are penetration testing and vulnerability scanning. In the future, given the hacking events in healthcare, it is possible that an auditor or administrative judge could render a judgement against a covered individual for failing to complete a vulnerability test. The National Institute of Standards and Technology has released a recommendation specifically for HIPAA that states, “Conduct trusted penetration testing of the effectiveness of security controls in place, if reasonable and appropriate. This validates your exposure to actual vulnerabilities.” It also advises documenting any discrepancies that are identified in a technically detailed report that includes productive, effective processes for remediation.
- Pentesting has grown more essential as the years go on, because external attacks by hackers targeting healthcare are on the rise. Electronic protected health information is not only a social security number, name, and/or address; it is also insurance information, healthcare records, and established relationships with both doctors and family. In the past, covered entities did not lock down their networks effectively, and the more data an identity thief has on an individual, the easier it is to steal both their identity and their information.
- Identity theft is one of the primary motivations behind these catastrophic hacks and/or data breaches. When it comes to healthcare information, many of these hacks originate from the former Eastern Bloc nations or from nation-state attackers such as China and North Korea. The Eastern Bloc is seen as a “hotbed” for cyber criminals whose goal is to steal this data and resell it on the black market to buyers who use it to commit identity theft. Nation-state attackers are motivated by completing dossiers on known agents in order to track these individuals, primarily for the purpose of blackmail or to expose the existence of the agent.
- Many other security regimes require pentesting. If a healthcare organization handles and processes routine credit card transactions, it must acknowledge the payment card industry’s security standard. The most recent version, PCI DSS 3.1, states that every organization with a substantial volume of routine credit card transactions must complete penetration testing on an annual basis.
For over 16 years, Kinetix Solutions has been a leading provider of Managed Services, Professional Services, Voice Over IP (VoIP), Internet Solutions, Cloud Hosting, and Custom Development. Local support teams paired with a fully staffed 24/7 Tech Support Center provide customers with a seamless and cost-effective business technology solution. Our approach allows clients to focus on their core business or product offerings and operate smoothly. In addition to these core offerings, Kinetix Solutions also provides social media management along with access to enterprise and Business Intelligence, Social Media, Search Engine Optimization (SEO), and Web Solutions through our industry-leading partnerships.
To get more information or schedule a FREE assessment to learn how we can improve your business today, call us at 855-4-TEK-NOW (855.483.5669).