QUESTION: As a third-party administrator, we are a HIPAA business associate that receives, maintains, and transmits electronic protected health information (PHI) for many health plans. Must we run internal and external vulnerability scans or penetration testing to comply with the HIPAA security rule?
ANSWER: Although the HIPAA security rule does not specifically require vulnerability scans or penetration tests, you should consider incorporating these tools into your HIPAA compliance program. Vulnerability scans, which may be internal or external and are usually automated, are designed to identify known vulnerabilities (such as viruses or outdated software) in computer networks, firewalls, routers, and applications. Penetration testing is more targeted, is not automated, and attempts to find holes in security and gain network access—much like a hacker—by exploiting network vulnerabilities.
As a business associate, you are required to conduct a HIPAA risk analysis: an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI that you create, receive, maintain, or transmit on behalf of health plans. HIPAA also requires a risk management plan: security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. And you must perform a periodic technical and nontechnical evaluation of your security safeguards, conducted by your own workforce or through a third party.
Vulnerability scans and penetration tests can be important components of your risk analysis, risk management, and periodic evaluation processes. In addition to helping you evaluate the effectiveness of current protective measures, they can identify new vulnerabilities so you can close security holes before they are exploited by hackers. These tools can also identify security incidents and help you comply with the security rule’s standard for security incident procedures.
Be sure to document the results of vulnerability scans or penetration tests—and any resulting remedial actions—in case you are required to demonstrate compliance with the security rule, e.g., as part of a compliance audit or an investigation by HHS’s Office for Civil Rights. You should also consider sharing cyber-threat indicators with the federal government or information-sharing and analysis organizations (taking care not to disclose PHI) to alert them to newly discovered vulnerabilities and weaknesses.
For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXV.H (“Guide to Planning for Breach Notification”) and XXX.B (“Administrative Safeguards”). You may also be interested in our upcoming workshop “Negotiating a HIPAA Business Associate Contract from the Plan Sponsor and Service Provider Perspectives” (live on 10/24/18).
Contributing Editors: EBIA Staff.