Learning Center Home > Data Security > What Healthcare Needs to Know About Penetration Testing

What Healthcare Needs to Know About Penetration Testing

Data Security


This post contains the text from the White Paper: What Healthcare Needs to Know About Penetration Testing. Download the PDF below.

White Paper: What Healthcare Needs to Know About Penetration Testing

Download Here


Healthcare organizations may have technology and procedures in place to prevent data theft, but it’s difficult for organizations to find every security weakness.

To help protect your network and electronic patient health information (PHI), you need to examine your environment the way a hacker would. Ethical hacking or penetration testing is the art of analyzing network environments, identifying potential vulnerabilities, and trying to exploit those vulnerabilities just like a hacker would. The difference is that these people are on your side.

Penetration testing is vital for your security and can help in reaching Health Insurance Portability and Accountability Act (HIPAA) compliance. In this white paper, you will learn the basics of penetration testing, best practices to prepare for a penetration test, and the cost of penetration testing.



HIPAA standard § 164.308(a)(8) discusses how you need to perform periodic technical evaluations, such as penetration testing. 

Penetration tests are a vulnerability testing approach in which analysts identify potential weaknesses and attempt to exploit vulnerabilities. Think of penetration testing as an MRI for your organization. It’s the real-world security testing of the requirements you believe are in place, and a way to actually see evidence of problems your security systems may have.

Specifically, penetration testers will first run automated scans and then manually test your website, patient portal, or other Internet-facing networks and applications to see if there is a way into your patient data using common hacker tools. If found, the testers report these vulnerabilities to you with recommendations on how to better defend the systems.

For example, penetration testing is particularly helpful for organizations developing their own applications, as it’s important to have code and system functions tested by an objective third party. This helps find vulnerabilities missed by developers. 

Depending on your security needs, you may need to do both an internal and external penetration test. An internal penetration test is when penetration testers test systems (without PHI access) within your organizational network (i.e., perspective of someone inside your network). An external penetration test is when penetration testers test from a perspective of an open public network (Internet) outside of your organizational network (i.e., perspective of a hacker over the Internet).


Do You Need a Penetration Test?

Find out Here


Penetration testers need to conduct an authenticated penetration test. This means you must provide the penetration tester with credentials to access the system, instead of requesting that they try to penetrate their system blindly.

With credentials, the penetration tester can test the system via an administrator role, manager role, or front-desk role, etc. and test if someone with a lesser privilege can get information that should only be accessible to someone with higher privileges.

Make sure to include critical systems in your penetration test. A critical system is any additional system that could affect patient data security (e.g., firewalls, IDS, authentication servers, etc.). Basically, any assets that support and manage PHI access. 


An organization’s IT environment influences the kind of attacks to which they are susceptible. For example, defects in web browsers, software, operating systems, and server interfaces can allow attackers to gain access to an environment. 

Therefore, every security plan should be tailored to each individual network environment. Independent penetration testing can expose many of the weaknesses commonly found in application code (especially home-grown varieties) and is the best course of defense in identifying weaknesses before deployment. 



You need to decide who is performing your penetration test (e.g. in-house or third party).

Penetration testers should be well versed in: 

  • Black hat attack methodologies (e.g., remote access attacks, SQL injection) 
  • Internal and external testing (i.e., perspective of someone within the network, perspective of hacker over Internet) 
  • Web front-end technologies (e.g., Javascript, HTML) 
  • Web application programming languages (e.g., Python, PHP) 
  • Web APIs (e.g., restful, SOAP) 
  • Network technologies (e.g., firewalls, IDS) 
  • Networking protocols (e.g., TCP/UDP, SSL) 
  • Operating systems (e.g., Linux, Windows) 
  • Scripting languages (e.g., Python, Pearl) 
  • Testing tools (e.g., Nessus, Metasploit) 
  • Segmentation testing 

If you hire a third party, make sure the penetration tester you select uses the correct methodology and that you act on the report they give you (i.e., fix the problems they find). Then collect information for your penetration tester such as: have you experienced a vulnerability in past 12 month (e.g., Ransomware)? Did you make changes? Tell your penetration tester about all this information so they can design tests to validate your changes.

If you use an in-house penetration tester, they must use the correct penetration testing methodology when conducting your test (e.g., NIST 800-115, OWASP Testing Guide, etc.). They also need to be aware of general vulnerabilities and threats prevalent in the industry and design tests to check for issues in your networks and applications.

How often should you get a penetration test?

First, establish what your organization considers a major change. What might be a major change to a smaller organization is only a minor change in a large environment. For any organization size, if you bring in new hardware or start accepting patient data in a different way, that constitutes a major change. 

Whenever large infrastructure changes occur, you’ll want to perform a formal penetration test to see if that change added any new vulnerabilities, in addition to annual penetration tests.

Perform a penetration test at least yearly and after major network changes.

Download the latest guide to HIPAA Compliance

Download now


Healthcare organizations often setup large flat networks, where everything inside the network can connect to everything else. They may have one firewall at the edge of their network, but that’s it.

Generally, the more places that have access to patient information, the higher the chances for a HIPAA violation or data breach.

If all the machines within an organization were in the same network, then all of these machines would have to be evaluated with regards to their security at the same level as the machines within the secure zone. This higher level of testing would result in much higher costs for your organization. 

To help keep your patient data secure, consider network segmentation. Network segmentation is the practice of isolating various systems within an organization so they are not able to access other areas of the network.

There are three main types of segmentation that are typically used today: 

  • Firewall rules
  • Route restrictions
  • Air gap (physically independent infrastructure)

Firewall rules, in particular, is one of the most popular forms of network segmentation. When you create networks with PHI access (e.g., EMR systems) firewalled off from the rest of the day-to-day business traffic, you can better ensure patient data is only sent to known and trusted sources.

For example, you install and configure a multi-interface firewall at the edge of your network. From there, you create one interface on the firewall dedicated just to the systems that store/process/transmit PHI data. If that interface doesn’t allow any other traffic into or out of any other zones, this is proper network segmentation.


Network segmentation can be extremely tricky, especially for those without a technical security background; therefore, perform segmentation checks annually and whenever you make a major change to your network environment.

Segmentation checks are series of tests used to validate that less-secure networks are not able to communicate with high-secure networks connected to the patient data. Basically, segmentation checks are penetration tests that make sure the network segmentation has separated networks that have and don’t have access to PHI. 

Penetration testers validate segmentation by running a port scan (often using Nmap) inside the network without access to PHI to try and discover an IP address inside the PHI environment. If they can’t see any IP addresses inside networks with PHI access, that network segment is validated as properly segmented (or isolated from PHI access).

The desired outcome after scanning is that the tester should not be able to identify any open services within the secure zone. However, there are many reasons that organizations fail their first segmentation check: 

  • Misconfigured firewall 
  • Legacy rules were not removed
  • Third party management service incorrectly added access


Scanning is a difficult task. If the address space of the secure zone is large, then huge number of access attempts are required to fully cover the space. In addition, the behavior of the isolation firewall will sometimes hinder the testing or produce confusing results. In these cases, the tester will sometimes have to make corrections to the testing parameters and retry the tests. This all takes time and considerable skill to perform successfully. 

So while the testing can be performed by a customer in-house against their critical networks, it often makes sense to use the services of outside specialists.

However, if you plan to do in-house segmentation checks, there are a few things to consider. First, make sure the segmentation check is performed by an individual that is organizationally separate from the design, maintenance, or administration of the target environment and is qualified (with documented experience and expertise).

Though segmentation checks can be performed by in-house staff, these checks can be a difficult task and tricky to perform successfully.

Next, depending on the type of segmentation used to isolate less-secure networks the methodology used will differ. The majority of assessments SecurityMetrics performs is target rule-based (typically firewall) segmentation. 

For these types of environments there are three parts to the test included in a standard test:

  • ICMP scan
  • TCP port scan
  • UDP port scan

Where routing restrictions prevent any packets from being delivered to the destined segment, scanning techniques are not required. In these instances, providing evidence (such as traceroutes that demonstrate packets are not routed to the correct firewall) should be sufficient.

For systems that are air gapped, documentation is typically sufficient. Some HIPAA auditors will occasionally request that ICMP, TCP and UDP port scans be performed in order to validate that additional access (across the Internet) does not exists between the two systems. 

White Paper: What Healthcare Needs to Know About Penetration Testing

Download Here


With any security service, cost may vary widely based on several variables, such as:

  • Complexity: The size and complexity of your environment and network devices are probably the biggest factors of your penetration test quote. A more complex environment requires more labor to virtually walk through the network and exposed web applications looking for every possible vulnerability.
  • Methodology: Each penetration tester has a different way they conduct their penetration test. Some use more expensive tools than others, which could raise the price. That’s not necessarily a bad thing. More expensive tools could reduce the time of your test, and produce higher quality results.
  • Experience: Penetration testers with more experience will be more expensive. Just remember, you get what you pay for. Beware of penetration testers that offer prices that are too good to be true. They probably aren’t doing a thorough job. Look for penetration testers with credentials behind their name like CISSP, GIAC, CEH, and/or OSCP.
  • Onsite: Most penetration tests can be done offsite; however, in rare cases that involve very large/complex environments, an onsite visit could be required to adequately test your business security. Onsite visits are also required if you request a physical security or social engineering penetration test.
  • Remediation: Some penetration testers include remediation assistance and/or retesting in their price. Others provide test results and disappear.

With everything above accounted for, typically penetration tests start around $15,000 but can rise well above $40,000.


Whenever your organization makes a significant network change, you should perform penetration tests. Decide what penetration testing your environment needs (e.g., segmentation checks, internal, and/or external penetration tests), and who should perform these penetration tests (e.g., in-house staff or third party vendors).

Typically, penetration test reports contain a long, detailed description of attacks used, testing methodologies, and suggestions for remediation. Make sure to take adequate time to address the penetration test report’s advice and fix the located vulnerabilities on a prioritized basis.


We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security. 


Do You Need a Penetration Test?

Find out Here