HIPAA Gap Assessments & Penetration Testing: A Double Dose of Security

Written by Ryan Manship in HIPAA-gap-assessment

Auditing healthcare organizations, the Department of Health and Human Services found many providers struggling to follow HIPAA rules and manage risk. Yet HIPAA violations are expensive. HIPAA gap assessments paired with penetration testing can help avert a costly crisis for healthcare providers.

Healthcare Industry Shows Problematic Security Gaps

As recently as September 2017, HHS Office for Civil Rights (OCR) audits found:

  • 94% of organizations had inadequate risk management plans
  • 89% were rated as inadequate on patients’ right to access their protected health information (PHI)
  • 83% had performed inadequate risk analyses.

This is untenable. While the HIPAA Journal suggests, “a few years ago, the risk of discovery of a HIPAA violation was relatively low,” that’s no longer the case. Patients know more, it’s easier to file complaints, and the OCR is actively investigating.

And violations are costly:

  • Penalties for noncompliance, based on the level of negligence, can range from $100 to $50,000 per violation (or per record)
  • Maximum penalty is $1.5 million per year for violations of an identical provision.
  • Violations can also lead to criminal charges resulting in jail time.

Simultaneously, the risk to PHI is increasing. Cyberattacks are common in healthcare. According to a Healthcare IT News and HIMSS Analytics study, some 75% of “responding healthcare entities either were or could potentially have been targeted with a ransomware attack” in 2017.

Healthcare providers, hospitals, physician offices, and more are often targeted. Cyber criminals can’t resist the wealth of information in healthcare records (such as Social Security numbers, insurance information, relationship data, and payment processing details).

A March 2019 review of the past six months of headlines at Healthsecurityit.com makes the point crystal clear:

  • 120,000 Health Alliance Patients Impacted by Wolverine Breach
  • Ransomware Attack Impacts EHR of Rhode Island Provider
  • Weekend Ransomware Attack Interrupts Care at 2 Ohio Hospitals
  • Ransomware Attack on May Eye Care Breaches 30K Patient Records
  • Health Data Breach Compromised PHI on 566K CNO Customers
  • Ransomware Attack at Iowa Eye Clinic Puts PHI of 40K at Risk

In Q3 2018, healthcare was the top target for ransomware attacks, with ransom demands jumping to as much as $2.8 million, according to insurer Beazley.

HIPAA Gap Assessments Facilitate Compliance

Healthcare entities need to have their networks and systems locked down to facilitate HIPAA compliance and protect electronic PHI. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires a documented risk analysis to evaluate both risks and vulnerabilities and the security measures taken to protect ePHI integrity.

One approach is a vulnerability scan, a high-level, semi-automated test typically run quarterly or semi-annually as a cybersecurity checkup. Another is a HIPAA gap analysis, which is used to discover security problems. This high-level, narrow examination checks “whether certain controls or safeguards required by the Security Rule are implemented,” according to OCR.

But a HIPAA risk assessment or HIPAA-Protocol Audit alone is not enough. That’s why RedTeam Security Consulting has partnered with the Boulay Group in our newest service offering, a combination penetration test and HIPAA gap assessment. Boulay’s certified technical professionals can advise on information security and technological risk. We build on the foundations their work offers.

More thorough HIPAA penetration testing sees cybersecurity experts working to exploit healthcare vulnerabilities and gain network access. After all, maintaining compliance and ensuring healthcare data security depends on:

  • Identifying environmental security flaws
  • Understanding level of organizational risk
  • Addressing any vulnerabilities identified.

Using the same automated and manual approaches motivated hackers might use to compromise personnel, physical premises, and networks and IT assets, penetration testers dig deeper.

To convey the difference in medical terms, getting an annual checkup from your family doctor or general practitioner is smart, but sometimes you need a specialist’s opinion. When you want to get to the bottom of a particular health concern or issue, you go to the expert in that field. Pen testers are your cybersecurity experts, while the gap analysts are the GPs.

Remaining compliant and avoiding the cost of regulatory fines is the main motivator for healthcare providers. Yet by pairing HIPAA gap analysis with penetration testing, your organization can better develop an integrated defense strategy to drive strategic, operational and enterprise value while readying for cybersecurity threats today and in the future.

Key Takeaway

In partnership with Boulay, RedTeam Security Consulting now pairs HIPAA Gap Assessment with penetration testing. This service assists healthcare organizations in fully meeting regulatory mandates and reducing information security risk. Your penetration testing report will cover all flaws found and their corresponding description, risk rating, impact, likelihood, evidence and remediation steps. Our experts also remain available to you to make sure the path to better protection is clear.
