Mythbusting: Penetration Testing Requirements for GDPR, HIPAA, and Other Regulations 

An important aspect of any company’s cybersecurity posture is knowing the regulatory and compliance requirements that pertain to your business. However, it is equally important to know the resources, processes, and frameworks that can help your company satisfy those requirements.

Familiarizing yourself with cybersecurity tools, such as penetration testing, is critical to improving your cybersecurity posture and to staying compliant with industry regulations. Here are some details to consider:

What is Penetration Testing?

Penetration tests and vulnerability tests act like stress tests to your network and connected devices to locate potential vulnerabilities. Penetration testing is sometimes referred to as ethical hacking, as it is an authorized simulated cyber-attack on a computer system to evaluate the security of the system. The NIST standards framework defines Penetration Testing as:

“a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyberattacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies.”

In addition to utilizing penetration testing, another valuable cybersecurity tool for any company is a network vulnerability scanner. This tool, rather than simulating an attack, runs autonomously to scan your whole network for common or known vulnerabilities and provides detailed reports to help you understand what risks to consider. Both tools are critical to protecting your network.

Is my business required to conduct Penetration Testing?

Different regulations have different requirements when it comes to security testing. For example, The General Data Protection Regulation (GDPR), which applies to organizations that handle personal information related to European citizens (as well as companies who do business with these entities), specifies that data security testing must occur, but does not detail what test to run or how often. Article 32 of GDPR requires:

“a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”

Another example is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which serves to assure security and data privacy of sensitive health information. HIPAA applies to health plans, healthcare clearinghouses, and healthcare providers. According to HIPAA, these entities should:

“…perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.”

Other regulations like the NY SHIELD Act contain similar requirements around regular testing, but also do not specify what tests and how frequently companies should run those tests.

So, what does this all mean?

In short, the best offense is a good defense from both a security and compliance perspective.

While penetration testing may not explicitly be called out to check the box of GDPR, HIPAA, the NY SHIELD Act, or other cybersecurity and data security regulation compliance, businesses should view penetration testing as a tool to maintain a strong cybersecurity posture and help meet federal, state, local, and even customer security compliance requirements.

Stay Safe,

Your Friends @ Defendify