Mythbusting: Penetration Testing Requirements for GDPR, HIPAA, and Other Regulations 

An important aspect of any company’s cybersecurity posture is knowing the regulatory and compliance requirements that pertain to your business. However, it is equally important to know the resources, processes, and frameworks that can help your company satisfy those requirements.

Familiarizing yourself with cybersecurity tools, such as penetration testing, is critical to improving your cybersecurity posture and to staying compliant with industry regulations. Here are some details to consider:

What is Penetration Testing?

Penetration tests and vulnerability tests act like stress tests to your network and connected devices to locate potential vulnerabilities. Penetration testing is sometimes referred to as ethical hacking, as it is an authorized simulated cyber-attack on a computer system to evaluate the security of the system. The NIST standards framework defines Penetration Testing as:

“a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyberattacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies.”

In addition to utilizing penetration testing, another valuable cybersecurity tool for any company is a network vulnerability scanner. This tool, rather than simulating an attack, runs autonomously to scan your whole network for common or known vulnerabilities and provides detailed reports to help you understand what risks to consider. Both tools are critical to protecting your network.

Is my business required to conduct Penetration Testing?

Different regulations have different requirements when it comes to security testing. For example, The General Data Protection Regulation (GDPR), which applies to organizations that handle personal information related to European citizens (as well as companies who do business with these entities), specifies that data security testing must occur, but does not detail what test to run or how often. Article 32 of GDPR requires:

a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”

Another example is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which serves to assure security and data privacy of sensitive health information. HIPAA applies to health plans, healthcare clearinghouses, and healthcare providers. According to HIPAA, these entities should:

“…perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.”

Other regulations like the NY SHIELD Act contain similar requirements around regular testing, but also do not specify what tests and how frequently companies should run those tests.

So, what does this all mean?

In short, the best offense is a good defense from both a security and compliance perspective.

While penetration testing may not explicitly be called out to check the box of GDPR, HIPAA, the NY SHIELD Act, or other cybersecurity and data security regulation compliance, businesses should view penetration testing as a tool to maintain a strong cybersecurity posture and help meet federal, state, local, and even customer security compliance requirements.

Stay Safe,

Your Friends @ Defendify

Resources & insights

Why You Could Be Denied Cyberattack Insurance Coverage
Why You Could Be Denied Cyberattack Insurance Coverage
As you’re working toward achieving robust cybersecurity, the subject of cyber attack insurance coverage and cybersecurity insurance requirements is sure to enter the discussion.
Cost of a Cyberattack vs. Cybersecurity Investment
Cost of a Cyberattack vs. Cybersecurity Investment 
Detailing the cost of a cyberattack versus the ROI of a cybersecurity investment enables leadership to see cybersecurity solutions are worth it.
Defendify Listed as a High Performer in Six G2 Grid Categories
Defendify Listed as a High Performer in Six G2 Grid Categories
The Defendify Cybersecurity Platform has been listed as a High Performer in six Summer 2022 Data Security Software Category Reports on the technology review site G2.

Protect and defend with multiple layers of cybersecurity

Defend your business with All-In-One Cybersecurity®.

Explore layered

Learn more about Defendify’s three key layers and All-In-One Cybersecurity®.

How can we help?

Schedule time to talk to a cybersecurity expert to discuss your needs.

See how it works

See how Defendify’s platform, modules, and expertise work to improve security posture.

Take the first step toward comprehensive cybersecurity with a free Defendify Essentials package

Gain access to 3 award-winning cybersecurity modules. Nothing to install. Nothing to pay for.