Penetration and Vulnerability Testing

Guidance

While HIPAA does not have a specific requirement for penetration and vulnerability testing, it is a requirement that comes up regularly in security assessments performed by health systems, and frameworks such as HITRUST CSF do require it. Penetration / vulnerability tests should be performed on a regular basis, and especially after major changes are deployed.

We recommend that you use the services of an outside vendor, contractor, or internal security team to perform any penetration / vulnerability tests of your entire stack running on top of the Healthcare Blocks platform. These testers can work closely with your development team to address any findings, which typically exist in the Web interfaces of your applications.

Restrictions

The following activities are prohibited:

- Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
- Port flooding
- Protocol flooding
- Request flooding (login request flooding, API request flooding)

Rate Limits

To ensure your testing is successful, please limit your scanning traffic to 1 Gbps or 10,000 requests per second (RPS).