While HIPAA does not have a specific requirement with regard to penetration and vulnerability testing, it is a requirement that comes up regularly in security assessments performed by health systems. Frameworks such as HITRUST CSF also require it. Penetration / vulnerability tests should be performed on a regular basis, especially when major changes are deployed.
We recommend that you use the services of an outside vendor, contractor, or internal security team to perform any penetration / vulnerability tests of your entire stack running on top of the Healthcare Blocks platform. These resources can work closely with your development team to address any issues found, which typically exist in the web interfaces of your applications.
Healthcare Blocks Security Testing Services
Healthcare Blocks also offers penetration and vulnerability testing at a cost of $150 per hour. Please create a help desk ticket with the URLs and/or server IP addresses you'd like to test, and we'll provide you with an estimate.
Penetration Testing Requires Approval by AWS
If Healthcare Blocks is performing your testing, you can skip the following section, since we'll take care of the authorization step. Otherwise, your testing vendor should review the following details.
AWS, our infrastructure provider, requires authorization of penetration tests. Vulnerability tests do not require approval if they do not attempt to probe ports. If you'd like additional information, go here.
Penetration test requests are submitted by us on your behalf and require the following pieces of information, to be submitted through the help desk.
1. Machines to be Scanned (Target)
2. Scanning IP addresses (Source)
3. Total Bandwidth (expected Gbps)
4. Peak Requests Per Second
5. Start Date and Time
6. End Date and Time
7. Contact Info of Person Responsible for Testing (including email and phone number)
You are NOT limited in your selection of tools or services to perform a security assessment of your AWS assets. However, you ARE prohibited from using any tools or services in a manner that performs Denial-of-Service (DoS) attacks, or simulations of such attacks, against ANY AWS asset, yours or otherwise. Prohibited activities include, but are not limited to:
- Protocol flooding (e.g., SYN flooding, ICMP flooding, UDP flooding)
- Resource request flooding (e.g., HTTP request flooding, login request flooding, API request flooding)
Testing is not authorized until Healthcare Blocks notifies you that AWS has approved the request. Authorization by AWS can take up to 48 business hours.