What is Penetration Testing?
Penetration testing helps you locate weaknesses in your applications and/or network, using the same methods and techniques that a potential intruder would use in a real-world scenario: scanners, exploits and manual attacks. To put it in simple terms – we hack you before the bad guys do. Only a penetration test can simulate what would happen if an intruder were to attack you, and it can verify the controls you have in place for your HIPAA security compliance. This is often conducted as part of your required HIPAA Risk Assessment. Technically testing the controls and policies you have put in place helps to satisfy this requirement. Simply having policies without testing them does nothing. The ultimate goal of a penetration test is to obtain unauthorized access and/or to retrieve sensitive data, such as ePHI, that no one should have access to.
Why is it important?
It will help you determine which security risks in your application or network could potentially allow intruders to gain access to ePHI, and allow you to minimize the risk involved. It’s better that you find the problem before someone else does and takes advantage of it.
What information do we receive when it’s complete?
We provide your organization a full report containing a complete assessment of our findings, their potential impact, and information for you to review to aid in mitigating the potential threats to your application and/or network. It will give you an excellent starting point for determining where your security posture currently stands with regard to your HIPAA & HITECH security compliance. Depending on the target, this process can take anywhere from 7-30 days. This isn’t an automated process; it takes some time to gather and validate our findings.
Who needs a penetration test?
Any business that is concerned with its overall HIPAA & HITECH security posture; especially anyone that needs to be HIPAA compliant and/or to meet other regulatory standards for their data and networks. This includes business associates, their own business associates, and all vendors that they use.
Penetration Testing Packages
The packages vary by hours spent testing, and all our penetration packages include both automated and manual testing. Once we have a testing agreement in place, one of our principal security consultants will be in touch within 1 business day to obtain your testing target details & information. Our plans include the following as part of the service:
- Internal Network Scanning*
- System Fingerprinting & Port Scanning*
- Services Probing*
- Vulnerability Testing and Manual Verification
- Configuration Weakness Testing and Verification
- Full public facing Application Layer Testing
- Firewall and ACL Testing*
- Administrator Privileges Escalation Testing
- Password Testing
- Network Controls Testing*
- Database Security Testing
- Scan for Known Malware
*Not applicable for 3rd party hosted solutions or simple web applications
We offer three levels of testing and pricing is based on an initial review of the requirements. The pricing ranges from 800.00 to over 20,000 but will vary depending upon your needs. All of the packages below can be customized to fit your exact needs.
Tier 1 – This service is recommended for smaller organizations operating only a public website that might include a CMS system or e-commerce storefront. Testing includes evaluation of the security of the web application and, where possible, the server it resides on (this may be an issue on shared hosting accounts if you are using a 3rd party solution).
Tier 2 – Recommended for small- to medium-sized organizations of 5 to 50 employees with internal file and email servers, workstations, wireless networks, laptops, biometrics, printers/scanners and mobile devices, as well as network infrastructure such as routers and firewalls. This is for a single physical location. This often includes the services for remotely hosted web applications that you own (from the “Basic” package).
Tier 3 – In addition to the above, this testing expands the vulnerability assessment and penetration test to include your physical controls, such as cameras and locks, and 3rd-party cloud services such as AWS (which will require their permission as well). This addresses the needs of organizations that require a more in-depth look at their security because they utilize more technology. This can also include a second physical location and may involve social engineering and phishing attacks.
All of our penetration testing is done by professional, certified ethical hackers who hold a minimum of 3 of the following security-related certifications. They have also taken additional courses and continually review HIPAA & HITECH standards to make sure that their testing covers the appropriate areas. This means that they must adhere to a very high ethical standard:
- CEH (Certified Ethical Hacker)
- CHFI (Computer Hacking Forensic Investigator)
- OSCP (Offensive Security Certified Professional)
- OSWP (Offensive Security Wireless Professional)
- CISSP (Certified Information Systems Security Professional)
When you’re ready to move forward with a penetration test – start the process by contacting us and letting us know that you’re interested.