Looking for a Business Associate Agreement? Download our FREE starter template.
Total HIPAA Logo

What to Do If a Client or Auditor Asks for a Pen Test

Sep 12, 2022

If your organization handles sensitive information, you may encounter a client, security auditor, or third party asking for a copy of your most recent penetration test. This test, otherwise known as a pen test, is a cybersecurity technique organizations use to identify, test, and mitigate vulnerabilities in their security posture. The in-house employees or third parties performing the test mimic the strategies of hackers to evaluate the susceptibility of an organization’s systems, network or applications. 

Due to the comprehensive nature of a pen test’s evaluation and findings, anyone with a copy of the test’s results has an in-depth guide to how your organization can be hacked. So is it safe to share this information with a third party? Let’s find out.

What clients and auditors are looking for

It’s common to receive audits or security questionnaires from third parties. If it’s a simple questionnaire, you may just have to check a box attesting that you have security policies and procedures in place, or that you’ve performed a pen test. But some parties may ask to see a copy of your policies and procedures, pen test findings, or other forms of documentation which reveal confidential information about your organization. 

We talked to a few HIPAA and cybersecurity experts to hear their insights into what organizations should do when confronted with this type of scenario. Total HIPAA Chief Compliance Officer Jason Karn said “I’m okay with sharing Policies and Procedures as long as there is an NDA in place. Though, I’d prefer to only share a summary.” 

But even a summary contains sensitive information. “If you know the firewall device,” Karn said, “then you can test any known vulnerabilities, and it can be an easy way into a network.” That’s why he recommends following the minimum necessary rule, and releasing the minimum amount of information the other party will accept. Always offer a summary first, and only release copies of your full policies and procedures if absolutely necessary.

Business confidentiality

In general, organizations handling PHI and other sensitive information should follow the minimum necessary rule when it comes to granting others access. David Smith, Vice President of Compliance for Ebenconcepts and a Total HIPAA Key Contributor, said:

“I do think there is a cautionary point about sharing too much detail – one of the things I’m running into is folks having very good “general” policies and procedures, but the requestor asking for much greater operational details. There’s a point where business confidentiality must play a big role in the nature of the response.”

This is why it’s important to find ways you can satisfy a third party auditor’s request while still observing the minimum necessary rule. If a third party auditor is asking for a pen test, Karn says, proceed with caution:

“It’s my opinion that a full pen test report should not be shared,” he said. “That’s a roadmap into someone’s system, and how do you know that the company you’re sharing the information with is secure? They should have a pen test executive summary, that would be more appropriate for sharing.” 

There are, however, alternative solutions. If a third party auditor insists on seeing policies and procedures, or the pen test report, Karn suggests following these protocols:

“If the group insists on seeing the full report, they can do it via screen share, or potentially invite them to come review it on premises,” he said. “They need to maintain full control of this report since it has such sensitive information.”

By taking a tactical approach to outside parties’ access to confidential information, you keep your organization and your clients or employees safe. Following these practices is key to organization security.

Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your business.

Want to know more about how you can become HIPAA compliant?
Email us at info@totalhipaa.com to learn more about how we can help your organization become (and stay!) HIPAA compliant. Or, get started here.

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch.

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2022

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document

Related Posts

Is Gmail’s Confidential Mode HIPAA Compliant?

Is Gmail’s Confidential Mode HIPAA Compliant?

Gmail is exceedingly popular among email users for both personal and business purposes — and for good reason. It’s the second most widely-used email platform, after Apple Mail. It’s well run, user...

Five Key Takeaways from Our July Webinar

Five Key Takeaways from Our July Webinar

We recently hosted a webinar, “Annual HIPAA Requirements and Security Standards,” in which we discussed annual HIPAA requirements, document review, and the compliance procedures you need to have in...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)

[el.selectedIndex]
[el.selectedIndex]
[fieldObj.selectedIndex]
[fieldObj.selectedIndex]
[el.selectedIndex]
[el.selectedIndex]
[fieldObj.selectedIndex]
[fieldObj.selectedIndex]
[el.selectedIndex]
[el.selectedIndex]
[fieldObj.selectedIndex]
[fieldObj.selectedIndex]