If your organization handles sensitive information, you may encounter a client, security auditor, or third party asking for a copy of your most recent penetration test. This test, otherwise known as a pen test, is a cybersecurity technique organizations use to identify, test, and mitigate vulnerabilities in their security posture. The in-house employees or third parties performing the test mimic the strategies of hackers to evaluate the susceptibility of an organization’s systems, network or applications.
Due to the comprehensive nature of a pen test’s evaluation and findings, anyone with a copy of the test’s results has an in-depth guide to how your organization can be hacked. So is it safe to share this information with a third party? Let’s find out.
What clients and auditors are looking for
It’s common to receive audits or security questionnaires from third parties. If it’s a simple questionnaire, you may just have to check a box attesting that you have security policies and procedures in place, or that you’ve performed a pen test. But some parties may ask to see a copy of your policies and procedures, pen test findings, or other forms of documentation which reveal confidential information about your organization.
We talked to a few HIPAA and cybersecurity experts to hear their insights into what organizations should do when confronted with this type of scenario. Total HIPAA Chief Compliance Officer Jason Karn said “I’m okay with sharing Policies and Procedures as long as there is an NDA in place. Though, I’d prefer to only share a summary.”
But even a summary contains sensitive information. “If you know the firewall device,” Karn said, “then you can test any known vulnerabilities, and it can be an easy way into a network.” That’s why he recommends following the minimum necessary rule, and releasing the minimum amount of information the other party will accept. Always offer a summary first, and only release copies of your full policies and procedures if absolutely necessary.
In general, organizations handling PHI and other sensitive information should follow the minimum necessary rule when it comes to granting others access. David Smith, Vice President of Compliance for Ebenconcepts and a Total HIPAA Key Contributor, said:
“I do think there is a cautionary point about sharing too much detail – one of the things I’m running into is folks having very good “general” policies and procedures, but the requestor asking for much greater operational details. There’s a point where business confidentiality must play a big role in the nature of the response.”
This is why it’s important to find ways you can satisfy a third party auditor’s request while still observing the minimum necessary rule. If a third party auditor is asking for a pen test, Karn says, proceed with caution:
“It’s my opinion that a full pen test report should not be shared,” he said. “That’s a roadmap into someone’s system, and how do you know that the company you’re sharing the information with is secure? They should have a pen test executive summary, that would be more appropriate for sharing.”
There are, however, alternative solutions. If a third party auditor insists on seeing policies and procedures, or the pen test report, Karn suggests following these protocols:
“If the group insists on seeing the full report, they can do it via screen share, or potentially invite them to come review it on premises,” he said. “They need to maintain full control of this report since it has such sensitive information.”
By taking a tactical approach to outside parties’ access to confidential information, you keep your organization and your clients or employees safe. Following these practices is key to organization security.
Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your business.
Want to know more about how you can become HIPAA compliant?
Email us at firstname.lastname@example.org to learn more about how we can help your organization become (and stay!) HIPAA compliant. Or, get started here.