Penetration Testing for Compliance: The Top 5 Laws and Regulations that Require Testing
Penetration testing is one of the most effective measures a company can take to improve its corporate vulnerability assessments. In a penetration test, a qualified expert attempts to scale the cybersecurity wall a company has built. In the process, the penetration tester discovers where the weak spots are in a company’s security plan. Some people call penetration testing “white hat hacking.” Essentially, you’re hiring a good guy to act like a bad guy in hopes of beating that bad guy at his own game. For companies, penetration testing offers two important benefits — security and regulatory compliance.
Rising cybercrime, such as the Equifax breach, has affected millions of Americans who now insist on knowing that companies will keep their data secure. And government regulators are happy to help them do it by penalizing companies that do not comply with federal guidelines.
Today, cybersecurity means more than a badge on the website to assuage customer fears. It also means staying on the right side of the law. Companies in highly regulated industries such as healthcare, retail, and financial services now need cybersecurity experts who can provide penetration testing guidance in order to keep their businesses compliant with ever-tightening security regulations.
Top Five Laws and Regulations that Require Penetration Testing
1. Medical Device Manufacturing
Networked medical devices that operate within the Internet of Things (IoT), often referred to as the Internet of Medical Things (IoMT), can save healthcare professionals time and money. Plus, these medical tools benefit patients and their families in countless ways. Unfortunately, IoMT devices also make it easy for black hat hackers to crack their way into reams of valuable information, as well as to engage in acts of malice such as reprogramming pacemakers or draining the batteries in life-saving machines. Unsecured medical devices can even leave entire systems vulnerable to eager hackers. Healthcare records are high-value targets for cybercriminals, selling for up to $1,000 a record as opposed to less than a dollar for some Social Security numbers.
The Food and Drug Administration’s (FDA) medical device penetration testing regulations are piling up as the agency struggles to keep pace with the evolution of medical technology and advances in cybersecurity. Experts predict the medical device market will grow 30% by 2025. Even in this fast-accelerating environment, only about half of medical device manufacturers actually follow FDA guidelines for reducing security risks. Unfortunately, this attitude can lead to serious consequences.
For example, a data breach that results in HIPAA (Health Insurance Portability and Accountability Act of 1996) violations can lead to heavy fines, and FDA crackdowns are on their way. In late 2018, the Department of Health and Human Services Office of the Inspector General (IG) critiqued FDA procedures in assessing post-market cybersecurity risk to medical devices. The office wanted “to ensure there is a reasonable assurance that medical devices legally marketed in the United States are safe and effective for their intended uses.”
2. Healthcare Delivery
HIPAA laws govern medical privacy in the U.S. Not only does HIPAA prevent your doctor from sharing information about your health with other people, but it also mandates how healthcare organizations protect medical records. At HIPAA’s inception in 1996, most records consisted of paper files. Stealing those would take a crowbar and physical presence in the physician’s office. Today, those same records sit on servers and in clouds where hackers can gain access from across international borders.
HIPAA Evaluation Standard § 164.308(a)(8) specifically addresses the safety, privacy, and electronic exchange of medical information. Its penetration testing requirements allow both technical and non-technical evaluations of security, including white hat hacking, when deemed reasonable and appropriate. Regardless of the evaluation performed, healthcare providers must regularly test data security or face fines ranging from $100 to $50,000 per record compromised.
3. Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) serves as the information security standard for organizations that handle branded credit cards, including Visa, Mastercard, American Express, and Discover. One of PCI DSS’s 12 requirements is regular network monitoring and testing. As part of that requirement, the standard differentiates between vulnerability scans and penetration tests, but requires both. To maintain penetration testing compliance, companies must complete a pen test at least once every six months, although many experts believe a quarterly test is more congruent with actual needs.
4. Technology Service
The American Institute of CPAs developed SOC 2 as a way of ensuring that technology service organizations uphold its five standards of security, availability, processing integrity, confidentiality, and privacy. SOC 2 is flexible, allowing each organization to define its own controls, but to gain SOC 2 certification, organizations must pass an external audit. SOC 2 requires penetration testing every six months to verify that controls are implemented effectively. As with PCI DSS, however, quarterly tests help make sure an organization is secure, not just compliant.
5. Financial Industry Regulatory Authority (FINRA)
FINRA establishes the cybersecurity rules for financial organizations such as securities firms. As a nonprofit organization, it helps companies meet The Securities Exchange Act of 1933 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewritable, non-erasable format. The organization expects members to adopt the elements of a strong penetration testing program through regularly rotating contracts with third-party cybersecurity agencies that take a risk-based approach to identifying vulnerabilities and evaluating security.
Both consumers and agencies are growing increasingly concerned about the threats that cyber-insecurity may pose to financial, retail, healthcare, personal, and national security. Hence, both public and private regulatory agencies are establishing new guidelines and requiring increased testing in order for member companies to remain compliant. Cybersecurity professionals who pursue a career in penetration testing can help these organizations stay on top of their security measures and spot any potential weaknesses in the cybersecurity perimeter.