Solicited Public Comment on HIPAA Security Rule NPRM To Strengthen the Cybersecurity of ePHI

Author: Secure Ideas

The Department of Health and Human Services (HHS) proposes to raise the bar set by the Security Standards for the Protection of Electronic Protected Health Information (the HIPAA Security Rule). To that end, HHS has issued a notice of proposed rulemaking (NPRM) soliciting feedback on the proposal.

This response specifically addresses Chapter V: Regulatory Impact Analysis > Sub-Chapter A: Executive Order 12866 and Related Executive Orders on Regulatory Review, focusing on:

  • Section 2: Baseline Conditions > Analytic Assumptions
  • Section 3: Costs of the Proposed Rule > Sub-Section H: Costs Related to Regulated Entities Conducting Penetration Testing.  

To push back against the assumptions of the NPRM, we rely on the Penetration Testing Execution Standard (PTES) as well as insights drawn from decades of hands-on experience in the field. The constituent phases of the PTES may be expanded, consolidated, or labeled differently from one organization to the next depending on what is being tested, but none of them should be lightly omitted altogether. That is to say, a high-quality penetration test by any other name will still meet the benchmarks set forth in the PTES.

Key Points of Concern
  1. The NPRM greatly underestimates the amount of time and effort needed for a thorough penetration test.
  2. Roughly 75% of the regulated entities are small to medium size businesses, and an estimated 90% of healthcare providers are small businesses.  The NPRM misrepresents the costs to these organizations, which cannot afford the $250,000 annual price tag associated with the average Information Security Analyst (ISA).

1. A penetration test takes much longer than 10 hours to perform.

HHS estimates that each regulated entity would spend an average of 3 hours conducting penetration testing, with a range of 2 to 10 hours. It assumes a cost of $120 an hour, derived from an ISA wage of $60 an hour that is "fully loaded" to cover overhead. HHS acknowledges that effort will vary widely between entities depending on their size and technological sophistication, but even the upper end of that range falls far below industry norms.

Penetration Testing Hourly Estimates

The table below gives estimated hours for the manual testing portion of a combined internal and external network penetration test across small, medium, and large environments, based on real-world engagements. All figures are in hours of tester effort.

Task                                                                        Small Scope  Medium Scope  Large Scope
Planning (Reconnaissance)                                                          4             8          12+
Planning/Discovery (1) (Intelligence Gathering / System & Service Mapping)        4             8          12+
Discovery/Attack (Vulnerability Analysis / Threat Modeling & Exploitation)         8             8          12+
Discovery (Additional Reconnaissance)                                              4             8          12+
Planning/Discovery                                                                 4             8          12+
Attack/Additional Discovery (Exploitation / Post-Exploitation)                     4             8          12+
Reporting (Draft)                                                                  8             8          12+
Reporting (Review/Finalization)                                                    4             8          10+
Total Time (hours)                                                                40            64          94+

(1) The process from Discovery through Post-Exploitation is cyclical: each finding can trigger another round of discovery, analysis, planning, and attack, and every iteration adds complexity and time. Assuming that penetration testing is a quick process underestimates the challenges of today's healthcare environments, which often include custom applications, highly sensitive data, and legacy systems that require detailed and methodical testing.

2. Most regulated entities may not be able to afford an Information Security Analyst (ISA).

In the first paragraph of the Analytic Assumptions subsection, HHS appears to have carefully considered the wages of an ISA on staff. The wage seems fair and "fully loaded" to include taxes, insurance, benefits, and the like. By HHS's figures, an ISA on staff costs a regulated entity roughly $250,000 per year (consistent with $120 an hour over a 2,080-hour work year). While this may be a reasonable assumption for large institutions, it does not reflect the reality for small and mid-sized healthcare providers, which make up the majority of covered entities. Many rural doctor's offices and small healthcare facilities have no dedicated security staff and instead rely on third-party providers for IT and security. Those firms typically charge higher hourly rates than an in-house ISA would cost and pass that cost on to the practice. If roughly 90% of healthcare providers and 75% of covered entities are in the position of outsourcing their IT needs, the NPRM's cost estimate does not hold for most of the organizations for which it was written.

Final Thoughts

Secure Ideas, LLC has been in business for 15 years and is a firm of security professionals with decades of combined experience in penetration testing and security consulting. HHS is proposing a well-intended and overdue change to the Security Rule. However, the proposed changes do not accurately represent realistic time estimates or the real-world financial burden on the small and medium sized businesses for which the rules are written. Under the proposed changes, regulated entities will spend far more than 2 to 10 hours on a penetration test, and they will pay more than $120 per hour for that effort. The financial impact, as represented in the "HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information," is realistic only for a minority of covered entities. Again, we support the proposed penetration testing requirements, but our profession's standards of ethics and transparency compel us to speak up on this matter.

The writers behind this blog, David Card, Giovanni Cofré, Kathy Collins, and Pablo Vergara bring decades of combined experience in penetration testing and cybersecurity. As experts at Secure Ideas, they provide invaluable insights into the real-world challenges healthcare organizations face in securing electronic protected health information. Stay tuned for more thought-provoking articles from these seasoned professionals!
