Answering the Age Old Question

True or False: Are penetration tests and vulnerability scans one and the same?

If you answered “False,” you are correct. Even so, the difference between these two information security services is easy to miss. While both are incredibly valuable in building a strong threat and vulnerability management program, penetration tests and vulnerability scans are often misunderstood and used interchangeably.

Before defining the two services, let’s start with an analogy from one of our certified audit support team members. Think of a vulnerability scan as walking around the house rattling doorknobs and pushing on windows to see which ones are unlocked or open. Taking care of these easy security items, much like locking the garage’s back door or the basement window, helps keep your house secure. A penetration test would be entering your home through an open window or unlocked door to emulate a burglar breaking in. By completing this exercise, you expose security weaknesses before someone with bad intentions takes advantage of them.

Penetration Tests

A penetration test simulates the actions of an external or internal cyber attacker (the tester is often called an ethical hacker) who strives to breach the information security of an organization. Simply put, it can be thought of as a person trying to bypass application controls and “break into” a network system to take data or seek further access to other internal databases. There are many different tools and techniques an ethical hacker can use as they attempt to exploit critical systems and gain access to sensitive data. By implementing penetration testing, organizations can identify gaps between possible threats and existing controls.

HIPAA One offers penetration testing and ongoing threat management solutions and tools through our trusted partner, TwelveSec. By partnering with TwelveSec, we are able to provide a wide array of services designed to manage threats against your network, including Assurance Services, Security Management Services and Information Security Training Services. HIPAA One also offers free, unlimited post-remediation verification for any risks discovered during the Penetration Testing project. For additional information, click here.

Vulnerability Scans

Unlike the manual practice of a penetration test, a vulnerability scan is a software tool designed to inspect the potential points of exploit on a computer or network to identify security holes. By checking internet-facing devices against “known” Common Vulnerabilities and Exposures (CVEs), a vulnerability scan can detect and classify system weaknesses in computers, networks and communications equipment. Vulnerability scans are configured for safe checks, meaning the scan will only identify known, unpatched security vulnerabilities on the external IP addresses provided and will not conduct any denial of service (DoS). A free example of a vulnerability scan can be found at and focuses on encryption and certificate exchange.

There are many software options that may be utilized for vulnerability scanning, as certain tools are specific to different types of computing infrastructure. It is important to understand that a vulnerability scanning tool is only as good as the CVE dictionary within the software, and one tool may not be all an organization needs. It is fairly standard for attackers to use anywhere from 6-10 different software scans to speed up the process of identifying easy ways of bypassing application and infrastructure security controls.
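To make the two points above concrete (a scan is a safe, version-against-dictionary check, and its coverage is only as good as that dictionary), here is an added example of the matching step a scanner performs after service discovery. It is illustrative code written for this article, not HIPAA One’s, Nessus’ or TwelveSec’s software. The hosts, banners, dictionaries and CVE-style identifiers (`CVE-XXXX-000n`) are constructed placeholders, and the two dictionaries deliberately overlap only partially so that merging two tools’ output shows what each one would have missed on its own.

```python
"""Constructed example: version-based vulnerability matching with two
scanner dictionaries, merged and classified by severity.

Everything here is placeholder data for illustration; the identifiers
are NOT real CVE entries and the hosts are in a documentation IP range.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    """One entry of a scanning tool's vulnerability dictionary (constructed)."""
    cve_id: str        # placeholder identifier, not a real CVE
    product: str
    fixed_in: Version  # first version that carries the fix
    severity: str      # "critical", "high", "medium" or "low"


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    product: str
    version: str
    cve_id: str
    severity: str
    source: str        # which tool's dictionary produced the finding


def parse_version(text: str) -> Version:
    """'2.4.41' -> (2, 4, 41); '8.2p1' -> (8, 2). Trailing tags are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: Version, advisory: Advisory) -> bool:
    """Safe check: a pure comparison of the banner the service already
    volunteered against the fix line. No exploit traffic is sent."""
    return version < advisory.fixed_in


def scan(inventory: Iterable[Tuple[str, int, str, str]],
         dictionary: Dict[str, List[Advisory]],
         source: str) -> List[Finding]:
    """Match every (host, port, product, version) against one tool's dictionary."""
    findings: List[Finding] = []
    for host, port, product, version_str in inventory:
        version = parse_version(version_str)
        # A product absent from the dictionary yields nothing: the tool
        # is blind to it, which is the "only as good as its CVE list" point.
        for adv in dictionary.get(product, []):
            if is_affected(version, adv):
                findings.append(Finding(host, port, product, version_str,
                                        adv.cve_id, adv.severity, source))
    return findings


def merge(*runs: List[Finding]) -> Dict[Tuple[str, int, str], Finding]:
    """Combine several tools' output, deduplicating on (host, port, cve)."""
    merged: Dict[Tuple[str, int, str], Finding] = {}
    for run in runs:
        for f in run:
            merged.setdefault((f.host, f.port, f.cve_id), f)
    return merged


def coverage_gap(a: List[Finding], b: List[Finding]) -> Tuple[Set[str], Set[str]]:
    """Issue IDs each tool missed that the other reported: (missed by a, missed by b)."""
    ids_a = {f.cve_id for f in a}
    ids_b = {f.cve_id for f in b}
    return ids_b - ids_a, ids_a - ids_b


def severity_summary(merged: Dict[Tuple[str, int, str], Finding]) -> Dict[str, int]:
    """Count merged findings per severity class."""
    summary: Dict[str, int] = {}
    for f in merged.values():
        summary[f.severity] = summary.get(f.severity, 0) + 1
    return summary


# Constructed dictionaries for two hypothetical tools; they share one entry.
TOOL_A_DICTIONARY = {
    "OpenSSH": [Advisory("CVE-XXXX-0001", "OpenSSH", (7, 9), "high")],
    "Apache":  [Advisory("CVE-XXXX-0002", "Apache", (2, 4, 50), "critical")],
}
TOOL_B_DICTIONARY = {
    "OpenSSH": [Advisory("CVE-XXXX-0001", "OpenSSH", (7, 9), "high")],
    "nginx":   [Advisory("CVE-XXXX-0003", "nginx", (1, 21, 0), "medium")],
}

# Constructed service inventory: (host, port, product, reported version).
INVENTORY = [
    ("203.0.113.10", 22, "OpenSSH", "7.4"),
    ("203.0.113.10", 443, "Apache", "2.4.41"),
    ("203.0.113.11", 22, "OpenSSH", "8.2p1"),   # already above the fix line
    ("203.0.113.12", 80, "nginx", "1.18.0"),
]

if __name__ == "__main__":
    run_a = scan(INVENTORY, TOOL_A_DICTIONARY, "tool-a")
    run_b = scan(INVENTORY, TOOL_B_DICTIONARY, "tool-b")
    combined = merge(run_a, run_b)
    missed_by_a, missed_by_b = coverage_gap(run_a, run_b)
    for f in combined.values():
        print(f"{f.host}:{f.port} {f.product} {f.version} -> {f.cve_id} ({f.severity}, via {f.source})")
    print("missed by tool-a:", sorted(missed_by_a), "| missed by tool-b:", sorted(missed_by_b))
    print("severity summary:", severity_summary(combined))
```

Run as a script, it lists three unique findings across the two tools and shows that each dictionary missed one issue the other caught, which is why the article’s advice to run more than one scanner holds even when every check is a harmless version comparison.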

HIPAA One includes a Nessus Professional Feed vulnerability scan with each HIPAA security risk analysis software license. Using Nessus Professional Feed, HIPAA One will run a vulnerability scan on external IP addresses during the course of the HIPAA security risk analysis. For more information or to get started, Contact Us today!
