HackenProof Blog / Industry News / HackenProof: Run Bug Bounty Program To Become HIPAA Compliant

HackenProof: Run Bug Bounty Program To Become HIPAA Compliant

What is HackenProof?

HackenProof project specializes in providing cybersecurity services to businesses to detect vulnerabilities before black hat hackers can exploit them for malicious purposes. HackenProof’s researchers conduct penetration testing and organize professional bug bounty programs at the client’s request. HackenProof unites high-skilled ethical hackers from different corners of the world to serve our clients and protect them against any forms of digital threats. You may find more information about HackenProof, its customers and its performance in the following article.

 

What is a bug bounty program?

The bug bounty program is one of the security testing methods used by companies to detect and address vulnerabilities that provides for reaching ethical hackers and inviting them to report bugs in exchange for rewards. Companies can either run their own bug bounty programs or contact specialized platforms like HackenProof to this end. Compared to a pentest, a bug bounty program is a continuous security testing method and a client is free to set up his own program rules. You can find more info about bug bounty programs and their key features in the following publication.

 

Bug bounty program & end-to-end encryption

HIPAA regulation states that covered entities should “implement a mechanism to encrypt Protected Health Information (PHI) whenever deemed appropriate”. The main goal of encryption is to prevent unauthorized users from viewing PHI. The HIPAA regulation, generally, does not treat any safeguard measure as the only right tool that can be applied to protect PHI. That is why covered entities are free to decide what security measures to apply. HIPAA provisions were written with the understanding that new security technologies and methods would inevitably appear and a bug bounty program has become one of them. The entities that want to be fully HIPAA compliant need to focus on ensuring that patients’ private data are protected not only at the stage of transmission but 24/7 wherever they can be stored. In general, end-to-end encryption is just one of the tools used to protect transmitted information while only adequately performed security testing like the one carried out in the form of a bug bounty program can make entities fully eligible for getting HIPAA compliance status.

 

Bug bounty program & HIPAA compliance audit

The U.S. Department of Health and Human Services (HHS) carries out a periodical audit of covered entities and business associates for their compliance with HIPAA. The main aspects of HIPAA compliance are the adequate safeguarding of protected health information (PHI) and the implementation of the HIPAA Security Rule requirements for risk analysis and risk management. Under the Security Management Process standard in the Security rule, organizations are required to “implement policies and procedures to prevent, detect, contain, and correct security violations.” A bug bounty program is a process that provides for meeting all these objectives since white hat hackers not only detect vulnerabilities but also inform entities on how to fix them and then test fixes. 

To become eligible for getting the status of HIPAA compliant organizations also need to assess the level of potential threats to their information systems containing e-PHI. A bug bounty program is a process by running which companies may get an understanding of the scope of security risks in a documented form (reports). Thus, the completion of a bug bounty program will serve as the confirmation of the entity’s focus on security assurance. However, before allowing independent researchers to work on detecting vulnerabilities the entity has to separate the testing environment from the networks containing PHI since in the case-independent researchers access these data, the entity will become the violator of HIPAA.

 

How much can companies save by running bug bounty programs?

Entities failing to adhere to HIPAA standards face financial penalties and are forced to address issues by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. Penalties are imposed on covered entities to ensure that they are held responsible for certain actions or their absence. The sum of the penalty depends on the seriousness of the violation. In most cases, entities become the violators of HIPAA due to risk assessment failures. The sum of financial fines imposed on covered entities ranges between $100 and $50,000 but for critical violations, these figures may be much higher. When an entity can prove that a reasonable amount of care has been contributed to abide by HIPAA rules, then the sum of financial penalty will be minimal or authorities may even decide not to impose any punitive measures. 

In January 2021, the Lifetime Healthcare Companies, including its affiliates Excellus Health Plan have agreed to pay a $5.1 mln fine for the failure to prevent the data breach affecting 9.3 mln people caused by unauthorized access to the information systems from the side of cybercriminals. The organization has also agreed to implement a corrective action plan. In October 2020, Aetna Life Insurance Company and affiliated covered entity (Aetna) has agreed to pay a $1 mln fine for the failure to guarantee the protection of clients’ data. The plan-related documents displayed on two web services to health plan members could be accessed without login credentials. In September 2020, Orthopedic Clinic paid a $1.5 mln fine for non-compliance with HIPAA. In 2016, a malicious actor accessed the entity’s electronic medical record system and stole data belonging to more than 200K patients. According to the results of the investigation, the data breach was caused by the entity’s failure to conduct regular risk analysis, implement risk management, and perform regular audit controls.

If the above-mentioned entities had run regular bug bounty programs, they would have avoided these huge penalties or at least faced much lower fines. The more efforts entities contribute to strengthening their security, the lower their chances to be affected by data breaches and, thus, face huge financial penalties.

 

How much do you need to spend on a bug bounty program?  

Companies can decide to run their own bug bounty programs or contact professional platforms to order the organization of this security testing process. When companies run their own bug bounty programs, then their total cost equals the sum of financial remuneration paid to ethical hackers for revealed vulnerabilities. Depending on the severity of the bug detected, the remuneration paid to independent researchers may range between a few hundred USD and a few thousand USD while for very critical vulnerabilities this figure may be even much higher. The cost of running a bug bounty program on professional platforms varies among vendors. Also, apart from paying ethical hackers for detected bugs, companies have to cover subscription and bug fees. In most cases, the total budget of a bug bounty program for a middle-sized entity starts from $10,000-$20,000. However, companies are free to determine the level of financial remuneration provided to researchers for detecting different types of vulnerabilities. For a better understanding of the bug bounty program pricing mechanism, you may view the subscription plans of one of the leading bug bounty platforms – HackenProof. Whatever the subscription plan you select, the cost of a bug bounty program for an entity is much lower compared to possible financial penalties imposed under HIPAA for the organization’s failure to guarantee the ultimate protection of patients’ information.