
What is CIS Critical Security Control 18 in Healthcare?

CIS Critical Security Control 18 in healthcare – often abbreviated to CIS CSC 18, or CIS Control 18 – is the Center for Internet Security’s control for identifying weaknesses and vulnerabilities in an organization’s networks, devices, systems, and applications via penetration testing. In a healthcare environment, CIS Control 18 can help organizations better defend Protected Health Information against both internal and external threats.

The CIS Critical Security Controls consist of eighteen sets of safeguards designed to resist the most common types of cyberattacks. Each set of safeguards contains up to fourteen recommended best practices depending on the nature of the Control. For example, CIS Control 3 (Data Protection) has fourteen safeguards, whereas CIS Control 18 (Penetration Testing) has just five safeguards.

The eighteen sets of safeguards are not intended to be a security compliance checklist, but rather “the backbone of an effective cybersecurity ecosystem”. The Controls are sufficiently flexible to allow organizations to prioritize different Control sets – or safeguards within Control sets – depending on their business models and the economic, human, and technological resources available to them.

In the healthcare industry, most organizations will already have many of the safeguards implemented in order to comply with the HIPAA Security Rule (i.e., access controls, encryption, incident response procedures, etc.). However, because the HIPAA Security Rule does not require penetration testing, this important security control is sometimes overlooked by healthcare organizations.

What Does Penetration Testing Consist Of?

Penetration testing can take many different formats depending on an organization’s exposure to the Internet. For example, an organization that provides an interactive patient portal which is connected to its EHR systems should conduct more thorough penetration testing than an organization with a minimal web presence. CIS Critical Security Control 18 in healthcare consists of five safeguards:

  • 1: Establish and Maintain a Penetration Testing Program
  • 2: Perform Periodic External Penetration Tests
  • 3: Remediate Penetration Test Findings
  • 4: Validate Security Measures
  • 5: Perform Periodic Internal Penetration Tests

The five safeguards can be used for different purposes. It might be the case that an organization wants to test the resiliency of specific web applications, or use penetration testing to demonstrate system vulnerabilities to decision makers – in which case, repeat penetration testing can also be used to justify (“validate”) the cost of establishing and maintaining a penetration testing program.

In the context of CIS Critical Security Control 18 in healthcare, it is important to understand the difference between vulnerability testing (CIS Control 7) and penetration testing. Vulnerability testing checks for the presence of known weaknesses and stops there. Penetration testing goes further, exploiting those weaknesses to see how far an attacker could get and which processes or Protected Health Information might be impacted as a result.

How to Find Out More about CIS Critical Security Control 18 in Healthcare

Independent penetration testing can provide valuable insights into the existence of weaknesses in the application of the other CIS Controls – or, in the case of healthcare organizations, in the application of implementation specifications to comply with the HIPAA Security Rule. In some cases, penetration testing can also identify process weaknesses such as poor configuration management or security training.

Organizations can find out more about CIS Critical Security Control 18 in healthcare by speaking with a compliance professional in the data security sector. Because penetration testing should be an ongoing exercise, most vendors offering remote penetration testing (PTaaS) are happy to offer a free trial of their software to demonstrate its effectiveness. However, organizations are advised to evaluate several options in their own environment before committing to a long-term subscription.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
