23 Jul
How does a pentesting engagement change under HIPAA?
I am an intermediate pentester who will soon be conducting an engagement with a hospice. This is my first engagement with a network where HIPAA is involved, and I am researching how this may affect my statement of work. My research so far has only turned up Google-SEO-optimized copywriting garbage, but I will keep looking. How is the workflow different from a pentest with no HIPAA-protected information?
- Can I still use tools such as nmap or popular GitHub scripts such as WinPEAS/LinPEAS? These are technically third-party scripts that I haven't read the source code of (even though I trust them).
- Are there certain common actions I am forbidden from doing? Are there extra actions I need to make sure I do?
- Are there any important changes in operation that I haven't described here?
I know this isn't official legal advice.