Internal & External Penetration Testing

Internal & External Penetration Testing

Many organizations make assumptions regarding the security and integrity of their IT systems and network without ever confirming that these assumptions are valid. 

Oftentimes it is not until an actual security incident exposes security risks and tests the response capabilities, and by then it is too late to prevent damage to the organization.

Penetration testing, also sometimes referred to as ethical hacking, is terminology used by members of the information technology security community to describe an authorized assessment that simulates the activities a hacker or malicious insider might carry out.

Such testing provides the closest thing to real-life attack scenarios.

Ethical hacking is security testing where a “white hat” ethical hacker poses as a “black hat” bad guy hacker to identify weaknesses in the security features of an application, system, or network. Performing a penetration test can help identify the current state of an organization’s security posture and actual technical risk exposures to support the prioritization of remediation activities.

A common misconception is that a vulnerability scan is the same as a penetration test. A white hat hacker will run a vulnerability scan to identify potential security gaps and then will attempt to exploit those vulnerabilities. A vulnerability scan on its own is insufficient to uncover risks.

Assessment Methodology

Meditology’s certified ethical hackers conduct assessments using tools tested in healthcare environments to uncover security exposures that could lead to a data breach. The engagement team simulates a wide range of real-life scenarios to mimic the perspective of an uninformed outside hacker.

Typical assessments consist of several phases where each phase builds upon the previous phase:

Internal & External Penetration Testing

A typical penetration testing assessment may take several weeks to complete depending on the size of the organization and includes both external (malicious outsider) and internal (malicious insider) testing assessments.

Meditology provides a detailed report outlining the tests conducted, the security weaknesses exposed, and corrective actions.

External Penetration Testing

External penetration testing examines the external systems for any weakness that an attacker could use to disrupt the confidentiality, availability or integrity of the network. Meditology conducts external penetration testing from the viewpoint of an outside attacker (from the Internet) exploiting a weakness in the security of a public-facing network or application.

An external penetration test involves both vulnerability scanning and manual testing to determine what information your organization is exposing to the outside world.

The external assessment can simulate:

•   A hacker targeting systems from the Internet
•   A competitor or foreign entity targeting your organization

Internal Penetration Testing

Internal penetration testing examines the security surrounding internally connected systems, typically within a corporate network.

An internal assessment involves finding and exploiting actual known and unknown vulnerabilities from the perspective of an inside attacker or someone with physical or logical access to the internal network. An internal assessment attempts to breach the target as a user with varying levels of access.

The internal assessment can simulate:

•   A malicious employee or malevolent contractor
•   A hacker who gains physical access to a network port or computer

How Often Should We Conduct a Penetration Test?

There are really no specific rules regarding when and how often an organization should conduct a penetration test. Testing frequency is based on many factors such as regulatory compliance obligations, the value of the information needing protection, the objectives and type of security problem under assessment, major changes to the environment, the size of the organization, and the type of support and budget for these activities.

You can use the following guidelines to determine how frequently to conduct penetration testing:

•   If you have never conducted a penetration test and want to protect valuable assets, conduct a comprehensive test as soon as possible.
•   If you have conducted your first penetration test, plan to conduct penetration tests annually or after any major infrastructure change.
•   If a penetration test identifies critical vulnerabilities, retest after remediation is complete.
•   If you conduct a security risk assessment, conduct a penetration test at the same time.
•   If you want to address specific security concerns, schedule targeted penetrations tests either quarterly or semiannually.


  • Ranked #1 Best in KLAS for Cybersecurity Advisory Services in 2019 and 2020
  • HIPAA expert witness firm for OCR
  • Experienced CISOs and Privacy Officers
  • Dedicated to healthcare
  • Hundreds of clients coast to coast
  • Advisors to ONC / HHS