Ethical Analysis in Penetration Testing

With the development of generative AI, cyber attacks on infrastructure have increased significantly in recent years. For sensitive infrastructure, especially in public medical institutions, penetration testing is becoming more and more important. In healthcare, penetration testers must pursue system security without endangering the patients and institutions they aim to protect. Ethical testing depends on informed authorization, proportional thoroughness, and respect for privacy and operational safety. The balance therefore lies in maximizing vulnerability discovery while minimizing patient risk, privacy breaches, and legal or ethical violations.

First, testers should respect the privacy of both patients and institutions. Patient data is sensitive, and mishandling it breaks trust and ethics even during testing. The 2016 St. Jude Medical case, in which the cybersecurity firm MedSec publicly announced pacemaker vulnerabilities through a hedge-fund partnership for financial gain and without proper disclosure [@elizastricklandExpertQuestionsClaim2016], illustrates how security testing that ignores ethics and patient privacy can cause public panic and distrust despite unproven risks. The premature public disclosure endangered patients who still relied on unpatched devices, which could be exploited to cause real harm. Because the researchers prioritized exposure and profit over coordination, both patient safety and the company’s reputation were threatened. Therefore, ethical penetration testing in healthcare requires strict confidentiality agreements and coordinated disclosure, balancing transparency against reputational ethics.

Apart from jeopardizing reputation and privacy, testers should avoid real harm and prioritize patient safety and operational continuity. Over-aggressive testing can cause real downtime and threaten patient safety. One scenario is a password brute-force test in which multiple client systems lock many employees’ accounts after repeated failed login attempts, creating a denial-of-service situation. If such a scenario occurred in a hospital’s electronic health record (EHR) system, clinicians might lose access to patient data mid-treatment, likely harming patients through wrong treatment. Therefore, ethical testers must avoid real damage by actively communicating with system administrators to prevent service downtime. However, shallow or incomplete testing can also cause harm indirectly by leaving vulnerabilities unpatched. In the 2018 SingHealth data breach, 1.5 million patient records, including the Prime Minister’s, were stolen because of unpatched systems and a delayed security response [@committeeofinquiryintothecyberattackonsinghealthsitsystemPublicReportCommittee2019]. Shallow testing exposes patients to the long-term risk of a data breach. Thus, professional testing must also avoid the harm caused by inaction.

Testers should test only within the authorized scope. Even good intentions cannot justify unauthorized access or alteration. In the FreeHour ethical hacking case, students discovered vulnerabilities and emailed the company asking for a “bug bounty”, but they were arrested [@danieltihnWeWantedHelp2023]. Although no harm was done, unauthorized testing is still intrusion once it exceeds the authorized scope; the same holds in medical infrastructure, where authorization and consent are essential. In a healthcare setting, the regulatory framework amplifies the duty to respect consent boundaries. The HIPAA Privacy and Security Rules require that access to electronic Protected Health Information (ePHI) be both authorized and consented to. Access without explicit consent violates the Privacy Rule [@u.s.departmentofhealth&humanservicesSummaryHIPAAPrivacy]. This framework resonates with the FreeHour case, where unapproved testing was treated as intrusion, highlighting that in medical contexts authorization is not just procedural but an ethical and legal necessity. Therefore, testers must treat the authorization scope as their bottom line, not as a technical gray area.

In addition to the regulatory framework, the Common Vulnerabilities and Exposures (CVE) list and the Common Vulnerability Scoring System (CVSS) help testers prioritize fixes ethically according to severity, exploitability, and impact on safety. CVE identifiers record known vulnerabilities, while CVSS quantifies their severity. By aligning testing depth with CVSS-rated severity, testers can distribute remediation resources effectively to reduce risk to patients and institutions without compromising operational safety.

To conclude, ethical penetration testing balances rigor with responsibility. Testers should respect privacy, avoid harm so as to preserve patient safety and system continuity, and test within scope to ensure legality.


Works Cited

Committee of Inquiry into the Cyber Attack on SingHealth’s IT System. Public Report of the Committee of Inquiry (COI) into the Cyber Attack on SingHealth’s IT System. Government of Singapore, 2019, https://file.go.gov.sg/singhealthcoi.pdf.

Daniel Tihn. “’We Wanted to Help’: Students Arrested after Exposing FreeHour Security Flaw.” Times of Malta, 12 Apr. 2023, https://timesofmalta.com/article/we-wanted-help-students-arrested-exposing-freehour-security-flaw.1024757.

Eliza Strickland. “Expert Questions Claim That St. Jude Pacemaker Was Hacked.” IEEE Spectrum, 2 Sept. 2016, https://spectrum.ieee.org/were-pacemakers-from-st-jude-medical-really-hacked.

U.S. Department of Health & Human Services. Summary of the HIPAA Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. Accessed 6 Oct. 2025.