Does HIPAA require penetration testing?

When it comes to protecting sensitive health data, most organizations know that HIPAA compliance is non-negotiable. But what exactly does compliance look like?

One common question many organizations have is whether HIPAA requires penetration testing. The answer is nuanced. While HIPAA doesn’t explicitly mandate pen testing, it strongly encourages security evaluations that often include it. And proposed changes may soon make it a formal requirement.

In this blog, we’ll explore how penetration testing fits into HIPAA compliance, what current and future rules say, and what a solid testing program should look like.

HIPAA Security Rule & the Risk Assessment Mandate

The HIPAA Security Rule is the foundation for safeguarding electronic protected health information (ePHI). It requires covered entities and business associates (healthcare organizations, health insurers, and any other service that processes, transmits, or uses ePHI) to conduct ongoing risk assessments to ensure the confidentiality, integrity, and availability of sensitive data.

While penetration testing isn’t explicitly required by HIPAA, the rule mandates regular technical and non-technical evaluations of security controls. This means organizations must test whether their safeguards are actually working, which is where penetration testing comes in.

Penetration testing simulates real-world cyberattacks to identify vulnerabilities that could expose ePHI. As such, it’s widely recognized as a best practice and often becomes a crucial part of meeting HIPAA’s broader risk assessment requirements.

What is a penetration test?

A penetration test evaluates your networks, systems, and web applications to find where security vulnerabilities exist and how likely those vulnerabilities are to be exploited. Essentially, an ethical hacker attempts multiple ways of gaining unauthorized access to your systems, to demonstrate how a threat actor might be able to breach your organization’s defenses.

Why penetration testing matters for HIPAA compliance

Even without a direct mandate, HIPAA penetration testing is recommended for multiple reasons:

  • Demonstrates due diligence: Healthcare regulators expect organizations to go beyond checkboxes. Penetration testing shows you’re proactively identifying and addressing real-world security threats.
  • Supports HIPAA safeguards: Testing helps validate your administrative, physical, and technical controls to make sure they’re working as intended to protect ePHI.
  • Enhances incident readiness: Penetration testing uncovers weaknesses before malicious actors do, reducing the risk of data breaches and costly fines.
  • Builds a stronger audit trail: A documented penetration test provides evidence of compliance efforts, which can be vital during audits or investigations.

Proposed HIPAA rule changes: What’s coming?

While penetration testing is currently a best practice, that status may soon change. In late 2024, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) that suggests several new technical requirements, including:

  • Mandatory annual penetration testing
  • Vulnerability scanning every six months (twice a year)
  • Use of multi-factor authentication (MFA)
  • Enhanced incident response planning

These updates reflect a growing acknowledgment of today’s evolving threat landscape. Healthcare is one of the most targeted industries for cybercrime, and the government is responding accordingly.

It’s important to note that these rules are not yet final. The public comment period closed in March 2025, and the finalized requirements are pending. However, many organizations are already preparing by implementing these practices now.

HIPAA penetration testing guidelines

We don’t yet know exactly what the HIPAA penetration testing requirements would involve if the proposed rule changes come into effect. However, there are general best practices for implementing a penetration testing program that all organizations should consider for HIPAA compliance.

Scope definition

In a classic penetration test (typically once a year), a well-defined testing scope is essential. This is where you’ll want to specify HIPAA obligations, as well as your testing objectives. As part of the preparation process, you will also need to gather and provide relevant information like the types of ePHI your organization has, its locations, and how it’s currently protected.

In general, the testing scope may include:

  • Internal and external networks
  • Web applications
  • APIs and cloud services
  • Connected medical devices (IoT)
  • Social engineering (e.g. phishing simulations)

Qualified testers

Use experienced professionals certified in penetration testing and cybersecurity (e.g. CEH, OSCP). Ideally, they should also have a good understanding of the healthcare threat landscape.

Methodology

Effective testing should simulate real-world attack scenarios. For example:

  • Exploitation of vulnerabilities
  • Privilege escalation
  • Lateral movement across systems
  • Data exfiltration simulations

Detailed reporting

The results should be delivered in a clear report that includes:

  • Executive summary for leadership
  • Technical findings with risk ratings
  • Recommended remediation steps
  • Evidence of successful or failed exploits

PTaaS: A modern approach to HIPAA penetration testing

Traditional annual penetration testing is a good first step, but it can leave gaps in coverage. Penetration-Testing-as-a-Service (PTaaS) has been designed to avoid this, maximizing security and compliance through automated pen tests conducted through a SaaS delivery model. This is especially helpful for agile healthcare organizations that manage web applications and need continuous and real-time vulnerability checks.

Outpost24’s PTaaS solution combines automated scanning with high-quality manual testing to identify common software vulnerabilities and logical errors in real time, for faster remediation. The solution can help ensure your organization’s ePHI cannot be exploited by malicious actors.

PTaaS offers:

  • Continuous or on-demand testing
  • Integration with CI/CD pipelines
  • Real-time dashboards and alerts
  • Automated ticketing and remediation workflows

How can I make sure my organization is HIPAA compliant?

As organizations become more reliant on technology, the importance of protecting ePHI grows. Healthcare data is highly valuable, and new systems, applications, and processes could mean additional attack vectors and vulnerabilities. Worryingly enough, our analysis of America’s top healthcare providers found that 90% of the web applications used by these organizations were susceptible to attack or vulnerability exposure.

HIPAA may not explicitly demand penetration testing – yet – but it clearly requires ongoing evaluations of your security posture. Penetration testing is one of the most reliable and effective ways to meet those expectations. And with proposed new rules on the horizon, now is the time to prepare.

Want to see how Outpost24’s PTaaS solution can help with HIPAA penetration testing compliance? Sign up for a free live demo today.

About the Author

Beth Grayson, Content Editor, Outpost24

Beth is a cybersecurity writer based in the UK, with 3+ years’ experience writing about B2B and technology topics.