HIPAA and Penetration Testing: When and How to Test Your Security
Penetration testing answers a question a risk analysis on paper cannot: if a real attacker targeted your network today, would your safeguards actually hold? For healthcare organizations, that distinction matters. A Security Risk Analysis identifies where ePHI lives and what could go wrong; a penetration test attempts to exploit those weaknesses under controlled conditions to show whether they are genuinely exploitable. HIPAA does not name penetration testing as a required activity by those exact words, but it sits squarely inside the “evaluation” and “risk analysis” obligations that the Security Rule does require.
Where penetration testing fits under HIPAA
Two Security Rule provisions create the expectation. The risk analysis standard at 45 CFR § 164.308(a)(1)(ii)(A) requires an accurate assessment of risks and vulnerabilities to ePHI, and the evaluation standard at § 164.308(a)(8) requires periodic technical and non-technical evaluation of how well your safeguards meet the rule. A penetration test is one of the strongest forms of technical evaluation available, and it directly feeds the risk analysis with evidence rather than assumption. The key distinction healthcare teams often blur: a vulnerability scan automatically lists known weaknesses, while a penetration test has a skilled human attempt to chain those weaknesses into actual access to ePHI. Both have value; only the latter proves exploitability.
When to test
Good practice is to penetration test at least annually and after any significant change — a new EHR module, a network redesign, a major vendor integration, a merger, or a move to new cloud infrastructure. Many organizations alternate: external testing of internet-facing systems and internal testing that simulates a compromised workstation or a malicious insider. Web application testing matters for patient portals and any system exposed to the internet. The cadence should be driven by what your risk assessment says about your most sensitive systems, with the highest-risk environments tested most often.
How to test responsibly
Because a penetration test deliberately probes systems that hold ePHI, scope and authorization have to be controlled. Define the scope and rules of engagement in writing, and ensure any third-party tester that could encounter PHI signs a business associate agreement. Prefer testing against a representative non-production environment where feasible, and require the tester to handle and dispose of any data securely. Most important is what happens after: a penetration test only satisfies HIPAA’s intent if the findings drive documented remediation. An unaddressed report of an exploitable flaw is worse than no test, because it proves the organization knew and did not act.
The proposed 2026 Security Rule update
The proposed update to the HIPAA Security Rule, published as a Notice of Proposed Rulemaking in December 2024, would make this expectation explicit. It proposes requiring regular vulnerability scanning and penetration testing on a defined cadence, along with mandatory encryption, multi-factor authentication, and a current asset inventory. The rule is not final — it remains a proposal, and if a final rule is published, organizations would have a 240-day window to comply. Establishing a documented testing program now means the practice — and the evidence — will already be in place.
How Medcurity helps
Medcurity helps healthcare organizations connect testing to compliance — documenting how penetration test and scan findings flow into the Security Risk Analysis and risk management plan, and tracking remediation to closure in one guided platform. Pricing is $499/year (about $42/month) for a single organization, and larger organizations can request a quote. The result is an audit-ready record that you not only tested your defenses but acted on what the test revealed.
Frequently asked questions
Does HIPAA require penetration testing?
HIPAA does not name penetration testing in those exact words, but the risk analysis and periodic evaluation standards effectively require you to test whether your safeguards work. Penetration testing is a widely recognized way to meet that obligation, and the proposed 2026 update would make it explicit.
What is the difference between a vulnerability scan and a penetration test?
A vulnerability scan automatically identifies known weaknesses. A penetration test has a skilled tester attempt to exploit and chain those weaknesses to reach ePHI, proving whether they are genuinely exploitable. Mature programs use both.
How often should a healthcare organization run a penetration test?
At least annually, and after any significant change such as a new system, network redesign, major integration, or merger. Higher-risk, internet-facing systems like patient portals warrant more frequent testing.
Does a penetration tester need a business associate agreement?
If the tester could access, encounter, or handle PHI during the engagement, yes — a business associate agreement is required, along with a defined scope and rules of engagement that protect patient data throughout the test.