How to Choose a HIPAA Network Vulnerability Assessment Vendor
Healthcare vulnerability assessment vendors sell one of three different things under the same name: a scanner that returns a list of CVEs, a penetration test scoped to a single application, or a managed assessment that scopes your environment, interprets the findings, and hands your team remediation with owners and dates. The price gap between them is wide and the deliverables do not compare. This guide covers how to tell which one you are being quoted.
Three things sold as a “vulnerability assessment”
| Self-serve scanner | General penetration test | Managed healthcare assessment | |
|---|---|---|---|
| What you get | A list of CVEs ranked by severity | A point-in-time report of what a tester reached | Scoped findings, PHI impact, remediation with owners and dates |
| Who scopes it | You do | Agreed at kickoff, usually narrow | The scoping is most of the engagement |
| Who interprets it | Your team | The testing firm, at a debrief | The vendor, inside your remediation workflow |
| Evidence for an OCR request | Raw output you assemble | A report you file | Dated findings tied to the Security Risk Analysis |
| Healthcare context | None | Varies by firm | Clinical VLANs, biomedical devices, remote clinics |
| Fits | Teams with a security engineer to read it | Testing one specific application | Hospitals, health systems, multi-site FQHCs |
Five things to make a vendor show you
Every vendor demos well. These are the ones that separate them.
- The scope conversation. Ask what they need to know before they can quote. A vendor who prices off your headcount has not looked at your network. A hospital or multi-site system has clinical VLANs, biomedical devices, guest wi-fi, remote clinics and a data center, each with a different owner and a different tolerance for downtime.
- The deliverable, in front of you. Ask for a redacted sample before you sign. If it is a 200-page export with no owner and no date beside any finding, that is what will arrive.
- What happens to a finding after it appears. At any scale past one building the bottleneck is not the scan, it is routing findings to the people who can fix them. Ask how a finding gets an owner.
- The tie to your Security Risk Analysis. The SRA documents where your program is exposed on paper. The assessment shows where it is exposed in practice. Ask whether both live in one record, or whether reconciling them becomes your job.
- The second cycle. A one-off assessment ages badly. Ask what the next one looks like and whether this cycle’s findings are tracked to closure inside it.
Question four is the one worth pressing. Two vendors, two reports, and one analyst reconciling them by hand is the most common way this work quietly stops being current.
How this gets priced
Assessments in this category are scoped and quoted rather than listed. A 12-person clinic’s network and a multi-facility health system’s network are not the same engagement, and pricing one like the other would be dishonest. Treat a flat number offered before anyone has asked what your environment looks like as a signal about the deliverable.
Medcurity platform pricing starts at $499 per year for the smallest organizations and scales with organization size. The assessment is scoped and quoted alongside it.
A note on the proposed 2026 Security Rule updates
The 2026 updates to the HIPAA Security Rule are proposed and have not been finalized. As proposed, they would introduce explicit technical testing expectations, including annual penetration testing. Planning for that is reasonable. Buying on the basis that the rule already binds you is not, and a vendor who tells you it is in force today is telling you something untrue.
Where Medcurity fits
Medcurity’s Network Vulnerability Assessment is a managed engagement for hospitals, health systems, larger FQHCs and multi-site organizations. We scope it, run it, interpret it, and the findings land in the same remediation Worklist as the rest of your HIPAA program. For organizations running more than one site, we handle the Security Risk Analysis across sites under a single engagement, so the assessment and the analysis stay in one record instead of one copy per facility.
We have supported 1,000+ organizations since 2018, and we hold a 100% OCR Acceptance Rate on the analyses we have submitted to OCR, the HHS Office for Civil Rights.
Two cases where we are not the right answer, and it is better to say so here than on a call. If what you want is a scanner you run yourself every week with an engineer on staff to read it, buy the scanner. If you are a single-employee practice, this work is not scoped for you.
Frequently asked questions
Does HIPAA require a network vulnerability assessment?
Not by name. The Security Rule requires a Security Risk Analysis (45 CFR 164.308(a)(1)(ii)(A)) and periodic evaluation (45 CFR 164.308(a)(8)). It does not name a product, a tool, or a scan frequency. Technical testing is how most organizations produce evidence for the technical half of that analysis once the network grows past a single office.
What is the difference between a vulnerability scan and a vulnerability assessment?
A scan produces a list of vulnerabilities. An assessment adds what each one would mean for PHI if it were exploited, what to fix first, what can safely wait, and who owns it, written down with a date.
Do we need a penetration test as well?
They answer different questions. A penetration test asks how far someone could get. An assessment asks what is exposed across the whole environment and in what order to address it. The proposed 2026 updates to the HIPAA Security Rule would name penetration testing explicitly, and they are not final.
How often should we run a network vulnerability assessment?
HIPAA does not set a number. Most organizations tie the cadence to their Security Risk Analysis cycle and to material changes in the environment, such as opening a facility, moving a data center, or completing an acquisition.
Who should not buy a managed assessment?
Organizations with an in-house security team already running and interpreting scans on their own cadence. For them the managed layer duplicates work they have staffed.
Start a conversation
Tell us what your network looks like and we will come back with a scope. Start a conversation with our team.