
In January of this year, significant changes to the HIPAA Security Rule were proposed by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS).
The proposed update to the HIPAA Security Rule, published in the Federal Register on January 6, 2025, introduces a significant new requirement: all covered entities and business associates would have to conduct penetration testing of their electronic information systems at least once every 12 months. This pen testing requirement is in addition to more than a dozen other proposed changes to the healthcare cybersecurity obligations set out in the Security Rule, including but not limited to:
- Vulnerability scans at least every six months.
- Multi-factor authentication and encryption for ePHI at rest and in transit.
- A documented audit every 12 months.
- A written technology asset inventory and a network map of systems and assets impacting ePHI.
- Recovery procedures to restore affected systems and data within 72 hours of a loss.
- A written risk management plan reviewed yearly.
Of these, the yearly penetration test is the change that will most affect the strategic security planning of healthcare organizations in the year ahead. Penetration testing is an offensive security exercise that finds and validates the attack paths an adversary would actually use; done well, it not only helps organizations comply with HIPAA policy but shifts their cybersecurity strategy from reactive to proactive.
Key Details of the Penetration Testing Requirement
If finalized, the new penetration testing obligations required under the updated HIPAA Security Rule would include the following:
- Regulated entities would be required to periodically test their electronic information systems for vulnerabilities, a practice the rule describes as “commonly referred to as penetration testing.” This applies to business associates, and to government agencies that fit the definition of a covered entity (such as State Medicaid agencies), as well.
- Penetration tests must be done by “qualified person(s),” defined as someone with “appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality, integrity, and availability of ePHI.”
- Penetration testing must be carried out at least every 12 months, or more often if the entity’s risk analysis calls for it, whichever is sooner.
In addition, the proposed implementation specifications for patch management and vulnerability management would require technical controls, including vulnerability scanning and penetration testing, to be carried out as well.
The Rationale Behind the Proposed HIPAA Updates
This update to the HIPAA Security Rule comes after a landmark year of cyberattacks on the industry, an “annus horribilis for healthcare data breaches,” as The HIPAA Journal puts it. The Journal calls 2024 “the worst-ever year in terms of breached healthcare records,” noting that although the number of reported incidents fell slightly year over year (by less than 2%), the number of records breached rose by 64.1%, to 276,775,457 records as of March 19, 2025, or roughly a record for eight in every ten people in the United States.
It is against this backdrop of rapid growth in healthcare cybercrime that the HIPAA changes were proposed. As noted in the Federal Register, “The Department [of Health and Human Services] is concerned by the increasing numbers of breaches and other cybersecurity incidents experienced by regulated entities,” and while States have promulgated new regulations to protect PHI, “none specifically focus on ensuring the security of ePHI and the information systems that create, receive, maintain, or transmit ePHI.”
The proposed technical changes to the Security Rule attempt to close this gap, which matters all the more because Healthcare and Public Health is designated a critical infrastructure sector.
Simplifying with Fortra Penetration Testing
The Department of Health and Human Services concedes that the cost of the proposed mandatory annual penetration tests may be challenging for some, stating that “the Department is aware of the cost implications of this requirement for small and rural health care providers,” and yet the mandate is the same across the board. HHS reasoned that scaling the requirement down to fit limited budgets would lead smaller entities to believe that they could “limit their investment in cybersecurity.”
As a result, if the rule is finalized, healthcare organizations of every size and resource level would be required to perform yearly penetration tests administered by a qualified professional, as outlined by the Department in the proposed changes.
Fortra Core Impact provides penetration testing software to help security teams perform these engagements efficiently and effectively. With this automated, guided pen testing software, even less experienced security administrators can execute industry-standard penetration tests that meet compliance requirements; note that the proposed rule still requires the person running the test to meet its “qualified person(s)” standard, so tooling supports the tester rather than replacing that qualification. Using Core Impact, teams can test their:
- Network Security
- Web Applications
- IoT Security
- Susceptibility to social engineering attacks.
Fortra also offers penetration testing services for those organizations who need to outsource these vital security tests. The services team is staffed with certified professionals who employ the latest testing tactics to root out potential attack paths and exploitable weaknesses.
The proposed changes to the HIPAA Security Rule leave less room for error than ever, pushing healthcare providers of all sizes and types to double down on every aspect of cybersecurity. Adopting a proactive approach with Fortra’s suite of offensive security solutions prepares your healthcare organization for compliance now and for the attacks to come.