HIPAA's new Security Rule proposal raises the bar for penetration testing

The U.S. Department of Health and Human Services (HHS) is moving closer to making annual penetration testing a formal HIPAA requirement.

What happened

According to Vocal Media, the U.S. Department of Health and Human Services (HHS) intends to make annual penetration testing mandatory under proposed updates to the HIPAA Security Rule. The proposal would elevate penetration testing from a recommended cybersecurity best practice to a formal compliance obligation for covered entities and business associates that create, receive, maintain, or transmit electronic protected health information (ePHI).

The proposed rule would require organizations to conduct annual penetration testing alongside other security measures, including vulnerability assessments, multi-factor authentication (MFA), encryption, and enhanced oversight of vendors and business associates. The changes are part of HHS's broader effort to strengthen healthcare cybersecurity in response to the growing number and severity of cyberattacks targeting the sector.

The backstory

The proposed penetration testing requirement originates from the U.S. Department of Health and Human Services' (HHS) Notice of Proposed Rulemaking (NPRM) released in January 2025. The proposal seeks to modernize the HIPAA Security Rule, which was last substantially updated more than a decade ago, to address today's cybersecurity threat landscape.

HHS introduced the NPRM following a series of major cyberattacks affecting the healthcare sector, including ransomware incidents that disrupted patient care and exposed sensitive health information. The agency noted that healthcare organizations continue to be prime targets for cybercriminals because of the value of medical records and the critical nature of healthcare services.

Under the proposed rule, several security safeguards that were previously considered "addressable" would become mandatory. These include requirements for encryption, multi-factor authentication (MFA), vulnerability scanning, network segmentation, and annual penetration testing. HHS has stated that the goal is to establish a stronger baseline of cybersecurity across the healthcare industry and reduce the likelihood of breaches that could compromise electronic protected health information (ePHI).

If finalized, the NPRM would mark one of the most significant revisions to the HIPAA Security Rule since it was first implemented, shifting the regulation toward more prescriptive cybersecurity requirements and placing greater emphasis on proactive testing and validation of security controls.

Go deeper: HHS proposes updated HIPAA security rule

Going deeper

The proposal expands the expected scope of penetration testing far beyond traditional network assessments. According to the analysis, healthcare organizations will need to evaluate a broad range of systems that interact with ePHI, including:

  • Electronic health record (EHR) systems and clinical applications
  • Patient portals and telehealth platforms
  • Connected medical devices
  • Cloud environments and infrastructure
  • Internal networks
  • Third-party vendor and business associate connections

The article also stresses the distinction between vulnerability assessments and penetration testing. Vulnerability scans identify known weaknesses such as missing patches or misconfigurations, while penetration tests simulate real-world attacks to determine whether those weaknesses can be exploited in practice. Regulators increasingly view both activities as necessary components of a mature cybersecurity program.

The push for stronger testing requirements comes amid a growing wave of healthcare cyberattacks. According to the article, more than 7,400 large healthcare breaches have been reported to OCR since 2009, affecting over one billion patient records. The 2024 Change Healthcare ransomware attack alone impacted approximately 192.7 million individuals.

In the know

Penetration testing, often called a “pen test,” is a simulated cyberattack carried out by cybersecurity professionals to identify and exploit vulnerabilities in a system before malicious actors can take advantage of them. The goal is not to cause harm, but to safely test how secure an environment really is under real-world attack conditions and to highlight weaknesses that may not be visible through standard security checks.

Why it matters

The proposed rule signals a shift away from HIPAA's historically flexible approach toward more prescriptive cybersecurity requirements. The requirement applies to HIPAA-covered entities, including healthcare providers and health plans, as well as their business associates. This includes any organization that creates, receives, maintains, or transmits electronic protected health information (ePHI), meaning that both direct care providers and supporting vendors within the healthcare ecosystem are expected to meet these security expectations.

If the rule is finalized, healthcare organizations will need to demonstrate not only that security controls exist, but also that those controls are regularly tested and that the testing is documented.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

How could the proposed changes affect healthcare organizations?

Healthcare organizations may face increased scrutiny of their HIPAA compliance programs, including risk analyses, risk management activities, security safeguards, workforce training, and breach response procedures.

What should organizations prioritize after this announcement?

Key priorities include updating risk analyses, strengthening cybersecurity controls, ensuring workforce training is current, and reviewing incident response and breach notification procedures.