July 3, 2025
Are you ready for the improved HIPAA requirements for penetration tests?
By Chris Cronin, partner at HALOCK Security Labs and chairman of the DoCRA Council
We strongly recommend an annual penetration test for any organization with an internet presence. Also known as a pen test, it simulates a cyber attack to discover and exploit weaknesses in your network, applications, Wi-Fi or other systems.
Keep in mind that the threats are not only external; there is also what is considered the internal threat. Internal penetration tests are just as necessary.
This type of testing simulates the attack you could face from an unscrupulous insider, such as a disgruntled employee or contractor abusing the access they were legitimately given.
Why perform pen tests?
We also recommend hiring a third party with expertise in the latest penetration testing techniques. Think of it as hiring an ethical hacker to break into your digital infrastructure before the bad guys do. Advantages of performing a pen test include:
- Identifying exploitable vulnerabilities
- Validating security controls
- Keeping pace with evolving threats
Although a single pen test is invaluable, it should not be treated as a one-off event. Regular pen tests are needed to keep pace with evolving threats, discover new vulnerabilities introduced by system changes, validate the effectiveness of security controls and maintain continuous compliance with industry standards.
A new incentive for pen testing
If your organization is subject to HIPAA compliance, you may soon have a regulatory incentive to test regularly. On December 27, 2024, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) announced a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule. Some of the details include the following:
- Penetration tests would be required at least once every 12 months and must be performed by qualified professionals with appropriate cybersecurity expertise.
- Pen tests must simulate real-world cyber attacks to identify exploitable weaknesses in systems that create, receive, maintain or transmit electronic protected health information (ePHI).
The frequency of penetration tests would increase where a risk analysis determines it is necessary. The proposed rule would also require technical controls, such as regular patching and vulnerability management, for which penetration tests serve as an important validation method.
New requirements for incident response plans
Every organization operating digitally today needs a well-constructed incident response plan (IRP) to guide its response and recovery efforts after an attack. The HIPAA proposal also contains requirements for responding to security incidents. Some of the proposed requirements include:
- Establish written security incident response plans and procedures that document how workforce members are to report suspected or known security incidents and how the regulated entity will respond to them.
- Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
- Implement written procedures for testing and revising the written security incident response plans.
Current HIPAA obligations
As things stand, the current HIPAA requirements do not explicitly mandate penetration tests. Although HIPAA requires organizations to have incident response plans, the existing rules allow considerable flexibility for each organization to tailor its incident handling approach to its unique risks, size and resources.
Under the proposal, organizations would be required to adopt a formalized, fully documented incident response plan that clearly defines roles and responsibilities, outlines escalation procedures and mandates thorough post-incident assessments. This shift is intended to standardize incident response practices and ensure a consistent, proactive approach.
When do the new requirements come into effect?
The proposed update to the HIPAA Security Rule was published in the Federal Register in January 2025, and the public comment period closed on March 7, 2025. HHS is now reviewing and evaluating the submitted comments and will then publish the final rule in the Federal Register. Until that happens, the current Security Rule remains the binding requirement.
The proposed changes also include additional requirements, such as vulnerability scanning at least every six months and mandatory multi-factor authentication (MFA).