Are You Prepared for the Enhanced HIPAA Necessities for Penetration Testing? 


By Chris Cronin, partner, HALOCK Security Labs and chair of the DoCRA Council

We strongly recommend an annual penetration test if your organization is on the internet. Also called a pen test, this is where you simulate a cyber attack to find and exploit weaknesses in your network, application, wifi, or system.

Note, however, that in addition to external threats you also face internal ones. Internal penetration testing is just as necessary.

This type of testing simulates the kind of attack you might get from an unscrupulous insider, such as an unhappy employee or contractor who would misuse their privileges.

Why Conduct Pen Testing? 

It is generally recommended that you hire a third party with expertise in the latest penetration test methods. Think of it as hiring an ethical hacker to break into your digital infrastructure before the bad guys do. Some of the benefits of conducting a pen test include:

  • Identify exploitable vulnerabilities
  • Validate security controls
  • Keep pace with evolving threats

Though a pen test by itself is invaluable, it shouldn't be looked at as a one-time event. Regular pen testing is required to keep pace with evolving threats, uncover new vulnerabilities introduced by system changes, validate the effectiveness of security controls, and ensure ongoing compliance with industry standards.

A New Incentive for Pen Testing 

If your organization is responsible for HIPAA compliance, you have another incentive to begin regular pen testing. That's because on December 24, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify HIPAA. Some of the details include the following:

  • Tests must be conducted by qualified professionals with appropriate cybersecurity expertise.
  • Pen tests must simulate real-world cyberattacks to identify exploitable weaknesses in systems that create, receive, maintain, or transmit electronic protected health information (ePHI).

The frequency of penetration testing may be increased if a risk analysis determines it is necessary. The proposed rule would also require technical controls such as regular patching and vulnerability management, with penetration testing serving as a key validation method.

New Requirements for Incident Response Plans

Every digital organization today must have a well-crafted incident response plan (IRP) to guide its response and recovery efforts in the event of an attack. The new proposal for HIPAA also includes guidance for responding to security incidents. Some of the proposed requirements include:

  • Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
  • Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
  • Implement written procedures for testing and revising written security incident response plans.

Current HIPAA Obligations

As of right now, current HIPAA requirements do not mandate pen testing. While HIPAA does require organizations to have incident response plans in place, the current rules allow considerable flexibility that lets each organization tailor its incident response approach based on its unique risks, size, and resources.

Under the proposal, organizations would be required to adopt a formalized, fully documented incident response plan that clearly defines roles and responsibilities, outlines escalation procedures, and mandates thorough post-incident reviews. This shift aims to standardize incident response practices and ensure a consistent, proactive approach.

When Will the New Requirements Take Effect?

The updated HIPAA Security Rule was released in January 2025 and the public comment period closed on March 7, 2025. The Department of Health & Human Services (HHS) is now processing and evaluating the submitted comments and will subsequently publish the Final Rule in the Federal Register.

The proposed changes include additional requirements as well, such as bi-annual vulnerability scans and multi-factor authentication (MFA) requirements.
