We strongly recommend an annual penetration test for any company with an internet presence. Also known as a pen test, it is a simulated cyber attack that discovers and exploits weaknesses in your network, applications, wireless infrastructure, or systems. Keep in mind that threats are not only external. Internal penetration testing is just as important: it simulates the attack you could face from an unscrupulous insider, such as a disgruntled employee or contractor who misuses the access they have already been granted.
Why Conduct Pen Testing?
We also recommend hiring a third party with expertise in current penetration testing techniques. Think of it as hiring an ethical hacker to break into your digital infrastructure before the bad guys do. Some of the benefits of conducting a pen test include:
- Identify exploitable vulnerabilities
- Validate security controls
- Prevent costly breaches
- Enhance your Incident Response Plan (IRP)
- Keep pace with evolving threats
Although a single pen test is invaluable, it shouldn’t be treated as a one-time event. Regular pen testing is needed to keep pace with evolving threats, uncover new vulnerabilities introduced by system changes, validate the effectiveness of security controls, and maintain ongoing compliance with industry standards.
A New Incentive for Pen Testing
If your organization is subject to HIPAA, you may have another incentive to begin regular pen testing. On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule. Some of the details include the following:
- Penetration testing must be implemented at least once every 12 months.
- Tests must be performed by qualified professionals with appropriate cybersecurity expertise.
- Pen tests must simulate real-world cyberattacks to identify exploitable weaknesses in systems that create, receive, maintain, or transmit electronic protected health information (ePHI).
The frequency of penetration testing may be increased if a risk analysis determines it is necessary. The proposed rule would also require technical controls such as regular patching and vulnerability management, with penetration testing serving as a key validation method.
New Requirements for Incident Response Plans
Every organization that operates online needs a well-crafted incident response plan (IRP) to guide its response and recovery efforts when an attack occurs. The HIPAA proposal also includes requirements for responding to security incidents. Some of the proposed requirements include:
- Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
- Establish written procedures to restore certain relevant electronic information systems and data within 72 hours of their loss.
- Implement written procedures for testing and revising written security incident response plans.
Current HIPAA Obligation
Today, the HIPAA Security Rule does not explicitly require penetration testing. It does require organizations to have incident response procedures in place, but the existing rule allows considerable flexibility, letting each organization tailor its incident response approach to its own risks, size, and resources. Under the proposal, organizations would be required to adopt a formalized, fully documented incident response plan that clearly defines roles and responsibilities, outlines escalation procedures, and mandates thorough post-incident reviews. This shift aims to standardize incident response practices and ensure a consistent, proactive approach.
When Will the New Requirements Take Effect?
The proposed update to the HIPAA Security Rule was published in the Federal Register in January 2025, and the public comment period closed on March 7, 2025. The Department of Health and Human Services (HHS) is now reviewing the submitted comments and will subsequently issue a Final Rule in the Federal Register.
Additional Changes to Prepare for
The proposed changes include additional requirements as well, such as vulnerability scanning at least every six months and mandatory multi-factor authentication (MFA). To stay ahead of these changes, contact HALOCK Security Labs. Our HIPAA experts can help you understand what’s coming and guide you in planning and implementing the new requirements.