Penetration Testing: A HIPAA Must, Not a Threat to Patient Privacy

Cybercrime against healthcare systems and providers is on the rise. These malicious attacks drive up costs for healthcare companies through ransom demands for stolen patient data, lawsuits, and disruption of crucial services. In 2024, the average cost to American healthcare companies per cyber breach reached a world-leading $9.48 million per breach, more than double the global average.

Still, many in the healthcare industry are concerned that certain cybersecurity services, such as penetration testing, could interfere with protected health information (PHI) and jeopardize their compliance with the Health Insurance Portability and Accountability Act (HIPAA). This is a dangerous misconception. In fact, this year the Office for Civil Rights of the Department of Health and Human Services proposed significant changes to the HIPAA Security Rule that would make annual penetration testing a requirement. Specifically, the updated HIPAA Security Rule states:

  • Regulated entities are required to periodically test their electronic information systems for vulnerabilities.

  • Penetration testing must be carried out every 12 months, or in accordance with the healthcare entity’s risk analysis, whichever is soonest.

  • Penetration tests must be done by “qualified person(s),” defined as someone with “appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality, integrity, and availability of ePHI.”

WarCollar’s penetration testing approach for HIPAA-regulated environments emphasizes patient safety, regulatory compliance, and protection of PHI. We execute all engagements under a Business Associate Agreement, strictly limit scope to approved systems, and design our methodology to minimize risk to production systems while still identifying vulnerabilities. All testing data is encrypted, stored securely, and reported using HIPAA-compliant safeguards. Our reports map findings to the HIPAA Security Rule and National Institute of Standards and Technology (NIST) standards, ensuring remediation recommendations directly support regulatory compliance and improved patient data security.


Contact us today to set up a call to discuss your organization’s needs and concerns for protecting patient privacy.




Cate Urban

I founded Urban Web Renovations after 11 years of leading global marketing strategies for nonprofit organizations in Washington, DC. In each position I held, one thing remained the same – my passion for managing web sites and social media accounts for both organizations and major thought leaders.
