HIPAA penetration testing & security risk assessment.
Security testing and risk analysis for covered entities and business associates handling electronic protected health information (ePHI).
What HIPAA actually requires.
The HIPAA Security Rule doesn't currently name "penetration testing" as a line-item requirement — but it does require covered entities and business associates to conduct a thorough risk analysis, implement risk management, and perform periodic technical evaluation of their safeguards. In practice, that technical evaluation is where penetration testing and vulnerability assessment fit in, and it's what most healthcare organizations' auditors expect to see as evidence.
That's changing. Proposed updates to the Security Rule (published for comment in January 2025) would make penetration testing an explicit requirement — at least once every 12 months, performed by a qualified party, or more frequently if your organization's own risk analysis calls for it. Whether or not that rule finalizes as written, the direction is clear: documented, recurring technical testing is becoming the expectation, not just a best practice.
The administrative safeguards standard at §164.308(a)(5) specifically calls for security awareness and training — including periodic security reminders and a documented training program. If your organization also carries a HITRUST CSF certification or a SOC 2 Type II report, the access-control, audit-logging, and system-monitoring criteria in those frameworks overlap significantly with what HIPAA already expects technically.
How this maps to what we do.
IT Audits
A structured review of access controls, encryption, and configuration against the safeguards the Security Rule requires — the technical half of a HIPAA risk analysis.
Penetration Testing
Manual testing of systems that touch ePHI, producing the kind of documented evidence auditors and, increasingly, regulators expect to see.
Phishing & Awareness
Healthcare is one of the most targeted industries for phishing. Simulated campaigns show where training actually needs to happen.
Mapped to the specific controls.
HIPAA §164.308(a)(5)
A timestamped record of every training campaign, per-employee result, and remediation action — the security-awareness-training evidence the administrative safeguards standard expects your program to produce.
HITRUST CSF
Role-gated access to sensitive results, with every read logged, maps directly to the access-control and audit-logging control references HITRUST assessors check against.
SOC 2 Type II (CC7.2)
The same append-only, tamper-resistant action log doubles as the system-monitoring evidence CC7.2 audits request, if your organization is also pursuing SOC 2.
Due for your annual risk analysis?
Tell us your systems and your timeline — we'll scope testing that fits your risk analysis cycle.