Are You Prepared for the Enhanced HIPAA Requirements for Penetration Testing?
By Chris Cronin, partner, HALOCK Security Labs and chair of the DoCRA Council

We strongly recommend an annual penetration test if your organization is on the internet. Also referred to as a pen test, this is where you simulate a cyberattack to discover and exploit weaknesses in your network, applications, Wi-Fi, or systems.

Note, however, that while you have external threats, you also have what are considered internal ones. Internal penetration testing is just as necessary.

This type of testing simulates the kind of attack you could get from an unscrupulous insider, such as an unhappy employee or contractor who would misuse their privileges.

Why Conduct Pen Testing?

It is also recommended that you hire a third party with expertise in the latest penetration testing techniques. Think of it as hiring an ethical hacker to break into your digital infrastructure before the bad guys do. Some of the benefits of conducting a pen test include:

  • Identify exploitable vulnerabilities
  • Validate security controls
  • Keep pace with evolving threats

Although a pen test by itself is invaluable, it should not be looked at as a one-time event. Regular pen testing is required to keep pace with evolving threats, uncover new vulnerabilities introduced by system changes, validate the effectiveness of security controls, and ensure ongoing compliance with industry standards.

A New Incentive for Pen Testing

If your organization is responsible for HIPAA compliance, you will have another incentive to begin regular pen testing. That is because in late December 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule. Some of the details include the following:

  • Tests must be conducted by qualified professionals with appropriate cybersecurity expertise.
  • Pen tests must simulate real-world cyberattacks to identify exploitable weaknesses in systems that create, receive, maintain, or transmit electronic protected health information (ePHI).

The proposed rule calls for penetration testing at least once every 12 months, and the frequency may need to be increased if a risk analysis determines it is necessary. The proposed rule would also require technical controls such as regular patching and vulnerability management, with penetration testing serving as a key method of validating that those controls actually work.

New Requirements for Incident Response Plans

Every digital organization today must have a well-crafted incident response plan (IRP) to guide its response and recovery efforts when an attack occurs. The new HIPAA proposal also includes requirements for responding to security incidents. Some of the proposed requirements include:

  • Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
  • Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
  • Implement written procedures for testing and revising written security incident response plans.

Current HIPAA Obligations

As of right now, current HIPAA requirements do not explicitly require pen testing. While HIPAA does require organizations to have incident response plans in place, the current rules allow considerable flexibility, permitting each organization to tailor its incident response approach to its unique risks, size, and resources.

Under the proposal, organizations would be required to adopt a formalized, fully documented incident response plan that clearly defines roles and responsibilities, outlines escalation procedures, and mandates thorough post-incident reviews. This shift aims to standardize incident response practices and ensure a consistent, proactive approach.

When Will the New Requirements Take Effect?

The proposed update to the HIPAA Security Rule was published in the Federal Register in January 2025, and the public comment period closed on March 7, 2025. The Department of Health and Human Services (HHS) is now processing and evaluating the submitted comments and will subsequently issue the Final Rule in the Federal Register.

The proposed changes include additional requirements as well, such as vulnerability scanning at least every six months and multi-factor authentication (MFA) requirements.
