Is penetration testing required for HIPAA compliance?

Andrew Hicks, Managing Principal, Coalfire

HIPAA has been around for a while now but it still amazes us that some covered entities and business associates fail to comply with a specific standard requirement:  § 164.308(a)(8) Standard: Evaluation.  This standard requires a covered entity or business associate to perform a periodic technical and nontechnical evaluation.   

In this blog post we’re going to focus our discussion on the technical requirement part of this standard.  The evaluation is supposed to establish the extent to which a covered entity’s (or business associate’s) security policies and procedures meet the requirements of the HIPAA Security Rule.  A question is posed: how does an organization evaluate this requirement without performing specific technical testing?

In the information security arena, ‘technical testing’ is normally defined as performing a vulnerability and/or penetration test.  Plain and simple, we aren’t sure of any other way to determine if technical controls mandated by policies and procedures are appropriately implemented without performing some type of technical evaluation that should include a thorough vulnerability and penetration test.   

To further expand on this topic, this testing should be performed by an independent and credentialed expert.  Many times organizations try to save money or cut corners, believing that their IT departments can perform their own technical testing.  How can an organization accurately identify its security risks if the department responsible for those very controls is the one testing them?

With the increase of hacking attacks in healthcare and the knowledge that ‘wannabe hackers’ can buy their own DIY hacking kits from the ‘dark web’, healthcare organizations can no longer go without performing these types of evaluations.  In fact, security experts recommend that healthcare organizations perform a minimum of quarterly vulnerability tests and annual penetration tests.  Some may be asking, what is the difference between a vulnerability test and a penetration test?

To explain this difference let’s look at an analogy involving a burglar checking out a neighborhood for a house to break into.  A vulnerability test is synonymous with the burglar checking doors and windows to make sure they’re locked.  A penetration test actually begins when the burglar finds an open door (or window) and gains entry into the house.  (It can also start when the burglar decides to break a window and enter the house.)  A penetration test simulates a potential attack on an organization’s network or application environment that a hacker might perform on a targeted organization.

We help our clients see how susceptible their organizations are to a compromise.  Our testing services are different because we provide a great evaluation as opposed to just a good evaluation through:

  • the quality of the analysis
  • our ability to interpret the findings and translate them into business ‘talk’
  • a strong rationale for justifying expenditures to mitigate risks

Let us know if we can help your organization with the most thorough evaluation, a key step in establishing your current security state and bringing you into compliance with the HIPAA regulations.
