HIPAA sets the baseline for protecting electronic protected health information (ePHI) in the United States. But as ransomware, cloud misconfigurations, exposed APIs, and third-party access risks continue to affect healthcare environments, policies and questionnaires are no longer enough. Healthcare organizations need practical evidence that their safeguards work under realistic attack conditions.
The risk is measurable. IBM’s 2025 Cost of a Data Breach Report found that healthcare remained the most expensive industry for data breaches for the 14th consecutive year, with an average cost of $7.42 million per breach and an average of 279 days to identify and contain incidents. In the U.S., the average breach cost across all industries reached a record $10.22 million.
Recent incidents show why this matters. In July 2025, Change Healthcare notified OCR that approximately 192.7 million individuals had been impacted by its ransomware attack. Yale New Haven Health reported a 2025 breach affecting about 5.6 million people, Episource reported one affecting 5.4 million people, and Blue Shield of California disclosed a tracking-related privacy breach affecting up to 4.7 million individuals.
This guide explains whether HIPAA requires penetration testing, how the proposed 2026 HIPAA Security Rule updates could change expectations, what systems should be in scope, what a HIPAA pentest report should include, and how penetration testing supports a broader healthcare cybersecurity and compliance strategy.
UPDATE – May 2026: On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through OCR, issued a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule and strengthen cybersecurity protections for ePHI. The proposed rule would require automated vulnerability scanning at least every 6 months and penetration testing at least every 12 months, or more frequently when required by the organization’s risk analysis.
As of this update, HHS states that the current Security Rule remains in effect while the rulemaking process continues. RegInfo lists the rule under RIN 0945-AA22 in the Final Rule Stage with a projected final action in May 2026. Healthcare organizations should monitor the final rule closely and prepare now, but should avoid treating proposed text as final legal language until HHS publishes the final rule.
This article is for educational purposes and is not legal advice. Healthcare organizations should consult qualified legal counsel for interpretations of HIPAA compliance.
Does HIPAA require penetration testing?
HIPAA does not explicitly designate penetration testing as a standalone requirement under the Security Rule currently in effect. However, HIPAA requires regulated entities to protect the confidentiality, integrity, and availability of ePHI, to identify and protect against reasonably anticipated threats, and to perform regular technical and non-technical evaluations of their security safeguards.
A HIPAA penetration test can support the risk analysis, risk management, evaluation, access control, audit control, transmission security, and information system activity review expectations set forth in the HIPAA Security Rule.
The proposed HIPAA Security Rule update would significantly change this. The proposed vulnerability management standard would require regulated entities to conduct automated vulnerability scans at least every six months and perform penetration testing at least once every 12 months, or in accordance with the organization’s risk analysis, whichever is more frequent.
Two Security Rule standards are directly relevant here: Evaluation (§ 164.308(a)(8)), which calls for periodic technical and non-technical evaluations of how well security policies and procedures protect ePHI, and Information Access Management (§ 164.308(a)(4)), which governs how access to ePHI is authorized and established. NIST Special Publication 800-66r2, the NIST guide to implementing the HIPAA Security Rule, lists internal or external penetration testing among the methods for carrying out those evaluations. Such testing produces evidence for the Security Rule’s General Rules (§ 164.306(a)), which require regulated entities to:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures.
In short, HIPAA penetration testing is not explicitly required under the current Security Rule, but it is strongly recommended. If the proposed rule becomes final as drafted, annual penetration testing and semiannual vulnerability scanning would become explicit requirements for HIPAA-regulated entities.
The following table shows how penetration testing supports several HIPAA Security Rule safeguards:
| HIPAA Security Rule section | How penetration testing supports it |
|---|---|
| §164.308(a)(1)(ii)(A) — Risk Analysis | Identifies exploitable vulnerabilities across systems that create, receive, maintain, or transmit ePHI. |
| §164.308(a)(1)(ii)(B) — Risk Management | Validates whether implemented safeguards reduce real-world risk, not just whether they exist on paper. |
| §164.308(a)(4) — Information Access Management | Tests whether access controls can be bypassed through privilege escalation, IDOR, broken authorization, or session abuse. |
| §164.308(a)(8) — Evaluation | Provides technical evidence that security controls have been tested under realistic attack conditions. |
| §164.312(b) — Audit Controls | Checks whether logging and monitoring detect unauthorized access attempts, suspicious activity, and potential data exposure. |
This mapping shows why penetration testing is one of the most practical ways to evaluate HIPAA safeguards, even where the current Security Rule does not explicitly require a pentest.
What is HIPAA penetration testing?
HIPAA penetration testing is a specialized cybersecurity assessment focused on systems, applications, infrastructure, APIs, cloud environments, and workflows that create, receive, maintain, or transmit ePHI.
The goal is to simulate realistic attack techniques in a controlled, authorized environment to identify vulnerabilities that could lead to unauthorized access, disclosure, alteration, or disruption of patient data.
A standard penetration test focuses broadly on whether a system can be compromised. A HIPAA penetration test goes further by asking healthcare-specific questions: can one patient read another patient’s record, can a billing user see clinical notes, can a compromised integration or vendor account export records in bulk, and would the audit trail show any of it?
Understanding the basics
Penetration testing, sometimes known as ethical hacking, is a proactive approach to cybersecurity. A penetration test actively seeks weaknesses in an organization’s network, applications, APIs, cloud services, medical devices, and supporting infrastructure.
It does this by testing security controls and emulating real-world attackers’ tactics, techniques, and procedures.
For healthcare organizations, this provides a more realistic understanding of security posture than a policy review or automated scan alone. A vulnerability scan may identify a missing patch. A penetration test can determine whether the missing patch can be exploited to access patient data or to move deeper into the environment.
That distinction matters. Healthcare security teams often deal with limited resources, high availability requirements, legacy systems, clinical workflows, and third-party dependencies. A good pentest helps prioritize what matters most.
Tailoring pentesting to HIPAA requirements
What sets a HIPAA penetration test apart is its focus on healthcare risk.
HIPAA requires covered entities and business associates to implement appropriate administrative, physical, and technical safeguards. Penetration testing primarily supports the technical and operational validation of those safeguards, but it also provides useful evidence for administrative requirements, including risk analysis, risk management, documentation, vendor oversight, and security evaluation.
A HIPAA-focused pentest should consider the systems and workflows where ePHI is most likely to be exposed, including patient portals, EHR and EMR integrations, claims and billing workflows, telehealth systems, cloud storage, APIs, mobile applications, identity providers, support tooling, analytics systems, and third-party vendor connections.
Common areas of scope of HIPAA pentesting
The scope of a HIPAA penetration testing exercise can vary depending on the organization, its architecture, and the flow of ePHI. However, the assessment should focus on systems and workflows where unauthorized access could affect patient data.
Typical areas of scope include:
- Patient portals and web applications that allow patients, clinicians, or administrators to access health information;
- APIs, including FHIR, HL7, billing, claims, lab, scheduling, pharmacy, and third-party integrations;
- Authentication and authorization controls, including SSO, MFA, session management, password reset flows, role-based access control, user provisioning, and deprovisioning;
- EHR, EMR, CRM, billing, claims-processing, and case management systems;
- Cloud infrastructure, databases, storage buckets, backups, containers, serverless environments, and logging pipelines;
- Mobile applications used by patients, clinicians, staff, or care teams;
- Remote access services, VPNs, RDP exposure, identity providers, and administrative portals;
- Medical device networks and connected healthcare technologies;
- Logging, monitoring, alerting, and audit trail controls;
- Data transmission and encryption controls, including TLS configuration, insecure exports, file transfers, and integrations that exchange patient data;
- Business logic flaws that could expose patient records or allow unauthorized workflow manipulation;
- Vendor, support, or business associate access paths into systems containing ePHI.
Medical device cybersecurity deserves specific attention. The FDA issued final medical device cybersecurity guidance in September 2023 and has continued to update it since then. In February 2026, the FDA issued updated guidance on Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions, superseding the June 2025 version.
Healthcare organizations and medical device manufacturers should consider how device cybersecurity, network segmentation, patching, monitoring, and vulnerability management fit into their HIPAA security program.
The role of pentesting in healthcare cybersecurity
Penetration testing is key to identifying potential weaknesses and security vulnerabilities that could compromise healthcare records and put the organization at risk of cyberattacks.
Its importance stems from the HIPAA Security Rule’s requirements for risk assessment and management, which are critical for safeguarding ePHI.
A HIPAA pentest is not only a technical exercise. It helps security, compliance, legal, engineering, and leadership teams understand whether the organization’s safeguards are working as intended.
Addressing the threat landscape
The threat landscape constantly changes, with new risks emerging regularly. Currently, ransomware remains one of the most significant cyber threats to healthcare providers and business associates.
Ransomware incidents can disrupt care delivery, expose sensitive patient information, disable operational systems, and trigger breach notification obligations.
OCR’s April 2026 ransomware settlements show how regulatory scrutiny often focuses on foundational Security Rule expectations: accurate and thorough risk analysis, risk management, access controls, monitoring, and implementation of appropriate technical safeguards.
Penetration testing and vulnerability scans are proactive measures that help healthcare organizations anticipate these threats before attackers exploit them.
By simulating real-world attack scenarios, penetration testing provides a practical assessment of how well an organization’s cybersecurity efforts withstand a real cyberattack.
Comprehensive risk management
Vulnerability discovery and penetration testing go deeper than standard security measures. They test how well security policies, procedures, and controls perform in practice.
For example, a policy may state that users should only access the minimum patient information necessary for their role. A HIPAA pentest can test whether that is true in the application, API, and database layers.
It can uncover horizontal privilege escalation, insecure direct object references, excessive admin permissions, weak session handling, insecure file exports, or workflow flaws that allow one user to access another patient’s records.
This is where penetration testing becomes especially valuable. It does not just identify vulnerabilities. It helps prioritize them based on realistic exploitability, potential exposure of ePHI, and business impact.
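The minimum-necessary check described above is, in practice, an authorization matrix: every role is exercised against every record and the observed response is compared with the documented policy. The script below is an added example, not code from the original article or from any product. The two handlers are hypothetical in-memory stand-ins for a patient-record endpoint (one with the IDOR flaw, one hardened), and the patient records and test accounts are constructed; against a real API the handler would wrap an HTTP call made with each role’s session token.

```python
"""Authorization-matrix check for a patient-record endpoint.

Added example, not code from the original article. The two handlers are
hypothetical in-memory stand-ins for an application under test; against a
real API the handler would wrap an HTTP call made with each role's token.
"""
from dataclasses import dataclass

CLINICAL_FIELDS = {"diagnosis"}  # fields a billing role has no need to see


@dataclass(frozen=True)
class Session:
    user: str
    role: str                       # "patient" | "clinician" | "billing"
    patient_id: str = ""            # patients: id of their own record
    panel: frozenset = frozenset()  # clinicians: records under their care


# Constructed sample records (not real data).
PATIENTS = {
    "p-1001": {"id": "p-1001", "name": "Patient One", "dob": "1980-01-01", "diagnosis": "E11.9"},
    "p-1002": {"id": "p-1002", "name": "Patient Two", "dob": "1975-05-05", "diagnosis": "I10"},
}


def vulnerable_get_patient(session, patient_id):
    """Checks authentication only: any logged-in user can read any record (IDOR / BOLA)."""
    if session is None:
        return 401, None
    record = PATIENTS.get(patient_id)
    return (200, dict(record)) if record else (404, None)


def hardened_get_patient(session, patient_id):
    """Object-level authorization keyed on the caller's relationship to the record,
    plus field-level filtering so the billing role receives the minimum necessary."""
    if session is None:
        return 401, None
    record = PATIENTS.get(patient_id)
    if record is None:
        return 404, None
    if session.role == "patient" and session.patient_id == patient_id:
        return 200, dict(record)
    if session.role == "clinician" and patient_id in session.panel:
        return 200, dict(record)
    if session.role == "billing":
        return 200, {k: v for k, v in record.items() if k not in CLINICAL_FIELDS}
    return 403, None


def expected_status(session, patient_id):
    """The documented access policy the implementation is being checked against."""
    if session is None:
        return 401
    if session.role == "patient":
        return 200 if session.patient_id == patient_id else 403
    if session.role == "clinician":
        return 200 if patient_id in session.panel else 403
    if session.role == "billing":
        return 200
    return 403


def authz_matrix(handler, sessions, patient_ids):
    """Exercise every session against every record and report each deviation
    from policy: a wrong status (broken object-level authorization) or clinical
    fields leaking to a role that should not receive them."""
    findings = []
    for s in sessions:
        who = s.user if s else "anonymous"
        for pid in patient_ids:
            want = expected_status(s, pid)
            status, body = handler(s, pid)
            if status != want:
                findings.append(f"{who} -> {pid}: expected {want}, got {status}")
            elif status == 200 and s.role == "billing" and CLINICAL_FIELDS.intersection(body):
                findings.append(f"{who} -> {pid}: clinical fields returned to billing role")
    return findings


# Constructed test accounts, one per role plus an unauthenticated caller.
SESSIONS = [
    None,
    Session("alice", "patient", patient_id="p-1001"),
    Session("bob", "patient", patient_id="p-1002"),
    Session("dr_lee", "clinician", panel=frozenset({"p-1001"})),
    Session("billing_1", "billing"),
]

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_patient), ("hardened", hardened_get_patient)):
        findings = authz_matrix(handler, SESSIONS, list(PATIENTS))
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", f)
```

Run against the vulnerable handler the matrix reports five findings (three cross-patient reads and two cases of clinical fields reaching the billing role); against the hardened handler it reports none. The point of encoding the policy as `expected_status` rather than reading it off the implementation is that the test then catches both over-permissive and over-restrictive behaviour, and the same matrix can be re-run during remediation validation.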
Ensuring regulatory compliance
The HIPAA Security Rule requires covered entities and business associates to protect ePHI by implementing appropriate safeguards. Penetration testing helps evaluate whether those safeguards are adequate and effective.
A good HIPAA pentest report can also serve as evidence of compliance. It can show that the organization has evaluated technical controls, identified weaknesses, prioritized remediation, and validated fixes.
This does not prove full HIPAA compliance on its own, but it supports a broader compliance program and provides useful evidence for internal governance, customer security reviews, vendor assessments, and audit preparation.
Building patient trust
Patients expect healthcare organizations to protect their most sensitive information. That expectation extends beyond clinical care into every digital system that stores or transmits patient data.
By rigorously testing and improving security posture, healthcare organizations can better protect patient data and reduce the risk of unauthorized access.
A proactive approach to data security can also enhance reputation. It shows patients, partners, customers, and regulators that the organization is not waiting for an incident before taking cybersecurity seriously.
Preparation for a HIPAA pentest
Effective preparation is key to ensuring the success and legal compliance of a HIPAA pentest. Many of the items discussed in this section can also be useful in any security testing program. Before engaging, healthcare providers and their chosen cybersecurity partners must establish foundational agreements. Here’s a step-by-step guide on how to prepare:
Establish legal agreements
- Non-Disclosure Agreement (NDA): Sign an NDA with the pentest provider before sharing any details about the environment. It ensures that architecture documentation, credentials, findings, and any other sensitive information disclosed during the engagement remain confidential.
- Business Associate Agreement (BAA): Under HIPAA, a BAA is required when a business associate (in this case, the penetration testing provider) handles ePHI. This agreement sets forth the responsibilities of each party in protecting patient data. We have written a detailed article on BAA and healthcare pentesting, if you want to learn more.
Definition of objectives and scope
- Setting goals: Clearly define what the penetration test should accomplish, such as uncovering vulnerabilities or assessing compliance with specific HIPAA standards.
- Scoping the assessment: Determine the extent of the testing, focusing on systems, networks, and applications that interact with ePHI.
Selecting the penetration testing team
- Choosing experts: Decide whether to use an in-house team or third-party penetration testing experts. External teams often bring specialized skills and an unbiased perspective.
- Ensuring expertise: The chosen team should have proven experience in penetration testing, understanding the nuances of healthcare technology and protocols, and knowledge about the core aspects of HIPAA compliance.
Coordinating with internal stakeholders
- Informing and aligning teams: Communicate with relevant internal departments about the upcoming pentest. It’s crucial to ensure understanding and cooperation across the organization.
- Clarifying expectations: Discuss the pentest’s purpose, scope, and potential impacts to align expectations and avoid disruptions.
Technical and administrative readiness
- Backing up data: Securely back up all critical data, including ePHI, to prevent potential data loss during testing.
- Compliance and legal considerations: Confirm that the testing activities comply with legal and organizational policies.
Scheduling the test
- Minimizing operational impact: Schedule the assessment to minimize interference with everyday operations, considering potential system performance issues.
- Ongoing testing strategy: Plan regular penetration testing and vulnerability scanning to continuously monitor and improve cybersecurity and remain compliant.
How often should healthcare organizations perform HIPAA penetration testing?
Today, HIPAA does not explicitly define a universal penetration testing frequency under the current Security Rule.
However, annual penetration testing is already a minimum expectation for healthcare organizations, health tech companies, and business associates that handle ePHI. It is also frequently expected by customers, partners, cyber insurers, enterprise buyers, and security frameworks.
The proposed HIPAA Security Rule update would make this expectation more explicit by requiring penetration testing at least every 12 months, or more frequently when required by the organization’s risk analysis.
In practice, healthcare organizations should consider penetration testing:
- At least once per year;
- After major application or infrastructure changes;
- Before launching a new patient-facing system;
- After significant cloud, identity, or network changes;
- After mergers, acquisitions, or vendor changes that affect ePHI;
- After a serious security incident;
- When risk analysis identifies new or increased exposure to ePHI.
Vulnerability scanning should happen more frequently. Under the proposed rule, automated vulnerability scanning would be required at least every 6 months. Many mature organizations scan monthly, weekly, or continuously, depending on the environment.
Understanding the penetration testing process
The penetration testing process in a healthcare context is critical to ensure the security of sensitive patient data and compliance with HIPAA. Each phase of the pentesting process contributes to a thorough evaluation of a covered entity’s security posture. By identifying and addressing vulnerabilities in their systems, covered entities can have more confidence in their security controls regarding safeguarding patient data.
In this section, we discuss a high-level breakdown of the pentest process.
Planning phase
The process begins with careful planning. Here, specific elements of the healthcare organization’s IT infrastructure are identified for testing. This stage involves determining the scope of the test, which may include key systems like patient databases, healthcare apps, and other critical digital tools. It’s about setting clear objectives for the test and ensuring all relevant areas are covered.
Discovery phase
During the discovery phase, testers gather detailed information about the targeted environment. This involves understanding the network layout, software versions, and any known security measures. The goal is to map the healthcare organization’s digital footprint and identify potential weak points that could be exploited.
Attack and penetration phase
The attack phase is where simulated cyberattacks are conducted. Testers attempt to exploit identified vulnerabilities, mimicking the actions of potential hackers. This phase is crucial for assessing the real-world resilience of the organization’s security measures against unauthorized access or ePHI data breaches.
Reporting phase
The process concludes with a comprehensive and technically detailed report. The security testers compile their findings into a comprehensive document, highlighting vulnerabilities, the associated risks and recommendations for improvement. This report is invaluable for healthcare organizations to understand their security gaps and take necessary steps to enhance their defenses.
Healthcare penetration testing must go beyond a generic cybersecurity assessment, incorporating an understanding of the unique technologies, industry jargon and standards such as EHR, DICOM, HL7, and FHIR that underpin the modern healthcare IT ecosystem. This knowledge is vital in maintaining HIPAA compliance and safeguarding the integrity of sensitive health data held by a covered entity.
How much does a HIPAA pentest cost?
A HIPAA penetration test typically costs between $8,000 and $25,000 for a standard engagement covering a healthcare organization’s primary ePHI-handling systems. Small, focused assessments, such as testing a single patient portal or API, may start around $5,000. Comprehensive assessments that cover internal networks, multiple applications, cloud infrastructure, and medical device connectivity can cost over $30,000 in large or complex healthcare environments.
Several factors influence the final cost:
- Number and type of systems in scope: A pentest covering a patient portal, its API, and an admin panel is priced differently from one that also includes internal network testing, cloud infrastructure review, and mobile applications.
- User roles and access levels: Healthcare systems often have complex role hierarchies — patients, clinicians, nurses, billing staff, administrators, support teams, and vendor accounts. Testing authorization controls across more roles requires more time.
- Authentication and integration complexity: Systems that use SSO, MFA, SAML, or federated identity providers require additional testing of the authentication layer. Third-party integrations with EHR, billing, or lab systems expand scope.
- Compliance reporting requirements: If the pentest report needs to serve as evidence for an OCR audit, a HITRUST assessment, or a cyber insurance application, additional reporting effort may be required.
- BAA requirements: If the penetration testing provider will access, handle, or be exposed to live ePHI during testing, a Business Associate Agreement must be executed. This may affect which providers can perform the work and how the engagement is structured.
- Retesting: Most reputable providers include one round of remediation validation. Additional retesting cycles add to the total cost.
At Blaze, HIPAA-focused penetration testing engagements are scoped individually based on the systems, user roles, and compliance requirements involved. For a detailed breakdown of penetration testing pricing across all types of assessments, see our full guide to penetration testing cost.
2026 OCR guidance: hardening, patching and ransomware readiness
OCR’s January 2026 cybersecurity newsletter focused on system hardening and the risks created by unpatched software, insecure configurations, default passwords, unnecessary services, and weak security baselines.
This guidance aligns closely with the value of vulnerability scanning and penetration testing.
Vulnerability scanning helps identify missing patches, obsolete software, and known weaknesses. Penetration testing helps validate whether those weaknesses can actually be exploited and what an attacker could do next.
For healthcare organizations, hardening should include:
- Removing unnecessary software;
- Disabling unnecessary services;
- Changing default passwords;
- Applying secure configuration baselines;
- Patching known vulnerabilities;
- Limiting administrative access;
- Validating that logging and monitoring are working;
- Confirming that exposed services are intentional and protected.
A HIPAA pentest and vulnerability scanning can support this process by showing whether hardening efforts are effective in practice. It can also reveal gaps that are easy to miss in policy reviews, such as exposed admin panels, excessive permissions, weak segmentation, insecure cloud storage, or API authorization flaws.
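Validating that logging and monitoring are working (the hardening item above, and the Audit Controls row in the earlier mapping table) means more than confirming that events are written: someone has to review them for the patterns a pentest would produce. The script below is an added example, not code from the original article or from any named product. It runs two detections over a constructed application audit trail: one user reading many distinct patient records in a short window (record enumeration, the footprint of an IDOR being exploited), and repeated authorization denials from one account (someone probing records they are not entitled to). The log format and sample lines are hypothetical; a real EHR or portal log needs its own parser, but the sliding-window logic carries over unchanged.

```python
"""Information-system activity review over application audit logs.

Added example, not code from the original article. The log format and the
sample lines are constructed for the example; real EHR/portal audit logs need
their own parser, but the two detections carry over unchanged.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample audit trail: a clinician reading two records, a user
# sweeping through six records in under a minute, and a patient account
# probing other patients' records before reading its own.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z user=dr_lee action=READ resource=Patient/p-1001 status=200
2026-03-01T10:00:40Z user=dr_lee action=READ resource=Patient/p-1002 status=200
2026-03-01T10:01:00Z user=nurse7 action=READ resource=Patient/p-2001 status=200
2026-03-01T10:01:10Z user=nurse7 action=READ resource=Patient/p-2002 status=200
2026-03-01T10:01:20Z user=nurse7 action=READ resource=Patient/p-2003 status=200
2026-03-01T10:01:30Z user=nurse7 action=READ resource=Patient/p-2004 status=200
2026-03-01T10:01:40Z user=nurse7 action=READ resource=Patient/p-2005 status=200
2026-03-01T10:01:50Z user=nurse7 action=READ resource=Patient/p-2006 status=200
2026-03-01T10:02:00Z user=bob action=READ resource=Patient/p-1001 status=403
2026-03-01T10:02:05Z user=bob action=READ resource=Patient/p-1003 status=403
2026-03-01T10:02:10Z user=bob action=READ resource=Patient/p-1004 status=403
2026-03-01T10:02:15Z user=bob action=READ resource=Patient/p-1002 status=200
2026-03-01T10:30:00Z user=nurse7 action=READ resource=Patient/p-2007 status=200
"""


def parse_events(text):
    """Parse log lines into dicts with a datetime `ts` and integer `status`, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # in a real review, unparseable lines are worth counting too
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["status"] = int(ev["status"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def sliding_window_alerts(events, key_fn, window, threshold):
    """Per user, keep the keys seen inside `window`; alert once per user when the
    number of distinct keys reaches `threshold`. Returns [(user, distinct_count), ...]."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in events:
        key = key_fn(ev)
        if key is None:
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], key))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {k for _, k in q}
        if len(distinct) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append((ev["user"], len(distinct)))
    return alerts


def _patient_read(ev):
    """Key for successful reads of patient records."""
    if ev["action"] == "READ" and ev["status"] == 200 and ev["resource"].startswith("Patient/"):
        return ev["resource"]
    return None


def _denied(ev):
    """Key for authorization failures, regardless of action."""
    return ev["resource"] if ev["status"] in (401, 403) else None


def analyze(text, window=timedelta(minutes=5), read_threshold=5, deny_threshold=3):
    """Run both detections; thresholds are illustrative and should be tuned per system."""
    events = parse_events(text)
    return {
        "record_enumeration": sliding_window_alerts(events, _patient_read, window, read_threshold),
        "repeated_denials": sliding_window_alerts(events, _denied, window, deny_threshold),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        print(rule, hits or "no alerts")
```

On the sample trail this flags nurse7 for record enumeration (five distinct records within the window) and bob for repeated denials (three distinct records refused), and stays quiet for dr_lee. A useful pentest exercise is to run the same enumeration from the test environment and confirm that the organization’s real monitoring raises an equivalent alert; if it does not, that gap is a finding in its own right even when no record was actually exposed.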
Final remarks
As we’ve explored throughout this guide, penetration testing for HIPAA compliance is a crucial part of a healthcare organization’s cybersecurity strategy, but it is only the beginning: a single piece of a larger effort whose goal is an environment where security is a continuous priority and risk analysis is part of the operational mindset.
Healthcare organizations must recognize that maintaining the confidentiality, integrity, and availability of patient data is not just a regulatory requirement; it’s a critical element of patient care. Regular pentesting, ongoing risk analysis, robust training programs, and a culture of security awareness form a strong defense against the myriad cyber threats facing the healthcare industry today.
By embracing these practices, healthcare providers can ensure compliance with HIPAA, reduce the risk of data breaches, and build a resilient infrastructure that can withstand cyberattacks, including those perpetrated by ransomware gangs. In doing so, healthcare organizations can uphold the trust placed in them by individuals and society, ensuring that sensitive patient health information remains secure and private.
If your organization is planning a pentest to support HIPAA compliance and is looking for a cybersecurity partner, get in touch with our experts.
FAQ
What are HIPAA penetration testing requirements?
The Security Rule currently in effect does not mandate penetration testing by name. It is still strongly recommended as a way to meet the risk analysis and evaluation standards, and the proposed Security Rule update would make annual penetration testing and semiannual vulnerability scanning explicit requirements if finalized as drafted.
What is the HIPAA Security Rule?
The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of the ePHI they create, receive, maintain, or transmit.
How much does a HIPAA penetration test cost?
The cost of a HIPAA penetration test varies, ranging from a few thousand to tens of thousands of dollars, depending on the size and complexity of the healthcare organization’s IT infrastructure and the scope of testing. Typically, reputable pentest providers charge between $250 to $400 per hour.
Is HIPAA penetration testing mandatory in 2026?
HIPAA penetration testing is not yet explicitly mandatory under the current Security Rule. However, the proposed HIPAA Security Rule update would make penetration testing mandatory at least every 12 months if finalized as drafted.
Should a penetration testing provider sign a BAA?
A Business Associate Agreement may be required if the penetration testing provider handles, accesses, stores, processes, or could otherwise be exposed to ePHI.
The need for a BAA depends on the scope and structure of the engagement. Healthcare organizations should evaluate this with legal counsel before testing begins.