Strictly speaking, HIPAA does not require penetration testing, nor does it require a vulnerability scan. It does, however, require a risk assessment to evaluate your security posture, and that assessment is often performed as part of a pen test.
Beyond this, several consulting and compliance organizations have published recommendations to help you achieve compliance. For example, NIST has issued a “special recommendation” for HIPAA that states, “conduct trusted penetration testing of the effectiveness of security controls in place, if reasonable and appropriate. This validates your exposure to actual vulnerabilities.” While this is not a requirement, it does push for pen testing as a way to meet the requirements of HIPAA.
Does HIPAA require annual penetration testing?
HIPAA does not specify how often you should conduct a pen test, or even that you should conduct one at all. That being said, it is in your best interest to conduct a yearly penetration test to best understand your risk posture. You must test and evaluate your security controls at least once per year, and doing this via a pen test is a great way to ensure you meet the HIPAA requirements.
In addition to penetration testing services, many organizations (including us here at CYBRI) recommend regular vulnerability scanning. We recommend performing scans at least quarterly, if not more frequently, to minimize the risk of a security breach.
If you have vulnerabilities, you want to address them as soon as possible, and frequent scans help you find them before someone uses them to break into your company.
What Does HIPAA Require for Cybersecurity?
Per the standards outlined by HHS (quoted below from HHS.gov), the following must be followed to be compliant:
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes.
The security rule’s risk analysis and management provisions are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.
A risk analysis process includes, but is not limited to, the following activities:
- Evaluate the likelihood and impact of potential risks to e-PHI;
- Implement appropriate security measures to address the risks identified in the risk analysis;
- Document the chosen security measures and, where required, the rationale for adopting those measures; and
- Maintain continuous, reasonable, and appropriate security protections.
While the security standards do not explicitly mention pen testing and vulnerability scanning, both are strongly implied, and both help you meet the requirements outlined above.
CYBRI’s Risk Analysis for HIPAA Compliance
To help you meet your compliance needs for HIPAA, we have developed an annual program focused on analyzing and preventing your cyber risk. Here’s an overview of the program.
- Annual pen test of the internal and external environment
- Quarterly vulnerability scanning of the internal and external environment
- Phishing tests for employees with access to sensitive data
- Data exfiltration simulation and DLP assessments
- Data spillage and leakage review of non-HIPAA areas, looking for accidentally misplaced data
Cybersecurity is becoming increasingly important in today’s digital world, and the number of cyber attacks has been growing exponentially over the years. We believe it will continue to do so.
Contact us today to discover if you need protection.