
Are You Prepared for the Enhanced HIPAA Necessities for Penetration Testing? 



By Chris Cronin, partner, HALOCK Security Labs and chair of the DoCRA Council

We strongly recommend an annual penetration test if your organization is connected to the internet. Also called a pen test, this is where you simulate a cyber attack to find and exploit weaknesses in your network, application, Wi-Fi, or system.

Be aware, however, that while you have external threats, you also have what are regarded as internal ones. Internal penetration testing is just as necessary.

This type of testing simulates the kind of attack you could face from an unscrupulous insider, such as a disgruntled employee or contractor who would misuse their privileges.

Why Conduct Pen Testing? 

It is generally recommended that you hire a third party with expertise in the latest penetration testing techniques. Think of it as hiring an ethical hacker to break into your digital infrastructure before the bad guys do. Some of the benefits of conducting a pen test include:

  • Identify exploitable vulnerabilities
  • Validate security controls
  • Keep pace with evolving threats

Although a pen test by itself is invaluable, it shouldn't be looked at as a one-time event. Regular pen testing is required to keep pace with evolving threats, uncover new vulnerabilities introduced by system changes, validate the effectiveness of security controls, and ensure ongoing compliance with industry standards.

A New Incentive for Pen Testing 

If your organization is responsible for HIPAA compliance, you will have another incentive to begin regular pen testing. That's because on December 24, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify HIPAA. Some of the details include the following:

  • Tests must be conducted by qualified professionals with appropriate cybersecurity expertise.
  • Pen tests must simulate real-world cyberattacks to identify exploitable weaknesses in systems that create, receive, maintain, or transmit electronic protected health information (ePHI).

The frequency of penetration testing may be increased if a risk analysis determines it is necessary. The proposed rule would also require technical controls such as regular patching and vulnerability management, with penetration testing serving as a key validation method.

New Requirements for Incident Response Plans

Every digital organization today must have a well-crafted incident response plan (IRP) to guide its response and recovery efforts for an attack. The new proposal for HIPAA also includes guidance for responding to security incidents. Some of the proposed requirements include:

  • Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
  • Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
  • Implement written procedures for testing and revising written security incident response plans.

Current HIPAA Obligation

As of right now, current HIPAA requirements do not mandate pen testing. While HIPAA does require organizations to have incident response plans in place, the existing rules allow considerable flexibility that lets each organization tailor its incident response approach based on its unique risks, size, and resources.

Under the proposal, organizations would be required to adopt a formalized, fully documented incident response plan that clearly defines roles and responsibilities, outlines escalation procedures, and mandates thorough post-incident reviews. This shift aims to standardize incident response practices and ensure a consistent, proactive approach.

When Will the New Requirements Take Effect?

The updated HIPAA Security Rule was released in January 2025 and the public comment period closed on March 7, 2025. The Department of Health & Human Services (HHS) is now processing and evaluating the submitted comments and will subsequently issue the Final Rule in the Federal Register.

The proposed changes include additional requirements as well, such as bi-annual vulnerability scans and multi-factor authentication (MFA) requirements.
