• Home
  • /Learn
  • /Do You Need A Pentest to Be HIPAA Compliant?
background image


Do You Need A Pentest to Be HIPAA Compliant?


Ransomware attacks are on the rise, presenting grave risks to healthcare organizations. In June 2021, 19 healthcare data breaches of 10,000 or more records occurred; 6 of the top 10 big breaches of 2021 have been confirmed as ransomware attacks. 

Earlier this month, a large-scale ransomware attack on a healthcare system hit closer to home. The Newfoundland and Labrador healthcare system was hit with what is being coined as the worst cyberattack in Canadian history and has had severe consequences to national security. The cyberattack delayed thousands of appointments and procedures. 

Attacks to healthcare systems are becoming a regular occurrence:

  • In May, June, July 2021, the reported healthcare data breaches were approximately 500. 

  • June 2021 witnessed an 11% increase in reported breaches than May 2021 did, with 70 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. It was the highest number of monthly cases since September 2020; the average used to be 56 breaches each month in 2020. 

Most of the victims of ransomware attacks reported by healthcare organizations were third-party vendors, which highlights the need for strong measures to protect your information. An ideal way to ensure this is by conducting a pentest — an important review to become HIPAA (Health Insurance Portability and Accountability Act) compliant. 

Safety Measures Needed as per the HIPAA Compliance

HIPAA  requires covered entities to implement security safeguards that ensure the integrity, confidentiality and availability of their electronically protected health information (ePHI). ePHI is any protected health information you create, store, transmit or receive in an electronic format. 

Administrative safeguard is a HIPAA requirement healthcare organizations must implement. It is broken into a series of standards, one of which is the evaluation standard to check the efficiency of your implemented security plans and procedures.

What is HIPAA Penetration Testing?

Under the evaluation standard, covered entities must implement ongoing monitoring and technical evaluation. One important method used in technical evaluation for HIPAA compliance is HIPAA penetration testing.

HIPAA penetration testing is aimed at identifying a covered entity’s security weaknesses and vulnerabilities. The participating authority reviewing HIPAA compliance permits a qualified analyst to access its networks. The analyst then carries out penetration testing to simulate the actions of a malicious hacker.

Penetration testing involves the controlled, supervised hacking of your networks, applications and other security components. Once the testing is complete, the tester will provide you with the results, detailing the weaknesses and vulnerabilities of your security environment.

What Kinds of Penetration Testing Can You Perform?

Penetration testing consists of both internal and external penetration testing. Internal penetration testing is done within your organization’s network. It is carried out on the assumption that a malicious hacker has gained access to your internal network. In contrast, an external penetration test simulates the possible actions of an external hacker. Its purpose is to reveal how a remote attacker can access your internal network. 

So, deploying both these tests is vital to ensure the safety of health records handled by covered entities and your facilities.

With reports from both these tests, you can establish multi-layered security controls so that your secure network blocks a malicious attack at every level.

Is Penetration Testing Mandatory for HIPAA Compliance?

HIPAA  does not specifically mention that penetration testing is needed to be HIPAA compliant. But the act says that all covered entities must perform a security risk analysis, which highlights the importance of evaluating risks and vulnerabilities that threaten the security of patient and provider information handled by you. 

Moreover, healthcare organizations should have access, audit, integrity, authentication and transmission security controls under HIPAA to protect their data from cyberattacks. 

Here, penetration testing is an ideal way to verify compliance because it helps implement ongoing monitoring and technical evaluation methods to enhance the effectiveness of your security controls.


Hackers are naturally drawn to the wealth of personal information healthcare records contain, such as insurance information, relationship data, social security numbers, payment processing details, etc. Consequently, healthcare service providers need to lock their networks and systems down to ensure HIPAA compliance and protect electronically protected health information (ePHI). Packetlabs can help you with its expertise to make your work easy and affordable!

We have worked with many organizations in the healthcare sector and have helped them become HIPAA compliant by conducting customized penetration tests. Get in touch with us to crack HIPAA compliance affordably. We are happy to discuss how our penetration testing services can help you succeed and remove the roadblocks potential cyberattacks present.