Blue Goat Cyber

The HIPAA Penetration Testing Checklist for Healthcare Organizations

HIPAA Penetration Testing

Healthcare organizations have unique cybersecurity requirements. At the top of this list is HIPAA compliance when handling PHI (protected health information). Developing and maintaining a robust defense posture is only possible by continuously testing it, and the foundation for that testing is penetration testing. Pen testing is a proactive way to thwart cyberattacks. Before you start your first or next one, you’ll want to review this HIPAA penetration testing checklist.

In this post, we’ll look at the requirements and best practices for HIPAA penetration testing and provide you with a checklist to keep the focus on the most crucial security measures.

Is Penetration Testing a Requirement of HIPAA?

HIPAA does not explicitly name penetration testing as a requirement for compliance. HIPAA standard 164.308(a)(8), however, does require periodic assessments of IT networks and systems to help healthcare providers prevent cyberattacks. A penetration test is considered a periodic assessment and goes a long way in proving due diligence and due care for anyone handling PHI.

Penetration testing can heighten your awareness of vulnerabilities. As a result of a pen test, you can quickly remediate these things. So, while it’s not a defined procedure, adopting it is a calculated way to safeguard PHI.

How Penetration Testing Keeps Your Healthcare Organization More Secure

The objective of penetration testing is for ethical hackers to uncover weaknesses and security gaps. A simulated attack on your network, carried out as realistically as possible, delivers an abundance of insights into the health of your cybersecurity processes and defenses.

The framework of your pen test can be Black Box, Gray Box, or White Box. Here are the differences.

  • Black Box Penetration Testing, also known as Opaque Box: Hackers have no information about internal system structure and look for any areas to exploit.
  • Gray Box Penetration Testing, also known as Semi-Opaque Box: Testers have some context relating to the target system, such as code, algorithms, data structure, or credentials. Those carrying out the exercise create test cases based on the architectural diagram of the system.
  • White Box Penetration Testing, also known as Transparent Box: Testers have access to systems and artifacts, such as source code and containers. They can often reach the servers that run the network directly.

Every pen test, no matter the type, is distinct, and the methods used vary widely. A HIPAA penetration test adds nuances aligned with compliance requirements. Within HIPAA, three rules define the protocols.

The HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect the medical records and PHI of individuals. It requires specific safeguards to maintain the privacy of this data. It also limits how you can use and disclose the data without authorization. The rule provides context on these permitted cases and when individuals need to give permission.

Another critical part of the rule is that it gives people rights over their PHI and the ability to review it. The rule also defines to whom HIPAA applies, in three categories: health plans, healthcare providers, and healthcare clearinghouses.

In terms of pen testing, your process should align with checking and ensuring data remains private and only used in permissible ways.

The HIPAA Security Rule

The HIPAA Security Rule expands the scope of Privacy Rule protections. Its main points involve ensuring the confidentiality, availability, and integrity of PHI. One mandatory component under this rule is developing risk management capabilities. To meet this requirement, you may undergo a HIPAA security risk analysis.

HHS (Health and Human Services) OCR (Office for Civil Rights), whose duty is to enforce HIPAA, offers guidance on a security risk analysis. It has five major points:

  • Assessment of potential risks and vulnerabilities relating to the confidentiality, integrity, and availability of ePHI (electronic PHI)
  • Regular reviews of how an organization is complying with HIPAA
  • Identifying how an organization creates, receives, maintains, and transmits ePHI
  • Determining how third parties and vendors with access to ePHI create, receive, maintain, and transmit ePHI
  • Defining all the threats relating to data security, including human (internal and external), natural (hurricanes, flooding, earthquakes, etc.), and environmental (physical and cyber)

The Security Rule also defines administrative, physical, and technical safeguards. This part of HIPAA is the one you can most align with pen testing. With its many checks and evaluations, pen testing is essential for compliance.

Breach Notification Rule

The third part of the rule framework is the Breach Notification Rule. It differs from the previous rules because it outlines what you must do if a security incident results in a PHI breach. It specifies what your response must be in terms of notification, which includes the following:

  • Individual notice: You must advise any parties impacted by a breach within 60 days.
  • Secretary notice: You must notify the HHS Secretary of the breach within 60 days.
  • Media notice: If the breach affects more than 500 people, you must disclose this to media outlets within 60 days.

A pen test will reveal what could lead to a data breach. In your simulation, you can test out your workflows for breach notifications. Doing so will provide clarity into any issues in the process.

These three rules offer guardrails on how to remain secure and compliant. With pen testing, you can meet the requirements and go beyond the minimum. Now it’s time to build your checklist.

Optimizing Pen Tests for HIPAA Rules

Before revealing the HIPAA penetration testing checklist, there are a few more holistic points. The pen test performed should align with the Privacy Rule and Security Rule. Here are some topics to discuss with pen testers.

  • Request a focus on specific types of PHI within your network during the reconnaissance and planning phase.
  • Emphasize the need for testers to strategize how they’ll compromise it, which should involve multilayered attacks.
  • Maintain that the HIPAA pen test should isolate and define how the hacker’s attack patterns break the Privacy Rule and Security Rule requirements.
  • Ask for information on what traces and trackers hackers may leave behind after they withdraw for later re-entry. This data will support how you comply with the Breach Notification Rule.
  • Convey that the report provided post-pen test should review the findings relevant to the HIPAA rules and feature measures you should take to patch up these vulnerabilities.

Now, it’s time to create your checklist.

HIPAA Penetration Testing Checklist

Here are the major categories that should be on your checklist.

Annual Audits and Assessments: What Have You Conducted and What Did You Learn?

Before a pen test, you should note what required audits, per HHS OCR, you’ve completed that year. Those include HIPAA security risk assessments and audits of security and privacy standards, assets and devices, and physical sites.

Addressing what you already know from these audits will be crucial in getting the most out of your pen test:

  1. It will discern if you’ve made appropriate fixes from remediation plans.
  2. The test offers you more context on a specific issue.
  3. It will assess the quality of your audits.

Choosing a Pen Test: Access and Types

As defined above, there are three ways for hackers to carry out pen tests. In the case of a HIPAA penetration test, you’ll likely choose Gray Box, providing the testers with some information. They’ll need this to align what and how they test with HIPAA rules.

As for the type of pen test, you can focus on areas in your IT infrastructure, including web applications, network security, and cloud security. All three of these areas are going to interact with ePHI. You can also test IoT security if that applies to your organization. Social engineering is another option.

Vendor and Business Associate Facets

A pen test identifies issues in your digital footprint, and part of that footprint is where you exchange or transmit data with your vendors and business associates. With the increase in supply chain attacks, your pen test should evaluate these interactions. You’ll gain insight into your side of the exchange: whether there are problems you can remediate yourself, and whether you need to notify the other party about concerns.

Defining a Persistent Presence

In the maintain-access phase of a pen test, the testers will attempt to stay in and create a persistent presence. This is important because real cybercriminals want to achieve the same thing so they can either control your data through ransomware or keep coming back for more valuable data without your knowledge. Understanding how a persistent presence can be established helps you fortify your monitoring program.

The Results: How Will You Remediate?

The end of a pen test comes with a detailed report. It includes the identified vulnerabilities, how the testers obtained, extracted, or manipulated ePHI, and how long they could remain undetected. This valuable information will be the foundation of your remediation plan. The firm that performs your pen test can support you in developing a plan to remedy the problems and define when to retest.

Learn More About HIPAA Compliance Pen Testing

This checklist provides you with parameters to consider during a pen test. The organization you hire to hack you should follow these and more. Additionally, working with a firm specializing in HIPAA will deliver the best results. Blue Goat Cyber offers healthcare pen testing with years of experience and expertise.

Learn more about our pen test services and how to get started.
