
Strengthening Cybersecurity in Healthcare: Newly Proposed HIPAA Rules to Include Pentesting

29 Jan 2025

New year, new regulations. In late December 2024, the U.S. Department of Health and Human Services (HHS) issued a proposal to modify the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, with the overarching goal of strengthening the cybersecurity programs of healthcare organizations and protecting patient data from malicious adversaries.

The proposal (it is HIPAA, not HIPPA, a misspelling that shows up constantly) introduces several key updates, including enhanced safeguards for electronic protected health information (ePHI). The changes reflect an evolving threat landscape and the need to turn what are today largely "addressable" protections into concrete, verifiable security controls that reduce risk.

HHS is accepting comments on the proposed rule. While many of the changes are uncontroversial, any final regulation would need signoff from Trump administration officials, who have so far tapped the brakes on healthcare enforcement.

It’s no secret that the healthcare industry remains a prime target for cyberattacks, and the frequency of incidents is trending upward. According to research by the Ponemon Institute, 92% of healthcare organizations were victims of at least one cyberattack within the past 12 months, up from an already high 88% in 2023.

Healthcare entities store vast amounts of sensitive patient data, including personal information, medical records and financial details. Given this, the importance of having and maintaining a sound and effective security testing program cannot be overstated. 

HIPAA Prescribes a Dose of Pentesting

Under the HIPAA proposal, regulated entities would need to conduct penetration testing of their relevant electronic information systems at least once every 12 months (the same proposal also calls for vulnerability scanning at least every six months). Pentesting is the proactive half of that pairing: rather than enumerating known CVEs, it exercises systems the way an attacker would to find exploitable weaknesses before they are abused. But not all pentesting approaches are created equal, and the choice of approach can be the difference between a finding that gets fixed and a gap that stays open.

Traditional pentesting, think a pair of onsite testers with laptops and a two-week window, has structural limits. It is a point-in-time snapshot: anything deployed, patched or misconfigured after the engagement ends goes untested until the next one. It does not scale to large attack surfaces, so scope is narrowed to a few systems while the rest go unexamined, and the classes of bugs that dominate healthcare breaches, such as remote code execution and SQL injection in externally facing applications, are only found in the applications that happened to be in scope. Two testers also bring two skill sets; the tester who is strong on network infrastructure may not be the one who would spot a subtle authorization flaw in a patient portal, and purely manual methodology leaves room for human error and missed coverage.

According to research conducted by Enterprise Strategy Group (ESG), in partnership with Synack, 75% of respondents said their organizations would consider a switch from traditional pentesting approaches to the new generation of platform-based solutions, like Penetration Testing as a Service (PTaaS). This isn’t surprising, considering how much the security testing industry and cybersecurity threats have evolved over the years. 

PTaaS offers continuous and on-demand pentesting, allowing regular assessment of an organization’s network, applications and systems for vulnerabilities rather than a single annual snapshot. By combining human testers with automation to surface critical vulnerabilities before they can be exploited, PTaaS can reduce the risk of data breaches and security incidents more effectively than a periodic, narrowly scoped engagement.

Compared to traditional pentesting, PTaaS offers faster turnaround times, greater scalability and better cost-effectiveness. Its remote-only nature eliminates the need for on-site personnel, which is particularly useful for organizations with distributed workforces or limited IT resources. PTaaS engagements can also be scoped to the specific needs of each organization, so that testing is aligned with its business objectives and the systems that actually hold ePHI.

For healthcare organizations looking for a more proactive approach, a PTaaS platform is the way to go: it strengthens security posture on an ongoing basis and produces the recurring, documented test results that the proposed HIPAA pentesting requirement would call for.

Choosing the Right Pentesting Partner

Material updates to the HIPAA Security Rule are likely on the way, with the comment period closing on March 7, 2025.

Regardless of how the Trump administration approaches the rulemaking, pentesting supports HIPAA compliance by proactively identifying vulnerabilities that could lead to ePHI breaches and by verifying that technical safeguards such as access control and encryption are actually working as intended, not just documented as in place. Pentest findings feed directly into the risk analysis and risk management activities the Security Rule already requires, and a regular, documented testing cadence demonstrates due diligence, which matters when a breach investigation or audit asks what the organization knew and when.

The Synack PTaaS Platform is here to help with HIPAA compliance. If you’re interested in learning more about our offensive security testing capabilities, request a demo.