Healthcare Penetration Testing: What Every Organisation Handling ePHI Needs to Know

Those numbers aren't abstractions. They represent patients whose medical histories, Social Security numbers, insurance details, and treatment records are now in the hands of criminal organisations. They represent hospitals that diverted ambulances, delayed surgeries, and reverted to paper records for weeks. And they represent a regulatory environment that has decided—definitively—that the era of voluntary cybersecurity best practices in healthcare is over.
The proposed 2026 HIPAA Security Rule update will, for the first time, make annual penetration testing an explicit, mandatory requirement for every covered entity and business associate handling electronic protected health information. The rule is on HHS's regulatory agenda for finalisation in May 2026. Whether you're a hospital system, a health plan, a HealthTech SaaS company, or a business associate processing ePHI, the question is no longer whether to pentest—it's how to do it in a way that actually protects patient data, satisfies OCR, and fits within your operational reality.
This guide covers all of it.
Why 2026 Changes Everything
Healthcare has been the most expensive industry for data breaches for fourteen consecutive years. But three forces are converging in 2026 to make penetration testing not just important but unavoidable.
The proposed HIPAA Security Rule overhaul eliminates the distinction between "required" and "addressable" safeguards—meaning all implementation specifications become mandatory. The rule would require vulnerability scanning at least every six months, penetration testing at least annually, mandatory encryption for ePHI at rest and in transit, a technology asset inventory and network map updated annually, and risk analyses that are written, detailed, and tied to those inventories. HHS has acknowledged the cost implications for small and rural providers but has maintained the requirement applies regardless of organisation size.
OCR enforcement is intensifying. In 2025, OCR launched the third phase of its HIPAA compliance audits, initially targeting 50 covered entities and business associates with risk analysis and risk management as the primary focus. Settlement penalties for risk analysis failures regularly reach hundreds of thousands to millions of dollars. The message is clear: inadequate security testing will be treated as a compliance failure, not just a technical gap.
The threat landscape has become existential. Ransomware attacks on healthcare don't just steal data—they shut down clinical operations. Hospitals have diverted emergency patients. Surgeries have been postponed. Medical records have been inaccessible for weeks. When an attack on a healthcare organisation can directly threaten patient safety, penetration testing isn't a checkbox—it's a duty of care.
The Threat Landscape: What Attackers Target in Healthcare
Understanding what attackers go after helps you scope your testing where it matters most.
Third-party vendors and business associates account for the vast majority of breached records. Over 80% of stolen healthcare records in recent years were taken from third-party vendors, software services, and business associates—not from hospitals directly. The Change Healthcare attack demonstrated how a single compromised vendor can cascade across the entire healthcare system.
Ransomware with double extortion is the dominant attack pattern. Attackers encrypt systems to disrupt operations and simultaneously exfiltrate data to leverage for additional ransom demands. Healthcare organisations face an impossible choice: pay the ransom to restore patient care, or refuse and face prolonged operational disruption and potential data publication.
Phishing remains the most common initial access vector, accounting for the largest share of healthcare breaches. Healthcare workers operate under time pressure, handle complex workflows, and frequently access systems from multiple devices—creating ideal conditions for phishing success.
Connected medical devices represent an expanding and under-tested attack surface. With an average of 6.2 known vulnerabilities per device and 60% of devices running end-of-life software, IoMT (Internet of Medical Things) devices are increasingly targeted as entry points into hospital networks.
HIPAA Penetration Testing: Current Rules and What's Coming
What the Current Rule Requires
The existing HIPAA Security Rule (45 CFR § 164.308) requires covered entities and business associates to conduct an "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI." It also requires a periodic technical and non-technical evaluation of how well security measures meet the Security Rule's requirements.
The current rule does not use the words "penetration testing." However, NIST SP 800-66—the standard reference for HIPAA implementation—names penetration testing as a critical measure for achieving Security Rule protections. And OCR has consistently cited inadequate risk analysis as the most common compliance failure in enforcement actions.
What the Proposed 2026 Rule Would Require
| Requirement | Current Rule | Proposed 2026 Rule |
|---|---|---|
| Penetration testing | Not explicitly mandated | At least every 12 months, by qualified persons |
| Vulnerability scanning | Implied by risk analysis obligation | At least every 6 months |
| Risk analysis | Required, no defined frequency/format | Written, annual, tied to asset inventory |
| Asset inventory | Not explicitly required | Mandatory, updated annually |
| Network map | Not explicitly required | Mandatory, illustrating ePHI movement |
| Encryption | Addressable (can document why not) | Required for ePHI at rest and in transit |
| Addressable safeguards | Can implement, substitute, or document | Eliminated—all specifications required |
The direction is unmistakable: healthcare security testing is moving from flexible and interpretive to prescriptive and mandatory. Organisations that start building their testing programmes now will be ready when the final rule lands.
The Healthcare Attack Surface
Healthcare environments are among the most complex and heterogeneous in any industry. Your pentest needs to cover an attack surface that spans clinical systems, patient-facing applications, cloud infrastructure, connected devices, and an extensive network of third-party relationships.
Electronic Health Records and Clinical Systems
EHR platforms are the central nervous system of healthcare IT. They contain the most sensitive patient data—diagnoses, treatment histories, medications, lab results—and they integrate with virtually every other system in the environment. Testing should cover access controls between clinical roles (can a nurse access records outside their care team?), audit logging and tamper detection, integration points with laboratory, pharmacy, and imaging systems, and the security of any custom modules or extensions your organisation has built.
Patient Portals, Telehealth, and APIs
Patient-facing applications have expanded dramatically since 2020. Portals where patients view records, schedule appointments, and message providers are internet-facing applications that handle ePHI directly. Telehealth platforms process real-time clinical data. APIs connect these applications to backend EHR systems, billing platforms, and third-party services.
Testing should cover the full OWASP Top 10 plus healthcare-specific scenarios: patient record access controls (can patient A view patient B's records by manipulating parameters?), authentication and session management, API endpoint security across all integration points, and data exposure through error messages, API responses, or cached content.
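The two access control questions above (a nurse reading outside their care team, patient A reaching patient B's record by changing a parameter) come down to the same missing check: the handler verifies that the caller is logged in but never verifies that the caller is entitled to the specific object requested. The following is an added illustration, not code from the original article or from Penetrify; the session shape, record store and header names are assumptions, and the patient data is constructed. It places a vulnerable record handler beside a hardened one and runs the same "which ids can this session see?" check over both, which is essentially the test a pentester performs against a staging copy of a portal.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample data: two patients and one record each.
# Record ids are sequential on purpose, as they often are in real portals,
# so a caller can reach a neighbour's record simply by incrementing the id.
RECORDS: Dict[int, dict] = {
    1001: {"patient_id": "pat-A", "diagnosis": "hypertension"},
    1002: {"patient_id": "pat-B", "diagnosis": "type 2 diabetes"},
}

@dataclass
class Session:
    """Authenticated portal session (hypothetical shape for this example)."""
    user_id: str
    role: str  # "patient" or "clinician"
    care_team_patients: List[str] = field(default_factory=list)

AUDIT_LOG: List[str] = []  # stands in for the portal's tamper-evident audit log

def fetch_record_vulnerable(session: Session, record_id: int) -> Optional[dict]:
    """Authentication only: once logged in, the record_id parameter is trusted.
    Any patient can read any record by changing the id (an IDOR / BOLA flaw)."""
    if session is None:
        return None
    return RECORDS.get(record_id)

def fetch_record_hardened(session: Session, record_id: int) -> Optional[dict]:
    """Object-level authorisation: the record's owner must match the session,
    or the caller must be a clinician with that patient on their care team.
    Denials are logged so an enumeration attempt is visible in audit review."""
    record = RECORDS.get(record_id)
    if record is None:
        return None  # same response as a denial, so ids cannot be probed for existence
    owner = record["patient_id"]
    allowed = (
        (session.role == "patient" and session.user_id == owner)
        or (session.role == "clinician" and owner in session.care_team_patients)
    )
    if not allowed:
        AUDIT_LOG.append(f"DENY user={session.user_id} record={record_id} owner={owner}")
        return None
    AUDIT_LOG.append(f"ALLOW user={session.user_id} record={record_id}")
    return record

def records_visible_to(handler: Callable[[Session, int], Optional[dict]],
                       session: Session, ids: Iterable[int]) -> List[int]:
    """Authorisation test: which record ids does this session actually receive data for?
    A patient session should only ever see its own; anything more is a finding."""
    return [rid for rid in ids if handler(session, rid) is not None]

if __name__ == "__main__":
    patient_a = Session(user_id="pat-A", role="patient")
    print("vulnerable handler:", records_visible_to(fetch_record_vulnerable, patient_a, RECORDS))
    print("hardened handler:  ", records_visible_to(fetch_record_hardened, patient_a, RECORDS))
    for line in AUDIT_LOG:
        print(line)
```

The hardened handler returns the same empty response for "does not exist" and "not yours", and writes the denial to the audit log; both details matter in a pentest report, because the first closes an enumeration side channel and the second is what lets the SOC notice a portal user walking through record ids.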
This is the layer where Penetrify delivers the most immediate value for healthcare organisations. The platform's hybrid approach—automated scanning for broad vulnerability coverage combined with manual expert testing for logic flaws, authorisation bypasses, and ePHI exposure scenarios—catches both the common web application issues and the healthcare-specific access control failures that put patient data at risk.
Cloud Infrastructure
Healthcare cloud adoption has accelerated, with EHR systems, data warehouses, analytics platforms, and patient engagement tools increasingly hosted on AWS, Azure, or GCP. Cloud misconfigurations—overpermissive IAM roles, exposed storage containers, insecure service accounts—are among the most common and highest-impact findings in healthcare penetration tests.
The proposed HIPAA rule's mandatory network map requirement underscores the need to understand exactly how ePHI flows through cloud services. A pentest that covers your cloud layer should evaluate IAM policies and privilege escalation paths, storage bucket and blob permissions, network security groups and exposed services, secrets management and credential storage, and cross-account or cross-service attack chains.
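The IAM review described above is mostly a matter of reading policy documents for the patterns that turn a single compromised role into access to every bucket, and for the actions that let a principal widen its own permissions. As an added example (not the article's or Penetrify's code, and not a substitute for a full cloud review), here is a small linter over an AWS-style policy document. The policy, its Sids and the bucket name are constructed for the example; the list of escalation-capable actions is an assumption that a real review would extend.

```python
import json
from typing import List

# Constructed sample policy for an "ePHI export" role that was granted far
# more than it needs. The Sids, bucket name and shape are made up.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadExports", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-ephi-exports/*"},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": "s3:*",
         "Resource": "*"},
        {"Sid": "EscalationPath", "Effect": "Allow",
         "Action": ["iam:PassRole", "iam:CreatePolicyVersion"],
         "Resource": "*"},
    ],
})

# Actions that let a principal grant itself (or something it controls) more
# access. Granted on Resource "*" they are a finding on their own. This list is
# an illustrative subset, not an exhaustive one.
ESCALATION_ACTIONS = {
    "iam:passrole", "iam:createpolicyversion", "iam:setdefaultpolicyversion",
    "iam:attachrolepolicy", "iam:attachuserpolicy", "iam:putrolepolicy",
    "iam:putuserpolicy", "sts:assumerole",
}

def _as_list(value):
    """IAM allows a bare string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json: str) -> List[str]:
    """Return 'Sid: issue' strings for over-permissive Allow statements."""
    policy = json.loads(policy_json)
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        wildcard_resource = "*" in resources
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        if wildcard_resource:
            findings.append(f"{sid}: Resource '*' (every resource, not only the ePHI ones)")
        escalation = sorted(set(actions) & ESCALATION_ACTIONS)
        if escalation and wildcard_resource:
            findings.append(
                f"{sid}: privilege-escalation actions on '*': {', '.join(escalation)}")
    return findings

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Only the tightly scoped ReadExports statement passes; the other two produce the kind of findings (a service-wide wildcard, an unrestricted resource, and a pair of escalation-capable IAM actions) that a cloud pentest would chain into a path from one role to the ePHI buckets. The linter deliberately ignores Condition blocks, so a statement it flags may be narrower in practice; that is a reason to read the flagged statement, not to skip it.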
Penetrify's cloud-native testing covers AWS, Azure, and GCP with testers who understand healthcare-specific cloud patterns—including HIPAA-eligible service configurations, PHI storage segregation, and the architectural patterns common in HealthTech SaaS platforms.
Connected Medical Devices and IoMT
Network-connected infusion pumps, imaging systems, patient monitors, and other IoMT devices create an attack surface that traditional web application testing doesn't address. Many of these devices run outdated operating systems, communicate over unencrypted protocols, and use default credentials that were never changed.
While full IoMT device penetration testing requires specialised hardware and firmware expertise, your pentest should at minimum assess whether medical devices are properly segmented from clinical systems handling ePHI, whether device management interfaces are accessible from untrusted networks, and whether compromising a device could provide lateral movement into systems containing patient data.
Business Associates and Third-Party Risk
Given that the majority of healthcare breaches originate from third-party vendors, your pentest scope should include the integration points between your systems and your business associates' systems. Test how API credentials for third-party services are stored, whether data exchanges with business associates are encrypted, whether webhook endpoints validate message authenticity, and whether a compromise of a third-party integration could provide access to ePHI in your environment.
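The webhook question above ("does the endpoint validate message authenticity?") is one of the quickest integration findings to confirm and one of the cheapest to fix. As an added example that is not part of the original article and not Penetrify's code, here is the receiver-side check a business associate integration should perform: an HMAC-SHA256 signature that also covers a timestamp, a replay window, and a constant-time comparison. The header names, the secret value and the sample event body are constructed for the example; a real secret is loaded from a secrets manager rather than embedded in code.

```python
import hashlib
import hmac
import time
from typing import Mapping, Optional

# Constructed shared secret for the example. In production this value comes
# from a secrets manager (the article's point about how third-party
# credentials are stored), never from source or a committed config file.
SHARED_SECRET = b"example-shared-secret-from-secrets-manager"
MAX_SKEW_SECONDS = 300  # deliveries older than five minutes are treated as replays

def sign(body: bytes, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """Sender side: HMAC-SHA256 over 'timestamp.body', so the timestamp is
    covered by the signature and cannot be adjusted to extend a replay window."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

def verify_webhook(body: bytes, headers: Mapping[str, str],
                   now: Optional[int] = None,
                   secret: bytes = SHARED_SECRET) -> Optional[str]:
    """Receiver side. Returns None when the delivery is genuine, otherwise a
    short rejection reason suitable for logging (never echoed to the sender)."""
    now = int(time.time()) if now is None else now
    ts_header = headers.get("X-Example-Timestamp")
    sig_header = headers.get("X-Example-Signature")
    if ts_header is None or sig_header is None:
        return "missing signature headers"
    try:
        ts = int(ts_header)
    except ValueError:
        return "malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return "timestamp outside replay window"
    expected = sign(body, ts, secret)
    # compare_digest runs in constant time; a plain == would leak, through
    # response timing, how many leading characters of a forged value matched.
    if not hmac.compare_digest(expected, sig_header):
        return "signature mismatch"
    return None

def verify_webhook_vulnerable(body: bytes, headers: Mapping[str, str]) -> Optional[str]:
    """What an unauthenticated endpoint amounts to: any well-formed body is
    accepted, so anyone who learns the URL can inject or replay events."""
    return None if body else "empty body"

if __name__ == "__main__":
    # Constructed sample delivery from a lab-results partner.
    body = b'{"event":"lab_result","patient_id":"pat-123","status":"final"}'
    ts = int(time.time())
    headers = {"X-Example-Timestamp": str(ts), "X-Example-Signature": sign(body, ts)}
    print("genuine delivery:", verify_webhook(body, headers))
    print("tampered body:   ", verify_webhook(body + b" ", headers))
    print("replayed later:  ", verify_webhook(body, headers, now=ts + 3600))
```

In a report, the absence of this check maps cleanly to the rule's transmission-security and integrity safeguards, and the fix is entirely on the receiving side, which is usually the covered entity's own code rather than the business associate's.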
Under the proposed 2026 rule, covered entities would need to obtain annual written verification from business associates confirming that required technical safeguards are in place. Pentesting your integration points is a proactive step toward satisfying this requirement.
Scoping a Healthcare Penetration Test
Scoping is where healthcare pentests either deliver value or waste budget. The key principle is simple: every system that creates, receives, maintains, or transmits ePHI is in scope.
In practice, this means your scope should cover the patient-facing web applications and portals, the APIs that connect them to backend systems, the EHR platform and any custom integrations, cloud infrastructure hosting ePHI workloads, administrative and internal tools used by clinical and support staff, the network segments where ePHI resides or transits, and the integration points with business associate systems.
The proposed rule's mandatory technology asset inventory and network map will make scoping significantly easier for organisations that prepare now. Map where ePHI lives, how it moves, and which systems touch it. That map becomes both your pentest scope definition and a standalone compliance deliverable.
Share your scope documentation with your pentest provider before the engagement begins. A good provider will validate the scope against HIPAA requirements and flag any gaps. Penetrify works with healthcare organisations to align pentest scope directly with HIPAA Security Rule requirements, ensuring the engagement covers what OCR expects to see—without testing systems that don't handle ePHI and don't need to be in scope.
How Often Healthcare Organisations Should Test
The proposed rule mandates penetration testing at least every 12 months and vulnerability scanning at least every 6 months. But these are minimums, and healthcare's dynamic threat landscape often demands more.
The practical cadence for a compliance-mature healthcare organisation layers three activities:
Continuous automated scanning runs against your network and applications on an ongoing basis, catching new CVEs, configuration drift, and common vulnerabilities as they're introduced. This satisfies the proposed semi-annual scanning requirement and provides early warning between manual tests.
Annual comprehensive penetration testing covers your full ePHI environment—applications, APIs, cloud, network—with the depth needed to find access control failures, logic flaws, and chained exploit paths that automation misses. This is your primary compliance evidence and your deepest assessment of real-world risk.
Targeted testing after significant changes—a new patient portal launch, a cloud migration, a major EHR upgrade, a new business associate integration—addresses the specific attack surface introduced by the change. This is where on-demand testing models provide operational advantage: you test what changed, when it changed, without waiting for the next annual cycle.
Penetrify's transparent per-test pricing makes this layered approach financially accessible. Instead of committing to an annual enterprise contract, you launch tests as your environment evolves—a comprehensive annual assessment for compliance, a focused portal test after a release, a cloud configuration review after a migration. Predictable costs for each engagement, without unused credits or penalty pricing for scope adjustments.
Choosing a Pentest Provider for Healthcare
Healthcare penetration testing requires more than technical skill—it requires understanding the operational context, the regulatory requirements, and the sensitivity of the environment.
HIPAA awareness is non-negotiable. Your provider should understand what OCR expects from a risk analysis, how pentest findings map to HIPAA Security Rule safeguards, and how to structure a report that serves as compliance evidence. A generic pentest report that doesn't reference HIPAA controls requires your compliance team to manually re-map every finding—wasting time and creating documentation gaps.
Healthcare environment experience matters. EHR integrations, clinical workflows, HL7/FHIR messaging, medical device networks, multi-tenant HealthTech platforms—these aren't standard web application patterns. Your provider needs testers who understand how healthcare systems are architected and where the healthcare-specific risks live.
Minimal disruption is essential. Healthcare systems support patient care. A pentest that triggers alerts, degrades performance, or causes downtime in a clinical system can have real patient safety implications. Your provider should have protocols for testing sensitive environments—careful scheduling, continuous communication with your IT team, real-time monitoring, and the ability to pause testing immediately if any operational concern arises.
Compliance-mapped reporting saves weeks. The output of your pentest will be reviewed by OCR investigators, compliance auditors, and possibly legal counsel. Reports that map findings to HIPAA Security Rule sections—with remediation guidance aligned to specific safeguard requirements and retest evidence documenting the complete finding lifecycle—are immeasurably more valuable than a generic PDF of CVEs. Penetrify's reports are structured this way by default, mapping each finding to the relevant HIPAA controls alongside SOC 2 and HITRUST mappings where applicable.
Common Mistakes in Healthcare Pentesting
Testing Only the Perimeter
A pentest that scans your external-facing systems and calls it done misses the internal attack paths that ransomware exploits. Once an attacker gains a foothold—typically through phishing—they move laterally through the internal network toward systems containing ePHI. Your test should include both external and internal perspectives to evaluate whether your segmentation, access controls, and detection mechanisms prevent that lateral movement.
Ignoring Business Associate Integration Points
Over 80% of breached healthcare records come from third-party vendors. If your pentest doesn't evaluate the connections between your systems and your business associates' systems, you're ignoring the attack vector responsible for the majority of healthcare breaches.
Treating Medical Devices as Out of Scope
Network-connected medical devices are entry points into your clinical network. Even if your pentest doesn't include firmware-level device testing, it should evaluate whether devices are properly segmented and whether compromising a device provides access to ePHI-containing systems.
Conducting a One-Day "Express" Test
Healthcare environments are complex. A meaningful pentest for even a modest-sized organisation takes one to two weeks at minimum. Tests completed in one to three days are almost certainly automated scans with minimal manual analysis—they'll produce a report, but they won't find the access control failure that lets one patient view another's records or the misconfigured cloud storage bucket containing unencrypted ePHI.
No Remediation Tracking
OCR expects to see the full lifecycle: what was found, what was fixed, and how the fix was verified. A pentest that generates findings but never connects to a remediation workflow creates documented evidence of known, unaddressed vulnerabilities—exactly the kind of evidence that turns an OCR investigation into a seven-figure penalty.
Building Your Healthcare Pentest Programme
Step 1: Build your ePHI inventory. Map every system that creates, receives, maintains, or transmits ePHI. Include applications, databases, cloud services, medical devices, and third-party integrations. This inventory becomes both your pentest scope and a standalone compliance requirement under the proposed rule.
Step 2: Implement semi-annual vulnerability scanning. Deploy automated scanning across your ePHI environment. Run scans at least every six months. Feed the results into your risk analysis and use them to inform the scope of your manual pentests.
Step 3: Conduct annual comprehensive penetration testing. Engage a qualified provider—like Penetrify—to test your full ePHI environment with the depth and compliance mapping that satisfies OCR. Ensure the scope covers applications, APIs, cloud infrastructure, internal networks, and business associate integration points.
Step 4: Establish the remediation loop. Every finding needs an owner, a severity-based timeline, and verification. Critical findings affecting ePHI confidentiality should be remediated within days. Track everything. Include retest evidence in your compliance documentation.
Step 5: Integrate findings into your risk analysis. Your pentest results should feed directly into your annual HIPAA risk analysis. Each finding represents a concrete, evidence-based data point about risk to ePHI. This integration transforms your risk analysis from a paperwork exercise into a genuine assessment of your security posture.
The Bottom Line
Healthcare penetration testing in 2026 isn't about ticking a compliance box. It's about protecting patient data in an environment where attacks are growing more severe, more targeted, and more consequential. The proposed HIPAA updates formalise what the threat landscape has already made obvious: you need to actively test whether your defences can withstand the attacks that are coming.
The organisations that navigate this best are the ones that test the full ePHI environment—not just the perimeter—at the frequency their risk profile demands, with a provider that understands healthcare's unique attack surface and regulatory requirements.
Penetrify combines automated scanning for broad coverage with manual expert testing for the access control, logic, and cloud configuration flaws that define healthcare risk—delivered with HIPAA-mapped compliance reporting and transparent per-test pricing that works for organisations from regional clinics to enterprise health systems.