HIPAA Security Rule — ePHI Testing

HIPAA Penetration Testing

OraSec delivers manual penetration testing for the systems that store, process and transmit electronic protected health information (ePHI). We map every finding to the HIPAA Security Rule so covered entities and business associates can show OCR, auditors and partners that ePHI safeguards have been tested — not just documented.

From EHR platforms and patient portals to FHIR APIs and the cloud infrastructure underneath them, we test the systems that carry real patient data and deliver evidence your compliance file can use directly.

Prefer to talk? +1 307 310 7808

Does HIPAA Require a Penetration Test?

Not by name. The HIPAA Security Rule (45 CFR Part 164, Subpart C) governs how covered entities and business associates protect electronic protected health information, but it never lists “penetration testing” as a verbatim, mandatory control. That nuance matters, and we are careful to state it accurately: a penetration test is an expected practice, not an explicitly required one.

What the Security Rule does require is a thorough Risk Analysis and a periodic Evaluation of your safeguards. In practice, penetration testing is the standard, defensible way to satisfy both. The Rule is deliberately technology-neutral and risk-based — it tells you the outcome to achieve and leaves the method to you. For organizations handling ePHI at any meaningful scale, hands-on security testing is how that outcome is demonstrated.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the Rule, and breaches involving ePHI are costly — both in penalties and in mandated corrective action. The HHS-referenced implementation guide, NIST SP 800-66 Revision 2, treats technical testing of ePHI systems as a core means of identifying risk and confirming that safeguards actually work.

How a Pentest Satisfies the Risk Analysis & Evaluation Standards

Two specific provisions of the Security Rule turn penetration testing from a nice-to-have into the expected way to produce evidence.

Risk Analysis — § 164.308(a)(1)(ii)(A)

This implementation specification requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI. A penetration test produces exactly that: real, validated vulnerabilities in your ePHI systems — confirmed by exploitation rather than guessed at by a scanner — with the severity and impact context a risk analysis needs.

Evaluation — § 164.308(a)(8)

The Evaluation standard calls for periodic technical and non-technical evaluation establishing the extent to which your security policies and procedures meet the Rule's requirements. A recurring penetration test is the technical half of that evaluation — it measures whether the safeguards you documented hold up against an attacker, and gives you a dated, repeatable record of doing so.

Together, these standards mean that if you handle ePHI and cannot show evidence of technical security testing, you have a defensible gap. Our reports are structured to close it.

What's in Scope for ePHI

HIPAA scope follows the data. Any system that creates, receives, stores, processes or transmits electronic protected health information is in scope — and our engagements are built around your real ePHI data flows.

EHR / EMR systems

Electronic health record and electronic medical record platforms are the highest-value ePHI repositories you operate — whether hosted, self-managed, or a vendor SaaS you configure. We test authentication, authorization, role separation and record-level access controls so a clinician, a biller and a patient can only ever reach the data their role permits.

Patient portals & member apps

Patient-facing web and mobile portals expose ePHI directly to the internet. We test for broken access control (one patient reaching another patient's records), insecure direct object references, account takeover, session handling weaknesses and the OWASP Top 10 classes that lead to bulk ePHI exposure.

Billing, claims & practice management

Revenue-cycle, claims and practice-management systems store names, diagnoses, procedure codes and payment data — a combination that is both ePHI and financially attractive. We test these and the clearinghouse integrations that move 837/835 transactions on your behalf.

Cloud, integrations & HL7 / FHIR APIs

Modern health platforms move ePHI over HL7 v2 interfaces and FHIR REST APIs into cloud data stores. We test API authentication and scoping (OAuth 2.0 / SMART on FHIR), object-level authorization, the interface engines in between, and the AWS / Azure / GCP configuration that underpins them.
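The object-level authorization check described above for patient portals and FHIR APIs, as an added example (not OraSec's code or any FHIR server's): a SMART on FHIR access token carries a `patient` launch-context claim and scopes such as `patient/Observation.read`; the vulnerable handler serves any Observation to any authenticated caller (an IDOR), while the hardened handlers also require a matching scope and confine reads and searches to the token's patient compartment. Resource ids, patient ids and the in-memory store are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a FHIR server's resource store; all ids are invented.
OBSERVATIONS = {
    "obs-1001": {"resourceType": "Observation", "id": "obs-1001", "subject": {"reference": "Patient/p-42"}},
    "obs-2002": {"resourceType": "Observation", "id": "obs-2002", "subject": {"reference": "Patient/p-77"}},
}

@dataclass
class Token:
    """Claims relevant to SMART on FHIR authorization (assumed token shape)."""
    scopes: frozenset            # e.g. {"patient/Observation.read"}
    patient: Optional[str]       # launch context: the patient this token is bound to, e.g. "p-42"

def read_observation_vulnerable(token, obs_id):
    """Authentication only: any patient can fetch any Observation by guessing its id (IDOR)."""
    if token is None:
        return 401, None
    obs = OBSERVATIONS.get(obs_id)
    return (200, obs) if obs else (404, None)

def _has_read_scope(token, resource_type):
    # Accept the resource-specific patient scope or the patient-level wildcard.
    return bool(token.scopes & {f"patient/{resource_type}.read", "patient/*.read"})

def read_observation_hardened(token, obs_id):
    """Scope check plus object-level check: the Observation's subject must be the token's patient."""
    if token is None:
        return 401, None
    if not _has_read_scope(token, "Observation") or token.patient is None:
        return 403, None
    obs = OBSERVATIONS.get(obs_id)
    if obs is None or obs["subject"]["reference"] != f"Patient/{token.patient}":
        # 404 for both "missing" and "not yours" so the response does not confirm the id exists.
        return 404, None
    return 200, obs

def search_observations_hardened(token, requested_patient):
    """Search variant: the server constrains results to the token's compartment, never to a client-supplied id."""
    if token is None:
        return 401, None
    if not _has_read_scope(token, "Observation") or token.patient is None:
        return 403, None
    if requested_patient is not None and requested_patient != token.patient:
        return 403, None   # a ?patient= parameter naming someone else is refused, not honoured
    subject = f"Patient/{token.patient}"
    return 200, [o for o in OBSERVATIONS.values() if o["subject"]["reference"] == subject]
```

The same check applies to every resource type in the patient compartment (Condition, MedicationRequest, DocumentReference), and a test of the portal or API should exercise both the direct-read and the search path for each.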

Deliverables for Your Compliance File & OCR Readiness

A penetration test is only as useful as the evidence it leaves behind. Our reporting is built so that your privacy officer, security team and an OCR investigator each find what they need without a follow-up request. Findings are tied back to the Security Rule safeguards they relate to, so the report slots directly into your Risk Analysis and Evaluation documentation.

Because ePHI is sensitive by definition, the engagement is run under a Business Associate Agreement when protected health information is in play, with defined data-handling, retention and destruction controls throughout.

What You Receive

  • Executive summary written for compliance, privacy and clinical leadership — not just engineers.
  • Per-finding detail with reproduction steps, evidence, CVSS severity and remediation guidance.
  • Mapping of findings to the relevant HIPAA Security Rule safeguards so the report drops into your Risk Analysis file.
  • A clear scope statement enumerating the ePHI systems, endpoints and integrations covered.
  • Remediation retest to verify fixes and produce a closed-out report before an audit window.
  • Attestation letter summarizing the engagement for auditors, partners and OCR-readiness files.

Talk to a HIPAA Penetration Tester

Tell us about the ePHI systems in scope, the audit on your calendar, or the portal going into production next sprint. We'll come back with a scoped engagement plan — and sign a BAA before any protected health information is touched.


Frequently Asked Questions — HIPAA

Does HIPAA require penetration testing?

The HIPAA Security Rule does not name penetration testing as a verbatim, standalone requirement. However, it is the expected practice for satisfying two standards that ARE required: the Risk Analysis implementation specification at 45 CFR 164.308(a)(1)(ii)(A) and the periodic technical and non-technical Evaluation standard at 164.308(a)(8). HHS-referenced guidance (NIST SP 800-66 Rev 2) treats technical testing of ePHI systems as a core way to identify risks and evaluate the effectiveness of safeguards, which is why most covered entities and business associates run penetration tests as a matter of course.

What systems are in scope for a HIPAA pentest?

Any system that creates, receives, stores, processes or transmits electronic protected health information (ePHI). In practice that means EHR/EMR platforms, patient and member portals, billing and claims systems, the HL7 and FHIR integrations that move clinical data, the cloud environment hosting it, and connected medical devices. We scope the engagement around your actual ePHI data flows rather than testing systems that never touch protected health information.

How often should we run a HIPAA penetration test?

The Security Rule requires periodic Evaluation (164.308(a)(8)) but does not set a fixed interval. The widely adopted baseline is at least annually, and again after any material change — a new application, a major architecture or cloud migration, a merger, or a significant code release affecting ePHI handling. Higher-risk, internet-facing portals often warrant more frequent testing or continuous assessment.

Do you sign a BAA?

Yes. Because a penetration test of ePHI systems may expose us to protected health information, OraSec can sign a Business Associate Agreement on request before the engagement begins. We also work with you to minimize ePHI exposure during testing — using de-identified or test data where feasible and handling any live data under defined retention and destruction controls.

How long does HIPAA penetration testing take?

Most HIPAA penetration tests run two to four weeks from kickoff to final report, depending on scope. A single patient portal or API is on the shorter end; a full estate spanning an EHR, multiple portals, billing systems and cloud infrastructure takes longer. We confirm a firm timeline after scoping, and a remediation retest is scheduled separately once your team has addressed the findings.