HHS Wants Annual Pentests in the HIPAA Security Rule. Here's What That Looks Like.
HHS proposed updates to the HIPAA Security Rule in early 2025 that would make penetration testing an explicit requirement for covered entities. Here's what the proposed rule says and how to prepare.
The HIPAA Security Rule Is Getting Specific About Pentesting
The Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (NPRM) for the HIPAA Security Rule in January 2025 that would significantly expand technical testing requirements for covered entities and business associates. The most notable addition: explicit penetration testing requirements.
The current HIPAA Security Rule (45 CFR 164.308(a)(8)) requires periodic "technical and nontechnical evaluation" of security controls. The word "penetration testing" does not appear in the current rule. The proposed revision would add specific requirements for vulnerability scanning and penetration testing as distinct, required activities.
What the Proposed Rule Requires
Vulnerability Scanning
The NPRM proposes that covered entities and business associates must conduct vulnerability scanning at least every six months for all systems that create, receive, maintain, or transmit ePHI. This includes:
- Application-level scanning (SAST/DAST) for custom-developed software
- Infrastructure scanning for network and system vulnerabilities
- Dependency scanning for third-party components
The proposed rule explicitly calls out "automated tools" as a required method, moving beyond the current ambiguous "evaluation" language.
Penetration Testing
The NPRM proposes annual penetration testing as a required (not addressable) implementation specification. The penetration test must:
- Cover all systems and networks that process ePHI
- Include application-layer testing, not just network-layer
- Be conducted by qualified personnel (internal or external)
- Produce a written report with findings, risk ratings, and remediation timelines
- Be followed by documented remediation of identified vulnerabilities
Continuous Monitoring
The proposed rule adds a continuous monitoring requirement for ePHI systems, defined as "ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions." This goes beyond periodic scanning to require real-time or near-real-time security monitoring.
Why This Matters for Development Teams
Healthcare applications that process ePHI are in scope for all three requirements. The proposed rule does not distinguish between infrastructure and application-layer testing. Both are required. This means:
- Custom-built healthcare applications need both SAST and DAST coverage
- FHIR API implementations are application-layer targets for the pentest requirement
- Patient portals are internet-facing ePHI systems, the highest priority for testing
- Internal clinical tools that access ePHI are also in scope
The Application Pentest Gap
Most healthcare penetration tests focus on network infrastructure: perimeter scanning, firewall rules, VPN configurations. The proposed rule's explicit inclusion of application-layer testing closes a gap that has been obvious to security practitioners for years.
Healthcare application vulnerabilities (SQL injection in patient search, broken authentication in API gateways, IDOR in patient record endpoints) are the attack vectors behind the largest healthcare breaches. The Change Healthcare breach (2024, 100M+ records) and Ascension Health breach (2024, 140 hospitals disrupted) both involved application-layer compromise, not network perimeter failure.
The Cost Pressure
Healthcare organizations already face significant compliance costs. The proposed pentesting requirement adds operational expense. Qualified pentesters are expensive, and annual testing of all ePHI systems at the application layer is a meaningful scope expansion.
This creates economic pressure for continuous security testing that reduces pentest scope. If an organization can demonstrate continuous vulnerability scanning with documented remediation throughout the year, the annual pentest validates the process rather than discovering months of accumulated vulnerabilities.
Preparing Now
The NPRM is in the comment and finalization period. Regardless of the exact final rule language, the direction is clear: HHS is moving toward explicit, prescriptive security testing requirements. Organizations that implement continuous scanning and application-layer security testing now will be positioned for compliance when the final rule takes effect.
How Deva Addresses Healthcare Pentest Requirements
Deva's HIPAA preset covers all 25 code-relevant HIPAA Security Rule controls, including the evaluation requirement (164.308(a)(8)) that the proposed rule is expanding. Continuous scan-on-save provides the ongoing monitoring evidence the proposed rule describes.
The Pentest Engine's attack surface analysis gives healthcare development teams an offensive security perspective during development. Identifying the application-layer vulnerabilities that would appear in a penetration test, before the pentester arrives.
For organizations subject to the proposed scanning cadence (every six months), Deva's SARIF export produces timestamped, signed evidence packages showing scan coverage, findings, and remediation status. The documentation the proposed rule requires.
The local model matters here more than anywhere: ePHI code patterns, patient data in test fixtures, and clinical workflow logic stay on the developer's machine. No healthcare-specific context traverses an external API.
Frequently asked questions
Does HIPAA require penetration testing?
What is the HHS NPRM and when does it take effect?
How often does the proposed HIPAA rule require vulnerability scans?
Are FHIR APIs in scope for HIPAA pentest requirements?
Summer Ann
Threat research, application security analysis, and defensive engineering insights from the DevSecCode team.
Related Articles
CMMC Level 2 Is Enforced. Here's What Your Code Has to Show.
CMMC 2.0 Level 2 enforcement is active for DoD contracts. Most compliance failures trace back to code, not policy. Here's the control mapping every developer on a defense program needs to understand.
Read moreNIST CSF 2.0: Govern Got the Headlines, ID.AM-07 Will Cost You the Audit
NIST released Cybersecurity Framework 2.0 with a new Govern function and expanded scope beyond critical infrastructure. Here's what the update means at the code level.
Read morePCI-DSS v4.0 Requirements That Live in Your Code, Not Your Network
PCI-DSS v4.0 has been the only valid revision since March 2025. Requirements 6.2 and 6.3 are the ones developers own, and they are stricter than v3.2.1 in ways most teams have not yet absorbed.
Read more