Penetration Testing Vital Even Before the New HIPAA Rules Are Final
Healthcare organizations should not wait for the final HIPAA Security Rule updates to start validating their security posture. Although OCR has not yet finalized the proposed changes, the direction is already clear: healthcare entities and business associates are under growing pressure to implement more specific, defensible cybersecurity safeguards for electronic protected health information (ePHI). In March 2026, OCR Director Paula Stannard publicly defended the proposed updates while noting that OCR still had not decided which proposals would ultimately be finalized, and warned that “the cost of doing nothing is very high.”
That is the key point for healthcare leadership. Regulatory timing and attacker timing are not the same thing. Threat actors are not waiting for the rulemaking process to end, and neither should organizations responsible for protecting ePHI. HHS has already proposed significant Security Rule changes intended to better protect the confidentiality, integrity, and availability of ePHI, and HHS’s healthcare cybersecurity guidance continues to push organizations toward stronger baseline controls now.
The January 2025 proposed rule would modify the HIPAA Security Rule to require covered entities and business associates to better protect ePHI against both external and internal threats. HHS says the proposal is intended to provide more specific instruction on what regulated entities must do, rather than leaving organizations with broad, loosely interpreted expectations.
For many healthcare organizations, that should be a wake-up call. A policy may say remote access is secure. A checklist may say MFA is enabled. A vulnerability scan may show a list of known issues. But none of those, by themselves, answer the more important question: Would an attacker actually be able to compromise a critical system or reach sensitive data?
A penetration test is fundamentally different from a basic vulnerability scan. Vulnerability scanning identifies known weaknesses. A penetration test goes further by assessing whether those weaknesses can be exploited in practice, how far an attacker could move, and what business impact could result.
A “pen test” reveals the real-world consequences of compromise, including exposure of ePHI, business interruption, delayed care operations, financial loss, regulatory scrutiny, and reputational damage. OCR’s recent public remarks underscored exactly that point by framing inaction as potentially more expensive than preventive security work.
A pen test should also be independent. An internal team may know the environment too well and make assumptions that go unchallenged. A managed service provider or incumbent security vendor may also be constrained by familiarity with the systems they designed, deployed, or support. An independent third party brings a fresh perspective and objectivity.
A good independent penetration test helps answer questions like:
What internet-facing assets are actually exposed?
Are there forgotten subdomains, legacy systems, or misconfigurations that increase risk?
Can weak authentication, insufficient segmentation, or excessive privilege be abused?
Could an attacker pivot from an initial foothold toward sensitive systems or ePHI?
Are security controls working in practice, or only in theory?
Some healthcare organizations may be tempted to delay major security validation work until the final HIPAA updates are published. On paper, that can seem prudent. In practice, it often creates more risk.
First, the direction of travel is already visible. HHS has proposed stronger and more prescriptive expectations, and the stated purpose is to strengthen cybersecurity protections for ePHI.
Second, remediation takes time. If a third-party penetration test uncovers exposed administrative interfaces, weak remote access controls, poor network segmentation, exploitable web application flaws, or legacy systems that should not still be reachable, those issues usually cannot be fixed in a week or two. Organizations that wait until a final rule is issued may find themselves trying to assess, remediate, document, and validate everything at once.
Third, HHS has already published healthcare-specific Cybersecurity Performance Goals intended to help organizations prioritize high-impact security practices. While those goals are voluntary, they are another signal that healthcare cybersecurity expectations are becoming more concrete and operational.
The better approach is to start now, on your own timetable, before urgency is imposed by a breach, a customer demand, an insurer questionnaire, or an OCR investigation.
This is particularly important for small and mid-sized healthcare organizations that may assume they are too small to be targeted. In reality, smaller providers and business associates often face the same threat categories as larger organizations, but with less internal security depth.
The question is no longer whether healthcare cybersecurity expectations are increasing. They are. HHS formally proposed substantial HIPAA Security Rule changes in January 2025, and OCR leadership is still publicly defending the effort in 2026 even while the final outcome remains unsettled.
For healthcare providers and business associates, independent third-party penetration testing is one of the clearest ways to move from assumptions to evidence. It helps determine whether security controls work in the real world, whether attackers have viable paths into the environment, and whether the organization is reducing risk before a regulator, insurer, or threat actor forces the issue. Waiting for the final HIPAA rule may feel cautious. In many cases, it is actually the riskier choice.
If your healthcare organization wants an independent view of its real-world cybersecurity risk, Mile High Cyber can help. Our human-led penetration testing services help healthcare entities identify exploitable weaknesses, validate key safeguards, and prioritize remediation before problems become incidents.