A vulnerability scan tells you what weaknesses exist on paper. A penetration test tells you whether those weaknesses can actually be exploited — and how far an attacker could go if they were. For healthcare organisations managing large volumes of ePHI and running systems where security failures can affect patient safety, penetration testing is an essential element of any mature security programme.
Why Healthcare Organisations Need Penetration Testing
HIPAA's Security Rule (45 CFR 164.308(a)(8), the Evaluation standard) requires covered entities and business associates to perform periodic technical and non-technical evaluations of how well their security policies and procedures meet the Rule's requirements. HIPAA does not mandate penetration testing by name, but a well-scoped test is widely accepted as one way of satisfying the technical side of that evaluation, and it produces the exploitation evidence that a risk analysis alone cannot.
Beyond regulatory compliance, the practical case for pen testing is straightforward. Security controls degrade. New systems are added without full security review. Configuration drift occurs. Third-party integrations create unanticipated attack paths. A penetration test conducted by skilled testers who think like attackers will consistently surface issues that vulnerability scans and internal reviews miss.
Healthcare organisations are an attractive target for persistent attackers willing to invest time in understanding a specific environment. A penetration test conducted from the same adversarial perspective validates whether your controls would detect and stop such an attacker.
Types of Penetration Testing
Network Penetration Testing
Network pen testing examines the external and internal attack surface. External testing simulates an attacker with no initial access, attempting to breach the perimeter through internet-facing systems — VPN gateways, web applications, email infrastructure, and any other externally accessible service. Internal testing simulates an attacker who has already gained a foothold — perhaps through a phishing attack or compromised vendor credential — and assesses how far they could move laterally.
For healthcare, internal network testing should cover clinical network segments, not just administrative infrastructure. Testing should probe whether EHR servers, PACS systems, and medical device networks can be reached from a realistic point of initial compromise, such as a staff workstation VLAN or a vendor VPN segment, and whether the segmentation controls that are supposed to block that path actually do.
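The segmentation check described above, as an added example (not code from the original article): a small probe that, from the vantage point of a compromised staff workstation, attempts TCP connections to the clinical targets a tester would care about and flags any that answer when the assumed segmentation policy says they should be blocked. Hostnames, ports, labels and the policy are constructed for illustration; the ports are the conventional ones for each protocol (DICOM 104/11112, HL7 MLLP 2575, MSSQL 1433). Medical device targets are skipped unless explicitly enabled, because even a TCP connect can upset some devices.

```python
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Constructed target list for illustration; none of these hosts are real.
# The last field marks targets on a medical device network, which must not
# be probed without clinical engineering approval.
Target = Tuple[str, int, str, bool]
CLINICAL_TARGETS: List[Target] = [
    ("ehr-app.example.internal",     443,   "EHR web interface",              False),
    ("ehr-db.example.internal",      1433,  "EHR database (MSSQL)",           False),
    ("hl7-engine.example.internal",  2575,  "HL7 v2 interface engine (MLLP)", False),
    ("pacs.example.internal",        104,   "PACS DICOM SCP",                 False),
    ("pacs.example.internal",        11112, "PACS DICOM SCP (alternate)",     False),
    ("infusion-gw.example.internal", 23,    "Infusion pump gateway (telnet)", True),
]

# Assumed segmentation policy for the vantage point under test (a staff
# workstation VLAN): only the EHR web tier should be reachable from here.
ALLOWED_FROM_WORKSTATION_VLAN: Set[Tuple[str, int]] = {
    ("ehr-app.example.internal", 443),
}


@dataclass
class ProbeResult:
    host: str
    port: int
    label: str
    reachable: Optional[bool]   # None = deliberately skipped (device network)


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Live probe: True only if a full TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:             # refused, timed out, unresolvable, ...
        return False


def probe_targets(targets: List[Target],
                  connect: Callable[[str, int], bool] = tcp_connect,
                  include_medical_devices: bool = False) -> List[ProbeResult]:
    """Probe each target from the current vantage point. `connect` is
    injectable so the logic can be exercised offline; medical device
    targets are skipped unless explicitly enabled."""
    results = []
    for host, port, label, is_device in targets:
        if is_device and not include_medical_devices:
            results.append(ProbeResult(host, port, label, None))
        else:
            results.append(ProbeResult(host, port, label, connect(host, port)))
    return results


def segmentation_violations(results: List[ProbeResult],
                            allowed: Set[Tuple[str, int]]) -> List[ProbeResult]:
    """Targets that answered although policy says this segment must not reach them."""
    return [r for r in results if r.reachable and (r.host, r.port) not in allowed]


def simulated_connect(host: str, port: int) -> bool:
    """Stand-in for tcp_connect with constructed answers: the EHR web tier is
    reachable as intended, but so is the PACS DICOM port, which it should not be."""
    return (host, port) in {("ehr-app.example.internal", 443),
                            ("pacs.example.internal", 104)}


if __name__ == "__main__":
    # Swap simulated_connect for tcp_connect to run a live probe.
    results = probe_targets(CLINICAL_TARGETS, connect=simulated_connect)
    for r in results:
        state = "SKIPPED" if r.reachable is None else ("OPEN" if r.reachable else "blocked")
        print(f"{state:8} {r.host}:{r.port}  {r.label}")
    for v in segmentation_violations(results, ALLOWED_FROM_WORKSTATION_VLAN):
        print(f"VIOLATION: {v.label} reachable at {v.host}:{v.port}")
```

A reachable DICOM port from a workstation VLAN is exactly the kind of finding a vulnerability scan of the PACS host itself would never surface, because the scanner usually sits in a segment that is allowed to reach it.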
Web Application Testing
Healthcare organisations operate web-based clinical portals, patient-facing portals, telemedicine platforms, and administrative systems. Web application pen testing examines these systems for the vulnerability classes in the OWASP Top 10: injection flaws, broken authentication, broken access control (including insecure direct object references, where a record is fetched by an identifier in the request without checking that the caller is entitled to it), sensitive data exposure, security misconfiguration, and others.
The EHR's web interface and any API endpoints deserve particular attention, as they provide direct access to ePHI, are reachable from a broad network surface, and are where authorisation bugs translate most directly into one user reading another patient's chart.
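The insecure direct object reference case from the paragraphs above, as an added example (not code from the original article or any real EHR): a patient-record lookup written the vulnerable way beside the hardened form. The framework layer is left out so the authorisation logic stands alone; the sample records, usernames and the care-team authorisation model are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample data; record contents and usernames are invented.
RECORDS: Dict[int, dict] = {
    1001: {"patient_id": 1001, "name": "Patient A", "problem_list": ["type 2 diabetes"]},
    1002: {"patient_id": 1002, "name": "Patient B", "problem_list": ["asthma"]},
    1003: {"patient_id": 1003, "name": "Patient C", "problem_list": ["hypertension"]},
}

# Assumed authorisation model: a clinician may read a patient's record only
# while that patient is assigned to them (a treatment relationship).
CARE_TEAM: Dict[str, Set[int]] = {"dr.okafor": {1001, 1002}, "dr.lin": {1003}}

# HIPAA requires access to ePHI to be logged; the hardened handler writes here.
ACCESS_LOG: List[str] = []


@dataclass
class Session:
    user: str
    role: str                         # "patient" (portal user) or "clinician"
    patient_id: Optional[int] = None  # the portal user's own patient id


class Forbidden(Exception):
    """Maps to an HTTP 403/404 in a real handler."""


def get_record_vulnerable(session: Optional[Session], patient_id: int) -> dict:
    """IDOR: authentication is checked, authorisation is not. The patient_id
    from the URL (/patients/<id>/records) is trusted, so any logged-in user
    can read any record by changing the number."""
    if session is None:
        raise Forbidden("login required")
    return RECORDS[patient_id]


def get_record_hardened(session: Optional[Session], patient_id: int) -> dict:
    """Same lookup with an explicit authorisation decision bound to the
    authenticated identity rather than to the identifier in the request."""
    if session is None:
        raise Forbidden("login required")
    if session.role == "patient":
        permitted = session.patient_id == patient_id
    elif session.role == "clinician":
        permitted = patient_id in CARE_TEAM.get(session.user, set())
    else:
        permitted = False
    record = RECORDS.get(patient_id)
    # One generic failure for both "not yours" and "does not exist":
    # answering 404 for unknown ids and 403 for known ones lets an
    # attacker enumerate valid patient identifiers.
    if not permitted or record is None:
        ACCESS_LOG.append(f"DENY user={session.user} patient={patient_id}")
        raise Forbidden("not found")
    ACCESS_LOG.append(f"ALLOW user={session.user} patient={patient_id}")
    return record


if __name__ == "__main__":
    portal_user = Session(user="patient-a", role="patient", patient_id=1001)
    # Tampered request: Patient A's session asks for /patients/1002/records.
    print("vulnerable handler returned:", get_record_vulnerable(portal_user, 1002)["name"])
    try:
        get_record_hardened(portal_user, 1002)
    except Forbidden as exc:
        print("hardened handler refused:", exc)
    print(ACCESS_LOG)
```

During a test, the tamper step is simply re-sending an authenticated request with a neighbouring identifier; a handler that returns the other patient's data is a direct ePHI exposure and, under the scoring discussed later, a High or Critical finding regardless of how unglamorous the bug looks.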
Social Engineering
Social engineering testing, including phishing simulations, voice phishing (vishing), and in some cases physical access attempts, assesses whether human controls hold up under adversarial pressure. Phishing is consistently among the most common initial access vectors reported in healthcare breaches, which makes this a high-value test category.
Phishing simulations should be realistic but coordinated with clinical leadership to ensure they do not disrupt patient care or cause undue alarm. Results provide a measurable baseline for security awareness training effectiveness.
Physical Penetration Testing
Physical pen testing assesses whether physical security controls (access card systems, data centre entry controls, secure disposal of hardware, clean desk policies) prevent unauthorised physical access to systems containing ePHI. In healthcare, two concerns are specific to the setting: clinical workstations left logged in under a clinician's credentials in shared or semi-public areas, and network closets containing unprotected switches that offer an attacker a wired foothold on a clinical segment.
Scoping a Healthcare Penetration Test
Scope definition is critical. A poorly scoped test wastes budget on low-risk systems and misses the areas that matter most.
EHR systems are typically the highest priority. Testing should cover the network path to EHR servers, authentication controls, access control enforcement, and the web interface.
PACS and imaging systems are frequently under-tested despite holding sensitive diagnostic data and often presenting exploitable weaknesses; DICOM services in particular commonly rely on little more than a matching Application Entity title for access control, so network reachability alone can amount to read access to imaging studies.
Medical device networks require careful scoping. Testing tools and techniques that are appropriate for IT systems can cause medical devices to malfunction, creating patient safety risks. A medical device pen test must be conducted by testers with specific experience in clinical device environments, on isolated test devices wherever possible, and with clinical engineering closely involved.
Remote access infrastructure — VPN gateways, remote desktop gateways, and authentication portals — is a high-priority external test target.
Email infrastructure should be tested for susceptibility to phishing and spoofing: whether the domain's SPF, DKIM and DMARC records actually cause forged mail claiming to come from the organisation to be rejected, and whether inbound filtering stops realistic lures.
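The spoofing part of that check, as an added example (not code from the original article): an assessment of published SPF and DMARC records for the settings that let forged mail through. It operates on record text, so the two sets of records below are constructed for a hypothetical domain rather than fetched from DNS; in a live test the TXT records for the domain and its `_dmarc` subdomain would be looked up first.

```python
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]   # (severity, message)


def assess_spf(record: Optional[str]) -> List[Finding]:
    """Check the published SPF policy for settings that let forged mail through."""
    if record is None:
        return [("high", "no SPF record: receivers cannot reject forged envelope senders")]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "record is not a valid SPF v1 record")]
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return [("high", "no 'all' mechanism: unmatched senders are treated as neutral")]
    # A bare 'all' with no qualifier means '+all'.
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return {
        "+": [("critical", "'+all' authorises every host on the internet to send as this domain")],
        "?": [("high", "'?all' is neutral: forged mail is neither passed nor failed")],
        "~": [("medium", "'~all' is a soft fail: many receivers still deliver forged mail")],
        "-": [],
    }[qualifier]


def parse_dmarc(record: str) -> Dict[str, str]:
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[Finding]:
    """Check the DMARC policy for monitoring-only or partial enforcement."""
    if record is None:
        return [("high", "no DMARC record: SPF/DKIM results are never enforced")]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return [("high", "record is not a valid DMARC record")]
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("high", "p=none: monitoring only, forged mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("low", "p=quarantine: forged mail lands in spam rather than being rejected"))
    elif policy != "reject":
        findings.append(("high", f"unrecognised or missing policy p={policy!r}"))
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(("medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    if tags.get("sp", "").lower() == "none":
        findings.append(("medium", "sp=none: subdomains of the organisation can be spoofed freely"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address: no aggregate reports, so spoofing goes unnoticed"))
    return findings


def assess_domain(spf: Optional[str], dmarc: Optional[str]) -> List[Finding]:
    return assess_spf(spf) + assess_dmarc(dmarc)


# Constructed records for a hypothetical domain (not real DNS data).
WEAK = ("v=spf1 include:_spf.example-mail.test ~all",
        "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example-hospital.test")
STRONG = ("v=spf1 ip4:203.0.113.0/24 include:_spf.example-mail.test -all",
          "v=DMARC1; p=reject; rua=mailto:dmarc@example-hospital.test")

if __name__ == "__main__":
    for name, (spf, dmarc) in (("weak", WEAK), ("strong", STRONG)):
        print(name)
        for sev, msg in assess_domain(spf, dmarc) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

The soft-fail plus `p=none` combination is the one most often found in practice: the organisation believes it "has SPF and DMARC", yet a forged message from its own domain is still delivered to its own staff.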
Black, Grey, and White Box Approaches
Black box testing provides testers with no prior knowledge of the environment — simulating an external attacker who must discover the target environment through reconnaissance. This tests both the organisation's external exposure and its detection capability.
Grey box testing provides testers with limited information — such as a user account but no architectural documentation — simulating an authenticated insider or a threat actor with initial access but limited knowledge.
White box testing provides full information about the environment, enabling testers to conduct a thorough, efficient assessment of specific systems. This approach is appropriate for detailed review of high-value systems like the EHR.
Most healthcare penetration test programmes benefit from a combination: black box external testing plus grey or white box internal testing.
Testing Frequency
The appropriate frequency for penetration testing depends on the organisation's risk profile and the rate at which the environment changes. As a baseline:
- Annual full-scope testing is the minimum for most healthcare organisations and is widely recommended by frameworks including the HHS 405(d) Health Industry Cybersecurity Practices (HICP).
- Significant changes, such as a new VPN deployment, a new patient portal, or a major EHR upgrade, should be tested before they go live, with a follow-up external test of the deployed configuration rather than waiting for the next annual cycle.
- Continuous vulnerability scanning complements periodic pen testing by identifying newly discovered vulnerabilities between tests.
Handling Findings: CVSS Scoring and Prioritisation
Penetration test findings should be risk-rated using the Common Vulnerability Scoring System (CVSS). A CVSS base score rates the vulnerability in isolation, not what it means in your environment, so the rating should be read together with what the tester actually reached: a Medium-scored flaw that yields read access to a PACS archive matters more than a High on an isolated test server. Critical and High findings involving exploitable access to ePHI or clinical systems should be treated as urgent, with remediation beginning within days, not in the next quarterly patching cycle.
Findings should be presented with sufficient detail to enable remediation: the vulnerability description, exploitation evidence, affected systems, risk rating, and specific remediation guidance. Working through findings requires coordination between security, IT operations, application teams, and clinical engineering.
Working with Third-Party Testers
Healthcare organisations should select pen testing firms with demonstrable healthcare sector experience. Testers who understand clinical environments, healthcare protocols, and HIPAA obligations will produce more relevant findings and be better positioned to assess risk in context.
Contractual terms should address how sensitive data (credentials, and any ePHI accessed during testing) will be handled, destroyed, and reported, and what the testers must do if they encounter evidence of a real, prior compromise. Testing activity should be coordinated with the security operations team so that test traffic is not mistaken for a live intrusion; where measuring detection is itself an objective, restrict advance knowledge to a small deconfliction contact rather than the whole team. Clinical engineering must be involved whenever medical device systems are in scope.
Rules of engagement documentation — defining scope, timing, permitted techniques, and emergency contacts — must be agreed and signed before testing begins.
Regulatory Drivers
Beyond HIPAA, organisations subject to ISO 27001 or SOC 2 audits will find that penetration testing is commonly expected by auditors. Cyber insurance applications increasingly ask about penetration testing frequency and remediation practices, and some insurers offer preferential rates for organisations with documented testing programmes.
FZ Consulting LLP offers penetration testing services tailored for healthcare environments, including EHR systems, clinical networks, and medical device infrastructure. Contact our team to scope a testing programme appropriate for your organisation.