HIPAA Penetration Tests and Vulnerability Scans


Medical facilities are understandably concerned with the security of patient data. HIPAA demands that certain safeguards be maintained. In pursuit of that security, organizations use a number of cybersecurity measures. Specifically, they may hire a company to perform a vulnerability scan or a penetration test. These two procedures are very different, and definitely not interchangeable.

A vulnerability scan is an automated process where a technician uses specialized software to scan computer hardware or a network for vulnerabilities, such as outdated operating systems, unpatched software, or open ports on a firewall. It is often the first step before a penetration test is performed. Vulnerability scans are also suitable for companies that are at the beginning stages of establishing a cybersecurity strategy.

Penetration tests are used to discover and document specific weaknesses so that corrections can be made. Companies should be aware that some cybersecurity outfits advertise what they call penetration tests, but are in fact just glorified vulnerability scans. A penetration test, unlike a vulnerability scan, is hands-on and very intensive. It is done by an ethical hacker who deliberately attempts to break into a system. These tests are best suited for organizations with a fairly mature cybersecurity program in place.


Both vulnerability scans and penetration tests have their limits. Even the most intensive penetration test will probably not disclose whether staff members are walking around with unencrypted laptops. And a vulnerability scan may discover open firewall ports, but if an organization has multi-factor authentication in place, such openings present minimal risk.

Fortunately, there is a solution that can address the gaps that a vulnerability scan or a penetration test may miss. It's a risk assessment, which is exactly what we do at Matterform. We perform risk assessments specially designed to meet HIPAA requirements, so that organizations can respect and maintain the privacy of their patients' records. If you have questions about your organization's cybersecurity and HIPAA compliance, contact Matterform for a free exposure analysis today.
