HIPAA Basics III: Security Scanning for HIPAA Compliant Hosting – Pen Testing and Vulnerability Assessments
By Gil Vidals, HIPAA Blog, Resources, Security

Just as medical professionals rely on specialized scans – including MRIs, X-Rays, CAT scans, and ultrasound – to diagnose potentially harmful conditions in the human body, a HIPAA host will also utilize particular scans to identify possible abnormalities and weaknesses in your system. 

Scanning is part of the Security Rule Risk Analysis (see our previous post), which requires an “accurate and thorough assessment of the potential risks and vulnerabilities” to systems containing PHI.

The goal is the confidentiality, integrity, and availability (known as the CIA triad) of the resident health information.

System security scans may be thought of as an extension of the medical scans mentioned, for they also impact the ultimate care and treatment of the patient. If medical data and systems are unavailable because of a failure in cybersecurity, treatments may be delayed and patient health can suffer. 

This is why scans are invaluable. They must be conducted throughout your environment for the identification of possible and/or known “security holes” that might cause a security incident, allowing hackers to obtain system access and ultimately impact patient care. 

Before we take a closer look at security scans, we should clarify the following question:

What Constitutes a Security Incident? 

It’s important to note that a security incident need not be successful to be considered as such; even the attempt to access something unauthorized should be classified as a security incident and seen as an opportunity for corrective action (remediation). 

Therefore, any attempt to use, disclose, modify, destroy, or interfere with your system operations in some way is a security incident to be investigated. Be aware: the most common infection vector to impact your systems is now phishing, typically via spam email. 

What are some additional examples of HIPAA Security Incidents? These can include:

  • any unauthorized attempt to obtain credentials (such as brute-force attacks to get passwords) in order to access a system with protected health information (PHI).
  • failures to properly manage equipment (hard drives, USBs, etc.) that lead to unauthorized attempts to access PHI.  
  • any attempt to use malicious software (malware) specifically designed to cause damage to a system, network, or data. Viruses, worms, Trojans, spyware, adware, and ransomware are all examples of malware.

As with password maintenance and equipment security procedures, detecting novel types of malware will also require vigilance. This is the purpose of specialized scanning tools.
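As an added illustration (not part of the original post), the following Python script applies the definition above to constructed OpenSSH-style auth log lines: a source that repeatedly fails password authentication is recorded as a security incident even when no attempt succeeds, and a success that follows failures from the same source is escalated for investigation. The host name, addresses, user names, threshold and time window are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth.log style (not real data).
SAMPLE_LOG = """\
Mar 10 09:00:01 ehr-app sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 10 09:00:03 ehr-app sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Mar 10 09:00:05 ehr-app sshd[2101]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 10 09:00:06 ehr-app sshd[2101]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar 10 09:00:08 ehr-app sshd[2101]: Failed password for nurse1 from 203.0.113.7 port 50215 ssh2
Mar 10 09:15:40 ehr-app sshd[2188]: Failed password for nurse1 from 198.51.100.20 port 41002 ssh2
Mar 10 09:15:55 ehr-app sshd[2190]: Accepted password for nurse1 from 198.51.100.20 port 41003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port"
)

def parse_auth_log(text, year=2024):
    """Yield (timestamp, result, user, source) for each sshd password event.
    syslog lines carry no year, so one is supplied (assumed 2024 here)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def find_incidents(text, threshold=5, window=timedelta(minutes=10)):
    """Classify activity per source address. A source becomes an incident as
    soon as it makes `threshold` failed attempts inside `window`, whether or
    not anything succeeds; an accepted login after failures from the same
    source is escalated so an analyst can check for a compromised account."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    users = defaultdict(set)       # src -> account names tried
    incidents = {}
    for ts, result, user, src in parse_auth_log(text):
        users[src].add(user)
        if result == "Failed":
            recent = [t for t in failures[src] if ts - t <= window]
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= threshold and src not in incidents:
                incidents[src] = {"severity": "attempt", "users": users[src]}
        elif failures[src]:  # success preceded by failures: never downgraded
            incidents[src] = {"severity": "success-after-failures", "users": users[src]}
    return incidents
```

Tune `threshold` and `window` to the host's normal failure rate; the escalation branch deliberately ignores the threshold because a single failure followed by success from an unfamiliar address is still worth a look.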


Types of Security Scans 

As noted, an X-Ray is designed to bring visibility to potential physical risks (fractures, tumors, etc.). Likewise, network scanning tools are needed to examine equipment and networks and bring visibility to actual and potential malware intrusions into your system.

If malware has already made it into your system, however, detection is critical and mitigation must be performed to remove it promptly.

Certain organizations may fall under more stringent demands where specified criteria have to be implemented. For these entities, corporate security policies will drive the need for a more focused approach and a higher level of awareness, deeper security scans, and additional reporting functionality.

There are different methods by which these scans can be conducted, depending on whether you wish to validate the internal network or the external network.


For the purpose of securing the external network, penetration testing (also known as pen testing) is the preferred method for validating that the security perimeter keeps intruders out.

Pen testing is a form of “ethical hacking,” typically performed by a security expert (a white hat hacker) from outside your organization. The goal is to conduct a “real-world test” of your organization’s security. In this way, you gain visibility into how well your system resists actual attacks against its vulnerabilities.

HIPAA Vault offers penetration testing as a way to help validate security and compliance for your organization. (To learn more about ethical hacking, see our two-part series with Security Expert Ricoh Danielson). 


To determine if unwanted guests have already passed the external infrastructure and made their way inside, a vulnerability assessment scan is used. 

This type of testing is used to identify both potential weaknesses and actual malware and ensure that all software is up to date. Once a vulnerability is identified, remediation can then be performed on the local systems or network devices.

HIPAA Vault performs continuous vulnerability assessment scans as a regular part of our fully managed services. 24/7/365 mitigation and patching keeps all systems updated with the latest security fixes. We also offer a free Security Vulnerability Scan to interested companies.

In conclusion, securing the entire network infrastructure in a HIPAA Compliant hosting environment is a significant task that requires a great deal of attention to comply with the proper rules and regulations. The desired result of such a risk analysis, however, is to produce a low-risk assessment that could greatly reduce the impact of data loss in the case of a security breach.

If you have any questions on HIPAA scanning or any of the services we provide, please contact us! 760-290-3460.

HIPAA Vault is a low-cost leader of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities.