Guest Column | October 28, 2025

Penetration Testing In Healthcare: Common Vulnerabilities And Programs To Address Them

By Carl Carpenter, Arrakis Consulting


Penetration testing is a critical compliance requirement that can help protect pharma, as well as other healthcare companies, from untold risk as it relates to protected health information (PHI) under HIPAA, personal data under GDPR, and consumer information under the California Consumer Privacy Act (CCPA). In part one of this series on penetration testing, we discussed different types of penetration testing, regulatory requirements relating to penetration testing, privacy considerations, and the various phases of penetration testing. Here, we finish by discussing some of the common pitfalls witnessed in healthcare environments, as well as guidance for implementing a penetration testing program.

Common Vulnerabilities In Healthcare Environments

Penetration testing in healthcare organizations consistently reveals several categories of vulnerabilities that pose significant risks to patient privacy and HIPAA compliance.

Authentication and Access Control Weaknesses

Weak or default credentials on medical devices, administrative interfaces, and legacy systems remain prevalent in healthcare environments. Many medical devices ship with hardcoded credentials that cannot be changed, creating permanent security vulnerabilities.

Insufficient multifactor authentication (MFA) implementation, particularly for remote access and privileged accounts, enables credential-based attacks. Inadequate session management in web applications allows session hijacking and unauthorized access to patient records.

Network Segmentation Failures

Poor network segmentation allows attackers who compromise one system to move laterally throughout the network, accessing multiple systems containing ePHI. Medical devices, administrative systems, and guest networks often share network segments, creating unnecessary risk.

Unpatched Systems and Legacy Technology

Healthcare organizations frequently operate legacy systems running outdated operating systems and applications with known vulnerabilities. Medical devices may run unsupported operating systems that cannot be patched without voiding warranties or losing regulatory approvals.

Web Application Vulnerabilities

Patient portals and web-based EHR systems often contain injection vulnerabilities (SQL injection, command injection), broken authentication, sensitive data exposure, and insufficient access controls. These vulnerabilities can enable unauthorized access to thousands of patient records.

Wireless Network Security Gaps

Weak wireless encryption, rogue access points, and insufficient wireless network segmentation create opportunities for attackers to intercept communications or gain unauthorized network access.

Real-World Healthcare Breaches And Penetration Testing Lessons

Anthem Inc. Breach (2015)

The Anthem breach, affecting 78.8 million individuals, resulted from attackers gaining access through spear-phishing and exploiting insufficient network segmentation and monitoring. Penetration testing that included social engineering assessments and internal network testing could have identified the lateral movement opportunities that attackers exploited.

The $16 million HIPAA settlement emphasized Anthem's failure to conduct comprehensive risk analyses and implement appropriate security measures. Regular penetration testing would have provided evidence of security control effectiveness and identified gaps requiring remediation.

Community Health Systems Breach (2014)

Community Health Systems reported a breach affecting 4.5 million individuals after attackers exploited the Heartbleed vulnerability (CVE-2014-0160). This breach demonstrates the importance of vulnerability management and timely patching, issues that penetration testing regularly identifies.

External penetration testing would have identified the Heartbleed vulnerability before attackers exploited it, providing an opportunity for remediation before the breach occurred.

Advocate Medical Group Breach (2013)

Advocate Medical Group experienced a breach affecting 4 million individuals when four unencrypted computers were stolen. While this represents a physical security failure, penetration testing that includes physical security assessments could have identified inadequate controls protecting devices containing ePHI.

Newkirk Products Inc. Breach (2019)

Newkirk Products, a business associate providing services to healthcare organizations, experienced a ransomware attack affecting 3.3 million individuals. The attack exploited weak remote desktop protocol (RDP) security — a vulnerability that external penetration testing routinely identifies.

This breach resulted in a $75,000 HIPAA settlement and highlights the importance of penetration testing for business associates, not just covered entities.

Regulatory Enforcement And Penetration Testing

OCR Enforcement Actions

The HHS Office for Civil Rights has consistently emphasized security testing in enforcement actions. Multiple settlement agreements explicitly require organizations to conduct regular penetration testing as part of corrective action plans.

The Premera Blue Cross settlement ($6.85 million, 2019) required the organization to conduct annual penetration testing and vulnerability scanning. The settlement agreement specified that penetration testing must be performed by qualified independent third parties.

State-Level Enforcement

State attorneys general have increasingly pursued healthcare data breach cases under state consumer protection laws. Organizations that can demonstrate regular penetration testing and prompt vulnerability remediation may be better positioned to defend against claims of negligent security practices.

GDPR Enforcement In Healthcare

European data protection authorities have issued significant fines for healthcare data breaches. The Portuguese National Data Protection Commission fined a hospital €400,000 for security failures, including inadequate access controls — issues that penetration testing would identify.

GDPR's emphasis on demonstrating compliance through documentation makes penetration testing reports valuable evidence of security due diligence.

Building An Effective Penetration Testing Program

Frequency and Scope Determination

Healthcare organizations should conduct penetration testing at least annually, with additional testing triggered by:

  • Significant infrastructure changes or system implementations
  • New internet-facing applications or services
  • Merger and acquisition activities
  • Security incidents or near-misses
  • Regulatory changes affecting security requirements

Testing scope should rotate between comprehensive assessments and targeted testing of high-risk systems, ensuring all critical systems receive regular evaluation.

Vendor Selection and Qualifications

Healthcare organizations should engage penetration testing vendors with:

  • Healthcare industry experience and HIPAA knowledge
  • Relevant certifications (OSCP, GPEN, CEH, GWAPT, PenTest+)
  • Willingness to execute business associate agreements (BAA)
  • Professional liability insurance covering security testing activities
  • Documented methodologies and quality assurance processes

Remediation and Continuous Improvement

Effective penetration testing programs include structured remediation processes:

  • Risk-based prioritization of findings
  • Assigned ownership and remediation timelines
  • Verification testing to confirm remediation effectiveness
  • Trend analysis across multiple testing cycles
  • Integration with vulnerability management and patch management programs

Conclusion: Penetration Testing As A Compliance And Security Imperative

Penetration testing represents a critical component of healthcare cybersecurity programs, serving dual purposes as both a security assessment tool and a compliance validation mechanism. For organizations subject to HIPAA, GDPR, and CCPA, regular penetration testing demonstrates security due diligence, identifies vulnerabilities before attackers exploit them, and provides evidence of reasonable security practices.

The healthcare sector's unique challenges (legacy medical devices, complex regulatory requirements, 24/7 operational demands, and highly sensitive data) require specialized penetration testing approaches that balance thorough security assessment with patient safety and privacy protection.

As cyber threats targeting healthcare organizations continue to evolve in sophistication and frequency, penetration testing must evolve from an annual compliance checkbox to a continuous security validation process integrated with broader risk management, vulnerability management, and incident response programs.

Organizations that view penetration testing as an investment in security improvement rather than a compliance burden will be better positioned to protect patient privacy, maintain regulatory compliance, and defend against the increasingly sophisticated cyber threats facing modern healthcare delivery. Additionally, organizations that embrace the cost of preparation over the cost of a breach will find their respective budgets in a much happier state.

About The Author:

Carl Carpenter operates Arrakis Consulting, a full-service cybersecurity firm that specializes in helping clients of all sizes get, and stay, regulatory compliant.