HIPAA penetration testing for telehealth: the actual requirements.

Telehealth companies are drawing increasing HIPAA enforcement attention. OCR penalty actions in 2025 hit several digital health companies for inadequate technical safeguards. Pentest evidence is the single most defensible artifact a telehealth company can produce when an OCR auditor or a downstream business associate agreement review asks how PHI is protected.

Where HIPAA actually requires pentest evidence.

The HIPAA Security Rule does not explicitly mandate penetration testing by name. What it does mandate is risk analysis under §164.308(a)(1)(ii)(A) and ongoing evaluation of security measures under §164.308(a)(8). Both requirements are most defensibly met with regular pentest evidence. Business associate agreements (BAAs) from larger covered entities (Epic, Cerner, payer organizations) now require subordinate BAs to produce annual pentest evidence as a contractual obligation.

If you are a telehealth company contracting with hospital systems, your BAA almost certainly requires pentest evidence. Read the BAA carefully.

Scoping a HIPAA pentest for a telehealth platform.

Three components matter most for telehealth-specific pentest scope: (1) The video platform itself, including WebRTC implementation, recording storage, and consent capture. (2) The patient portal (authentication, PHI display, document handling). (3) EHR integration paths (FHIR API, HL7 connections, third-party integrations like Redox or Particle).

Mobile app pentesting is often required as well for telehealth platforms with native iOS/Android apps. Mobile pentesting catches issues that web pentesting will not: insecure local storage of PHI, certificate pinning bypass, and jailbreak detection gaps.

Technical safeguards the pentest validates.

Map your pentest scope to specific HIPAA Security Rule technical safeguards. Access Control (§164.312(a)) requires unique user identification, automatic logoff, and encryption and decryption of ePHI. Audit Controls (§164.312(b)) require mechanisms to record and examine activity in systems that hold ePHI. Integrity (§164.312(c)) requires mechanisms to authenticate ePHI and confirm it has not been improperly altered or destroyed. Transmission Security (§164.312(e)) requires encryption and integrity controls for ePHI in transit.

Your pentest report should explicitly list which findings map to which technical safeguard. When OCR auditors review your evidence package, they want to see this mapping done already, not have to do it themselves.

What goes wrong in telehealth pentests.

These are the recurring findings from auditing dozens of telehealth platforms: (1) Video recordings stored in S3 buckets with overly permissive ACLs. Recording metadata leaked even when the content itself was encrypted. (2) Patient portal session timeouts set to 24 hours or more, violating the automatic logoff requirement. (3) EHR integration tokens with no rotation, often hardcoded into mobile app builds. (4) WebRTC TURN servers misconfigured, exposing patient IP addresses to other call participants. (5) Backend admin panels protected only by basic auth or shared credentials.

These are the patterns OCR auditors look for. A pentest that does not test these is incomplete.
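The following is an added example, not from this article: a small Python evidence checker that evaluates the five recurring findings above against constructed evidence and tags each one with the technical safeguard it falls under, which is the mapping the report section above says OCR auditors expect. The evidence field names, the 15-minute idle timeout, the 90-day token age, and the `iceTransportPolicy` check are assumptions (HIPAA itself sets no numeric thresholds); the ACL records follow the shape boto3's `get_bucket_acl` returns.

```python
from datetime import date

# S3 ACL group URIs that make a bucket world- or any-AWS-account-readable.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
MAX_IDLE_SECONDS = 15 * 60  # assumed automatic-logoff threshold; HIPAA gives no number
MAX_TOKEN_AGE_DAYS = 90     # assumed rotation interval for EHR integration tokens

def public_grants(grants):
    """(permission, group) pairs granted to public groups; boto3 get_bucket_acl "Grants" shape."""
    return [(g["Permission"], g["Grantee"]["URI"].rsplit("/", 1)[-1]) for g in grants
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]

def evaluate(evidence, today):
    """Map each failing check to the HIPAA technical safeguard it falls under."""
    findings = []
    for name, grants in evidence["bucket_acls"].items():
        for perm, group in public_grants(grants):
            findings.append(("§164.312(a) Access Control",
                             f"bucket {name}: {perm} granted to {group}"))
    idle = evidence["portal_idle_timeout_seconds"]
    if idle > MAX_IDLE_SECONDS:
        findings.append(("§164.312(a) Access Control (automatic logoff)",
                         f"portal idle timeout is {idle // 3600}h"))
    for tok in evidence["integration_tokens"]:
        age = (today - date.fromisoformat(tok["rotated"])).days
        if age > MAX_TOKEN_AGE_DAYS or tok["hardcoded"]:
            findings.append(("§164.312(a) Access Control",
                             f"{tok['name']}: rotated {age}d ago, hardcoded={tok['hardcoded']}"))
    if evidence["webrtc_ice_transport_policy"] != "relay":
        findings.append(("§164.312(e) Transmission Security",
                         "peers receive host ICE candidates (patient IPs); force TURN relay"))
    if evidence["admin_panel_auth"] in ("basic", "shared"):
        findings.append(("§164.312(a) Access Control (unique user identification)",
                         f"admin panel uses {evidence['admin_panel_auth']} auth"))
    return findings

# Constructed evidence that reproduces the five patterns listed above.
SAMPLE = {
    "bucket_acls": {"visit-recordings": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "portal_idle_timeout_seconds": 24 * 3600,
    "integration_tokens": [{"name": "fhir-client", "rotated": "2024-01-15", "hardcoded": True}],
    "webrtc_ice_transport_policy": "all",
    "admin_panel_auth": "basic",
}

def sample_report():
    return evaluate(SAMPLE, date(2025, 6, 1))
```

Each tuple in the returned list is one row of the finding-to-safeguard table; on the constructed evidence all five checks fail.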

Pentest cost and timing for telehealth.

Telehealth pentest engagements run $15K-$35K depending on platform complexity. Native mobile apps add $3K-$8K. EHR integration testing adds another $3K-$5K. Plan 6-8 weeks from kickoff to final report.

If your BAA renewal date is approaching, kick off the pentest at least 90 days prior so remediation can happen before the BAA review.