
Auditor Tips: Penetration Testing Best Practices

*This article was taken from our HIPAA Guide. For more information on this topic, download our free HIPAA Guide. 


“Perform a penetration test at least annually and after major network changes.”

Many organizations don’t fully understand what a penetration test is, how it differs from vulnerability scanning, and what benefits it offers.

A penetration test will give you a holistic view of what your security system truly looks like. Organizations with poor security practices across their environment leave themselves vulnerable. If an organization has an immature network with unpatched systems, it’s likely that the desktop systems are in a similar state.

Network penetration tests, in particular, are a necessary part of a healthy security culture. Don’t forget about performing other types of penetration tests, such as segmentation checks, application penetration tests, and wireless penetration tests.

It helps to think of your penetration tests and vulnerability scans as a way to cover as much of your environment as possible. Diversify your tests and scans for a more robust security posture. Repeating tests is okay, but trying a new type of test will potentially expose even more vulnerabilities.

Some people mistakenly think that vulnerability scanning is the same thing as a professional penetration test.

Vulnerability Scanning is not Penetration Testing.

Here are the two biggest differences:

A vulnerability scan is automated, while a penetration test includes a qualified individual who digs into the complexities of your network and actively tries to exploit its vulnerabilities.

A vulnerability scan typically only identifies vulnerabilities at a high level, while a penetration tester digs deeper to identify the root cause of the vulnerability that allows access to secure systems and stored patient data.

Vulnerability scans offer great weekly, monthly, or quarterly high-level insight into your network security, while penetration tests are a more thorough way to deeply examine network security.

By: Chad Horton
Pen Test Manager
