VikingCloud News & Resources
Check out the latest news and resources from VikingCloud.
Proposed HIPAA updates are set to mandate vulnerability scanning every six months, annual penetration testing, and stronger technical safeguards across the board for every covered entity and business associate. VikingCloud delivers the advisory, assessment, and security services you'll need.
Every engagement is led by credentialed professionals including CIPP/E, CDPSE, QSA, ISO 27001 Lead Auditor/Implementer, OSCP, CEH, and CISSP, all with deep experience serving covered entities, business associates, and the organizations that support them.
Vulnerability scanning and penetration testing aligned to the proposed HIPAA Security Rule, with the documentation your compliance program needs to prove it.
Engagements in more than 70 countries and multilingual advisors who navigate complex, multi-jurisdiction compliance environments.
The Asgard Platform® synthesizes over 6 billion cybersecurity and compliance events daily, giving our teams real-time visibility into threats to healthcare environments.
Clear findings, prioritized recommendations, and hands-on remediation support that turns assessment into action.
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that sets national standards for protecting electronic protected health information (ePHI), with specific obligations for covered entities and their business associates across privacy, security, breach notification, and enforcement.
For cybersecurity and compliance teams, the most directly relevant component is the HIPAA Security Rule that mandates specific safeguards for ePHI.
The HIPAA Security Rule covers three categories of required safeguards:
Administrative safeguards: risk analysis and management, workforce training, incident response procedures, and contingency planning.
Physical safeguards: controls over physical access to systems and facilities where ePHI is stored or processed.
Technical safeguards: access controls, audit controls, integrity controls, and transmission security for ePHI.
The Security Rule hasn't been meaningfully updated since 2013. The U.S. Department of Health and Human Services (HHS) has now proposed the most consequential overhaul of its requirements in over a decade.
We deliver a complete HIPAA compliance program, from advisory to technical security.
The HIPAA Security Rule applies to “Covered Entities” and “Business Associates” who handle ePHI. Proposed updates eliminate the flexibility organizations relied on to defer safeguards; if you handle ePHI, the new requirements apply.
Organizations that directly handle electronic protected health information (ePHI), including:
Health plans and health insurers
Healthcare providers who transmit health information electronically
Healthcare clearinghouses
In 2024, the healthcare sector experienced its most damaging year on record for cyberattacks.
1,000s of providers experienced disrupted billing and payments with the Change Healthcare breach.
~8 in 10 Americans impacted.
In 2025, the HHS Office for Civil Rights (OCR) proposed the most comprehensive overhaul of the HIPAA Security Rule in over a decade, outlined in its Notice of Proposed Rulemaking (NPRM). The rule is targeted for finalization in May 2026. From that point, the clock starts: organizations will have 240 days to comply and to close gaps most don’t yet know they have.
Key proposed requirements include:
Vulnerability scanning every six months and annual penetration testing by qualified personnel.
Mandatory network segmentation, Multi-Factor Authentication (MFA), encryption for ePHI at rest and in transit, and a written technology asset inventory updated annually.
Patch management with defined timelines, annual compliance audits, 72-hour system restoration following an incident, and business associate verification of required safeguards.
All requirements cited are proposed and subject to change prior to finalization. Read this HHS Notice of Proposed Rulemaking Fact Sheet
Healthcare organizations don’t need another vendor who can recite the regulation. They need a partner who has been doing this work across advisory, assessment, and technical security services, and who can help them cut through the complexity to focus on what actually matters.
Most organizations stitch together advisory firms, security testing vendors, and compliance platforms to address HIPAA requirements. VikingCloud brings all of it under one roof, including risk assessment, vulnerability scanning, penetration testing, gap analysis, and ongoing compliance, all managed through the Asgard Platform.
HIPAA runs on documentation. Our reports and assessment outputs are structured as the written evidence HIPAA requires, ready for your compliance team, auditors, and business partners.
Advisors and security professionals in more than 70 countries, providing the right expertise, wherever you operate.
An advisory team with HIPAA Security Rule expertise.
Privacy data mapping to understand how ePHI flows through your organization.
Risk assessment to determine suitable safeguards for the data you hold.
Vulnerability scanning on a regular cadence with compliance-ready documentation.
Penetration testing annually by certified ethical hackers, with findings built for compliance reporting.
Gap assessment benchmarked against current and proposed HIPAA requirements.
Remediation guidance and ongoing advisory support.
All workstreams managed through the Asgard Platform.
VikingCloud’s Asgard Platform brings your HIPAA compliance program into a single, secure hub, making it easier to manage workstreams, track progress, and demonstrate compliance.
Get more details on VikingCloud’s suite of cybersecurity and compliance services.
Here are some common questions about HIPAA compliance, the Security Rule, and VikingCloud’s services. For additional cybersecurity and compliance terminology, visit our Cybersecurity Glossary.
HIPAA is a U.S. federal law enacted in 1996 to protect the privacy and security of individuals’ health information. It establishes national standards for how ePHI may be used, disclosed, and protected by healthcare organizations and their partners.
U.S. Department of Health and Human Services (HHS) Summary of the HIPAA Rules
The HIPAA Security Rule establishes national standards for protecting ePHI. It requires covered entities and their business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
The Security Rule was last significantly updated in 2013. The HHS has now proposed the most consequential overhaul in over a decade, with proposed changes that would make vulnerability scanning and penetration testing explicit, mandatory requirements.
U.S. Department of Health and Human Services (HHS) Security Rule Guidance
On January 6, 2025, the HHS OCR published a Notice of Proposed Rulemaking proposing the most significant changes to the Security Rule since 2013.
The rule is targeted for finalization in May 2026, with a 240-day compliance window.
Under the current HIPAA Security Rule, vulnerability scanning falls under addressable implementation specifications, meaning organizations have flexibility in whether and how they implement it.
However, the proposed 2025 Security Rule updates would change this significantly by requiring vulnerability scanning at least every six months as a mandatory requirement for all covered entities and business associates, regardless of size. Organizations that begin establishing consistent scanning programs now will be better positioned when the final rule takes effect.
Under the current rule, many organizations treat penetration testing as optional. However, the proposed HIPAA Security Rule updates would make annual penetration testing an explicit, mandatory requirement for all covered entities and business associates, to be conducted by qualified personnel with knowledge of generally accepted cybersecurity principles.
A HIPAA risk assessment is a required evaluation of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The proposed Security Rule updates add more specific requirements, including a written analysis tied to a technology asset inventory, documentation of identified threats and vulnerabilities, and assessment of the risk level for each. VikingCloud’s risk assessment services are structured around these requirements.
A HIPAA gap assessment evaluates how well an organization’s current security safeguards and practices align with HIPAA Security Rule requirements, both existing and proposed. It identifies specific areas of non-compliance or weakness and produces a prioritized action plan for remediation. VikingCloud conducts gap assessments benchmarked against both current Security Rule standards and proposed updates.
HIPAA violations carry civil monetary penalties ranging from $137 to $68,928 per violation (current OCR penalty tiers, adjusted annually for inflation), with an annual cap of $2.067 million per violation category. Willful neglect that is not corrected carries the highest per-violation penalties. In addition to civil penalties, knowing violations of HIPAA can result in criminal charges. A significant data breach can also trigger HHS investigation, mandatory corrective action plans, and reputational damage that far exceeds the direct regulatory cost.
HHS OCR Enforcement — Resolution Agreements and Civil Money Penalties
VikingCloud delivers HIPAA compliance services across the full spectrum of what the Security Rule requires. We provide advisory and assessment services (risk assessment, gap assessment, data privacy mapping, and ongoing advisory) through our Compliance & Risk Services group, and technical security services (vulnerability scanning and penetration testing) through our cybersecurity practice. All workstreams are managed through the Asgard Platform®, giving your team a single hub for compliance documentation, task management, and reporting.