What’s the NPRM and Why Should You Care?
On December 27, 2024 the U.S. Department of Health & Human Services (HHS) published a Notice of Proposed Rulemaking (NPRM) that would overhaul the HIPAA Security Rule for the first time in a decade. Among dozens of new obligations, the NPRM makes technical security testing explicit and time-bound:
- Penetration testing at least once every 12 months
- Vulnerability scans every six months
- Mandatory network segmentation tests
The comment period closed on March 7, 2025 (more than 4,000 comments submitted), signalling strong momentum toward a final rule later this year.
NPRM Highlights That Hit Security Teams the Hardest
| New Requirement | Why It Matters |
|---|---|
| Annual pen test | Proves you can withstand real-world attacks |
| 6-month vuln scans | Shows you’re finding & fixing issues between pen tests |
| Asset inventory + network map | Auditors want evidence that everything touching ePHI is accounted for |
| 24-hour incident notifications & 72-hour recovery target | Raises the bar for business-associate accountability |
| Written security-incident response plan & annual tabletop | No more “informal” runbooks |
| Encryption, MFA, anti-malware, port hardening | Now explicitly required, not “addressable” |
All of these controls must be reviewed or tested every 12 months – no loopholes, no “best-effort” language.
What NPRM Compliance Will Actually Look Like
If you handle electronic protected health information (ePHI) as a covered entity or business associate, you will need:
- Documented scope of every system that creates, receives, stores or transmits ePHI.
- Independent annual pen test that exercises your external perimeter, internal network, and segmentation controls.
- Attestation package you can hand to auditors – plus evidence that critical findings were retested and closed.
- Rolling vulnerability-management cycle (scan → patch → rescan) that fits the six-month clock.
Failing to meet any one of these could expose you to OCR enforcement actions once the rule is final.
How Prodigy13’s Penetration-Testing Program Maps to the NPRM
| NPRM Demand | 13Security Solution |
|---|---|
| Annual penetration testing | Fixed-price Pen-Test-as-a-Service delivered by experienced USA-based security professionals. Schedule your next test before the ink dries on the current report, so you’re never out of compliance. |
| Segmentation validation | Add-on: we include live firewall/VPC traversal tests and a formal Segmentation Letter suitable for auditors. |
| Six-month vulnerability scans | Complimentary, automated scans every day/week/month/quarter, plus optional managed scanning if you prefer white-glove service. Findings flow into the same portal that tracks your pen-test remediation. |
| Asset inventory & network map | You can use our platform to generate an exportable list of assets, including both cloud resources and domain/IP-based resources. |
| 72-hour restoration / 24-hour BA notification | Our reporting format highlights system criticality and includes a business-associate attestation letter verifying that testing was performed by an independent SME, exactly as the NPRM requires. |
| Audit-ready artefacts | Executive summary, full technical report, remediation tracker, retest certificate, and auditor Q&A call, with no surprise up-charges. |
Why Act Before the Rule Is Final
- Regulators have already signalled that “reasonable and appropriate” now means objective, third-party evidence—waiting until the rule drops could leave you scrambling for scarce testing slots during audit season.
- Early adoption demonstrates due diligence if an incident occurs while the NPRM is still in flux.
- The same annual pen test satisfies PCI, SOC 2, ISO 27001, and CMMC evidence requirements—one engagement, multiple checkboxes.
Next Steps
- Book a scoping call (15-30 minutes). We’ll map your ePHI flows and size the engagement.
- Pick your window. We hold test dates up to 6 months in advance so you’re guaranteed to hit the 12-month mark.
- Receive your compliance kit – asset inventory template, sample policies, and our Rules of Engagement – to jump-start documentation.
- Go live. Most tests finish in 10–15 business days, with real-time findings in our portal.
- Retest for free within 90 days to close critical issues and lock in your final attestation.
Ready to Get NPRM-Ready?
The NPRM makes one thing crystal clear: annual penetration testing is no longer optional for the healthcare sector. 13Security delivers the technical depth, documentation, and ongoing scanning cadence you’ll need, without crippling your budget or operations.
👉 Schedule your free NPRM readiness assessment today.
Don’t let the rule catch you off guard—own compliance, protect patient data, and sleep easier.