Do entities need to run internal and external vulnerability scanning to be HIPAA compliant? Do entities have to run penetration tests to ensure compliance? Reading §164.312(e)(2)(i), it seems that 'security measures' could include these tests, but it does not specify a requirement for them.
Additionally, a risk analysis could identify that these services would help to reduce the risk, threats and vulnerabilities for in-scope systems, but I cannot find anywhere that these tests are mandatory.