nontechnical evaluations in response to environmental or operational changes under 45 CFR 164.308(a)(8). The December 2024 HIPAA Security Rule notice of proposed rulemaking (90 FR 898) would mandate vulnerability scanning at least every six months, penetration testing at least annually, and compliance audits at least once every 12 months, codifying security testing as an explicit regulatory obligation for healthcare organizations.

The Payment Card Industry Data Security Standard