Is it necessary to conduct penetration testing for HIPAA compliance