Healthcare & HealthTech

A pentest scoped around the ePHI flows your auditors care about.

Technical-safeguard testing aligned to the HIPAA Security Rule, with explicit ePHI flow review and a BAA-friendly engagement model. Reports your covered-entity partners and HITRUST or SOC 2 + HIPAA auditors accept.

Where we focus

Six surfaces healthcare engagements always touch.

ePHI flow review

Map every place ePHI moves — APIs, exports, integrations, logs, queues, third-party processors.

Access control and audit

Role-based access for clinical, billing, support, and patient roles; tamper-evident audit logs.

Authentication and identity

Patient and clinician auth, step-up auth for sensitive actions, account-recovery safety.

Patient-facing surfaces

Patient portals, mobile apps, telehealth, and any place a patient interacts with their record.

Integrations and EHR boundaries

FHIR APIs, HL7 interfaces, SMART on FHIR scopes, vendor-to-vendor exchanges.

Operational endpoints

Backoffice tooling, billing workflows, support-agent access, and the audit trails behind them.
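The "tamper-evident audit logs" called out under Access control and audit, and the audit trails behind the operational endpoints above, are usually tested by exporting the log and trying to edit, delete or drop entries without the verifier noticing. The following is an added example, not code from this page or from any client system: a hash-chained audit log where each entry carries an HMAC over the previous entry's hash and its own content, plus the three tampering checks a tester would script against it. The sample events, the HMAC key and the idea of an externally stored "head" anchor are constructed for the example.

```python
import hashlib
import hmac
import json
from copy import deepcopy
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # hash the first entry chains to

# Constructed sample events: three actors touching records on one morning (not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:14:02Z", "actor": "dr.lee", "role": "clinician", "action": "read", "resource": "Patient/1001"},
    {"ts": "2024-05-01T09:15:40Z", "actor": "support-17", "role": "support", "action": "read", "resource": "Patient/1001"},
    {"ts": "2024-05-01T09:20:11Z", "actor": "billing-4", "role": "billing", "action": "export", "resource": "Claim/5500"},
]


def canonical(event: dict) -> bytes:
    # Stable serialisation so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def chain_hash(prev_hash: str, event: dict, key: bytes) -> str:
    # HMAC over (previous hash || event): each entry commits to everything before it.
    # Assumption: the key is held by the audit sink, not by the application that writes events.
    return hmac.new(key, prev_hash.encode() + canonical(event), hashlib.sha256).hexdigest()


def append_entry(log: List[dict], event: dict, key: bytes) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "prev": prev, "event": event, "hash": chain_hash(prev, event, key)}
    log.append(entry)
    return entry


def build_log(events: List[dict], key: bytes) -> List[dict]:
    log: List[dict] = []
    for e in events:
        append_entry(log, deepcopy(e), key)
    return log


def verify_log(log: List[dict], key: bytes, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain. Returns (ok, index of the first bad entry or None).

    expected_head is the latest hash as recorded somewhere the log writer cannot
    reach (for example a daily anchor kept by a separate team). Without it,
    silently dropping the newest entries leaves a chain that still verifies."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i  # reordered or removed entry
        expected = chain_hash(prev, entry["event"], key)
        if not hmac.compare_digest(expected, entry.get("hash", "")):
            return False, i  # edited entry or forged hash
        prev = entry["hash"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)  # tail truncated
    return True, None


def tamper_demo(key: bytes) -> Dict[str, Tuple[bool, Optional[int]]]:
    """The checks a tester would run against an exported log: edit, delete, truncate."""
    log = build_log(SAMPLE_EVENTS, key)
    head = log[-1]["hash"]

    edited = deepcopy(log)
    edited[1]["event"]["actor"] = "dr.lee"  # support-agent access rewritten to look like the clinician

    deleted = deepcopy(log)
    del deleted[1]  # middle entry removed

    truncated = log[:2]  # newest entry dropped

    return {
        "intact": verify_log(log, key, head),
        "edited": verify_log(edited, key, head),
        "deleted": verify_log(deleted, key, head),
        "truncated_no_anchor": verify_log(truncated, key),
        "truncated_with_anchor": verify_log(truncated, key, head),
    }
```

The point of the last two cases: a chain alone proves nothing about what was removed from the end. A finding of "audit log is hash-chained" is only a pass if the head is also anchored somewhere the writer cannot rewrite it, and if the HMAC key is not available to the same service that writes the entries.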

How we typically scope healthcare

A common bundle: the web app and its API, tested authenticated from each role (patient, clinician, support, billing), with findings framed against the HIPAA technical safeguards.

FAQ

Healthcare — common questions

Do you cover HIPAA technical safeguards explicitly?

Yes. Findings are mapped to the five HIPAA Security Rule technical safeguard standards (45 CFR §164.312: access control, audit controls, integrity, person or entity authentication, transmission security). Reports use the language compliance teams expect and can be cited directly in documentation prepared for an OCR (HHS Office for Civil Rights) review.

How do you handle test data and ePHI?

We default to non-production environments with synthetic patient data in place of real ePHI. If we must test in production, we agree explicit safe-testing rules in advance (which accounts, which records, which actions), encrypt evidence at rest and in transit, and follow defined retention windows for anything we capture. A signed BAA is in place before any sensitive material is exchanged.

Can you cover FHIR and HL7 integration testing?

Yes. FHIR APIs, SMART on FHIR scopes, and HL7 interfaces are common surfaces in our healthcare engagements. We test scope and consent boundaries, partner-token isolation (one integration partner's token cannot reach another partner's or another patient's data), and integration-level access control.
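What "scope and consent boundaries" and "partner-token isolation" mean in practice is that a SMART on FHIR token's scope string is not enough on its own: a `patient/` scope is bound to the launch-context patient in the token response, and a `user/` scope is bounded by what the authenticated user may see. The following is an added example, not code from this page or from any FHIR server: a small authorizer that parses SMART v1 (`patient/Observation.read`) and v2 (`patient/Observation.rs`) scopes and decides one request against the resource's patient compartment. The `Token` shape, its `user_patients` field (assumed to be resolved by the EHR's own access control), and the interaction names are assumptions for the example; v2 granular filters (`.rs?category=...`) are deliberately unsupported and fail closed.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# SMART v1 scopes: patient/Observation.read, user/*.write, patient/*.*
# SMART v2 scopes: patient/Observation.rs with permissions drawn from c,r,u,d,s.
# Anything else (including v2 query filters) does not match and grants nothing.
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*|[cruds]{1,5})$")

V1_TO_V2 = {"read": "rs", "write": "cud", "*": "cruds"}
# FHIR interaction -> v2 permission letter. Search is distinct from read in v2.
INTERACTION_PERM = {"read": "r", "search": "s", "create": "c", "update": "u", "delete": "d"}


@dataclass(frozen=True)
class Token:
    client_id: str                                  # the partner app this token was issued to
    scopes: Tuple[str, ...]
    patient: Optional[str] = None                   # launch-context patient from the token response
    user_patients: FrozenSet[str] = frozenset()     # assumption: patients this user may see, per the EHR


def parse_scope(scope: str) -> Optional[Tuple[str, str, FrozenSet[str]]]:
    """Return (context, resource type or '*', v2 permission set), or None if unsupported."""
    m = SCOPE_RE.match(scope)
    if not m:
        return None
    ctx, resource, perms = m.groups()
    perms = V1_TO_V2.get(perms, perms)  # normalise v1 verbs to v2 letters
    return ctx, resource, frozenset(perms)


def authorize(token: Token, interaction: str, resource_type: str, resource_patient: Optional[str]) -> bool:
    """Decide one FHIR request.

    resource_patient is the patient compartment the target resource belongs to,
    or None for resources outside any compartment (e.g. Practitioner)."""
    need = INTERACTION_PERM[interaction]
    for raw in token.scopes:
        parsed = parse_scope(raw)
        if parsed is None:
            continue  # unknown or unsupported scope grants nothing (fail closed)
        ctx, resource, perms = parsed
        if resource not in ("*", resource_type) or need not in perms:
            continue
        if ctx == "patient":
            # patient/ scopes are bound to the launch patient: the scope string alone is not enough,
            # and resources outside that patient's compartment (resource_patient None) are denied too.
            if token.patient is None or resource_patient != token.patient:
                continue
        elif ctx == "user":
            # user/ scopes are bounded by the user's own access rights, not by a launch patient.
            if resource_patient is not None and resource_patient not in token.user_patients:
                continue
        # system/ scopes (backend services) are not patient-bound here; assumption: constrained elsewhere.
        return True
    return False


def isolation_checks() -> dict:
    """The requests a tester would send with each partner's token (constructed tokens)."""
    partner_a = Token("partner-a", ("patient/Observation.read", "patient/Patient.read"), patient="1001")
    partner_b = Token("partner-b", ("patient/Observation.r",), patient="1001")
    clinician = Token("ehr-ui", ("user/*.read",), user_patients=frozenset({"1001", "1003"}))
    broken = Token("partner-c", ("patient/Observation.rs?category=vital-signs", "patient/Observation"), patient="1001")
    return {
        "a_reads_own_patient": authorize(partner_a, "read", "Observation", "1001"),
        "a_reads_other_patient": authorize(partner_a, "read", "Observation", "1002"),
        "a_writes_own_patient": authorize(partner_a, "create", "Observation", "1001"),
        "a_searches_own_patient": authorize(partner_a, "search", "Observation", "1001"),
        "a_reads_practitioner": authorize(partner_a, "read", "Practitioner", None),
        "b_v2_read": authorize(partner_b, "read", "Observation", "1001"),
        "b_v2_search_not_granted": authorize(partner_b, "search", "Observation", "1001"),
        "clinician_allowed_patient": authorize(clinician, "read", "Patient", "1003"),
        "clinician_other_patient": authorize(clinician, "read", "Patient", "1002"),
        "clinician_practitioner": authorize(clinician, "read", "Practitioner", None),
        "unsupported_scopes_deny": authorize(broken, "read", "Observation", "1001"),
    }
```

The cases worth reproducing in a live test are `a_reads_other_patient` (a valid `patient/` scope presented against a different patient's resource) and `b_v2_search_not_granted` (a server that treats v2 `.r` as if it were v1 `.read` silently grants search). Both are scope-string-valid requests that a correct server must still refuse.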

Will the report support our HITRUST or SOC 2 + HIPAA work?

Yes. Reports map cleanly to HITRUST CSF and to SOC 2 with HIPAA-aligned criteria. Cross-walks are documented in the report rather than asked of your team after the fact.

Will partner covered entities accept the report?

Yes. Covered-entity partners consistently accept our reports as part of vendor risk reviews. The HIPAA-mapping section and explicit scope statement are typically what they look for.

Want a credible answer to: are we secure?

A 30-minute review with our lead pentester. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fair scope and timeline.