Compliance
HIPAA
Health Insurance Portability and Accountability Act
What we assess
What your HIPAA test covers
We test the systems that actually touch ePHI and map every finding to the HIPAA Security Rule, giving your compliance officer evidence, not a generic scan.
Access & Authentication
Technical safeguards controlling who can reach electronic PHI and how.
We test for
- Unique user identification
- Authentication and MFA
- Access authorization and least privilege
- Automatic logoff
Transmission & Encryption
How ePHI is protected as it moves across and rests within your systems.
We test for
- Encryption in transit and at rest
- Secure transmission controls
- Integrity verification
- Key management
Audit & Integrity Controls
Whether activity on systems holding ePHI is logged and data is protected from tampering.
We test for
- Audit logging and review
- Integrity controls
- Monitoring and alerting
- Tamper detection
Systems Handling ePHI
The applications and infrastructure that store, process, or transmit ePHI.
We test for
- ePHI system inventory
- Application and infrastructure testing
- Vulnerability and patch status
- Business associate systems
How it works
How your engagement runs
From scope through the final retest, your team stays in the loop at every step,
with findings tracked live in our platform.
- 01
Scope ePHI
We identify the systems that store, process, or transmit electronic PHI.
- 02
Test safeguards
We test access, transmission, and audit controls against the Security Rule.
- 03
Mapped report
Findings mapped to the Security Rule as evidence for your compliance team.
- 04
Fix & retest
Fix the findings, then a free retest that strengthens your risk analysis.
Resources
Field notes from the offensive side
Offense in Depth in Red Team Operations
Defense in depth layers protection. Offense in depth layers attack paths so a red team still reaches its objective when one route fails. Here is how it works.
Security Between Penetration Tests
An annual pentest covers two weeks and leaves fifty uncovered. Here is how to secure the rest of the year without waiting for the next scheduled engagement.
The Limits of AI in Penetration Testing
AI is changing penetration testing, but it will not replace human testers. Here is what it does well, where it falls short, and why judgment still wins.
Want to see a real report first?
Request a redacted sample report before you scope an engagement.
01Does HIPAA require a penetration test?
The Security Rule requires a risk analysis and technical safeguards for ePHI but does not prescribe a testing method. A penetration test is a widely accepted way to evidence those safeguards and strengthen your required risk analysis.
02What systems do you test?
The systems that store, process, or transmit electronic PHI, including in-scope applications, infrastructure, and business associate environments where applicable. We confirm scope with you before testing.
03Will this support our risk analysis?
Yes. We map findings to the Security Rule's technical safeguards and provide documentation your compliance officer can use to support the required risk analysis.