Clinical Security Testing.
Zero Patient Impact.
Production-safe penetration testing across the complete healthcare IT stack (EHR systems, clinical messaging, FHIR APIs, medical imaging, IoMT devices, and endpoint networks), with built-in HIPAA, ADHICS, and NCA regulatory mapping.
Four Constraints No Other Industry Faces Simultaneously.
Life-Safety Systems
Systems controlling patient care cannot be taken offline or destabilized. Every test runs in observation mode first, and active interaction requires explicit per-target approval from clinical operations.
PHI at Every Layer
Protected Health Information touches every system, from EHR databases to DICOM image headers to HL7 message payloads. Tooling is configured to detect, flag, and never retain PHI in test artifacts or logs.
Legacy Without Patches
Devices and interfaces running decade-old firmware cannot be updated due to FDA clearance constraints or vendor lock-in. Testing quantifies exposure and isolates risk without triggering exploits that could affect device behavior.
Regulatory Complexity
HIPAA, HITECH, ADHICS, NCA, FDA device cybersecurity guidance, and GDPR Article 9 apply simultaneously, often to different systems within the same facility. Findings are mapped to the specific control that applies to each target.
Six Clinical Layers. Tested in Sequence.
Each layer below lists what gets tested, how, and which regulations require it.
EHR / EMR Systems
Epic · Cerner · Oracle Health
- Authentication bypass and session token forgeability across patient record boundaries
- Privilege escalation: clinician-to-admin, read-to-write, and cross-department record access
- Audit log integrity: whether log entries can be suppressed, modified, or back-dated
- HL7 v2 feed manipulation from within a connected interface engine
- Legacy interface security: VPN-less HL7 tunnels, unencrypted ADT listeners
- Role-based access control validation against defined clinical roles
Broken Access Control: Cross-Patient Record Read
Unauthenticated parameter substitution returns full patient records for any numeric patient ID, bypassing all role checks. No audit entry generated on read.
HL7 v2.x & Integration Engines
Mirth Connect · Rhapsody · Cloverleaf · InterSystems HealthShare
- ADT message injection: forged admit/discharge/transfer events into live feeds
- ORM order manipulation: unsolicited lab or medication orders inserted mid-channel
- MDM document spoofing: substituting clinical document references in transit
- MLLP plaintext transport validation: interface listeners on unencrypted TCP sockets
- Interface engine authentication and admin console access control
- Message replay attacks: replaying signed ADT messages from captured traffic
Unauthenticated MLLP Listener: Unrestricted Message Injection
Any host on the internal network can inject syntactically valid HL7 v2 ADT messages. Orders and discharge events were accepted and propagated to downstream EHR without rejection or alerting.
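As an added illustration (not the vendor's tooling, and not any interface engine's own code), the acceptance logic whose absence produces the finding above: an MLLP receiver that unwraps the frame, reads the MSH sender fields, rejects anything from a host or sending application/facility pair that is not enrolled, and writes an audit record for every decision before returning an AA or AR acknowledgement. The allowlist, hosts, and the sample ADT^A01 message are constructed values.

```python
from datetime import datetime, timezone

SB, EB, CR = b"\x0b", b"\x1c", b"\r"  # MLLP framing: <SB> message <EB><CR>

# Constructed allowlist (hypothetical values): the sending application/facility
# pairs and source hosts this listener is enrolled to accept messages from.
ALLOWED_SENDERS = {("ADT1", "MAINHOSP"), ("LAB1", "MAINHOSP")}
ALLOWED_HOSTS = {"10.10.1.5", "10.10.1.6"}

def unwrap_mllp(frame: bytes) -> str:
    """Strip MLLP framing, raising on a malformed frame."""
    if not (frame.startswith(SB) and frame.endswith(EB + CR)):
        raise ValueError("malformed MLLP frame")
    return frame[1:-2].decode("ascii")

def parse_msh(message: str) -> dict:
    """Pull the MSH fields an acceptance decision and an ACK need."""
    msh = message.split("\r")[0]
    if not msh.startswith("MSH|"):
        raise ValueError("first segment is not MSH")
    f = msh.split("|")  # f[2]=MSH-3 sending app, f[3]=MSH-4 facility, f[8]=MSH-9 type, f[9]=MSH-10 id
    return {"app": f[2], "facility": f[3], "type": f[8], "control_id": f[9]}

def build_ack(msh: dict, code: str, text: str) -> str:
    """Return an HL7 ACK; MSA-1 is AA (accepted) or AR (rejected)."""
    ts = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    return (f"MSH|^~\\&|ENGINE|MAINHOSP|{msh['app']}|{msh['facility']}|{ts}||ACK|"
            f"{msh['control_id']}|P|2.5\rMSA|{code}|{msh['control_id']}|{text}\r")

def handle_frame(frame: bytes, src_host: str, audit: list) -> str:
    """Accept only enrolled host and sender pairs; log every decision; return the ACK text."""
    try:
        msh = parse_msh(unwrap_mllp(frame))
    except (ValueError, IndexError) as exc:
        audit.append(f"REJECT host={src_host} reason={exc}")
        return build_ack({"app": "", "facility": "", "control_id": ""}, "AR", str(exc))
    reason = None
    if src_host not in ALLOWED_HOSTS:
        reason = f"host {src_host} not enrolled"
    elif (msh["app"], msh["facility"]) not in ALLOWED_SENDERS:
        reason = f"sender {msh['app']}/{msh['facility']} not enrolled"
    if reason:
        audit.append(f"REJECT host={src_host} msg={msh['control_id']} reason={reason}")
        return build_ack(msh, "AR", reason)
    audit.append(f"ACCEPT host={src_host} type={msh['type']} msg={msh['control_id']}")
    return build_ack(msh, "AA", "accepted")

# Constructed ADT^A01 frame with test-only patient data, as it would arrive on the wire.
SAMPLE_ADT = (SB + b"MSH|^~\\&|ADT1|MAINHOSP|ENGINE|MAINHOSP|20240101120000||ADT^A01|MSG0001|P|2.5\r"
              b"PID|1||TEST0001^^^MRN||DOE^TEST||19700101|U\r" + EB + CR)
```

The rejecting path is what turns an injection attempt into an alertable audit event instead of a silently propagated order.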
FHIR R4 & SMART-on-FHIR
Bulk data endpoints · Patient-facing apps · Third-party app ecosystem
- OAuth scope over-permission: requesting broader scopes than app function requires
- Patient/$everything abuse: returning the full record set without per-resource authorization
- Bulk data export authorization: whether Group/$export enforces membership controls
- FHIR search parameter injection: chained parameters and reverse chaining across resource types
- Resource-level access control and patient compartment enforcement
- 21st Century Cures Act information-blocking compliance validation
SMART Scope Grants Access to All Patient Records
A patient-scoped OAuth token accepted a patient/*.read scope at authorization. The $everything operation returned records for all registered patients rather than the authenticated individual.
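As an added example (not the vendor's tooling, and not any FHIR server's or authorization server's own code), the two checks whose absence produces the $everything finding above and, in the EHR layer, the cross-patient record read: the authorization server grants only scopes the app registration covers and binds every patient/ scope to a launch patient, and the resource server refuses patient-scoped reads outside that compartment while leaving user/ and system/ scopes un-bound. Scope strings, patient ids, and the app registration are constructed values.

```python
import re
from typing import Optional

# SMART on FHIR scope grammar: <context>/<Resource|*>.<access>, where access is the
# v1 form (read, write, *) or the v2 form (a subset of "cruds", e.g. "rs").
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*|[cruds]{1,5})$")

def parse_scopes(scope_string: str) -> set:
    """Return {(context, resource, access)} for each well-formed scope; others are ignored."""
    return {m.groups() for s in scope_string.split() if (m := SCOPE_RE.match(s))}

def _is_read(access: str) -> bool:
    return access in ("read", "*") or (set(access) <= set("cruds") and "r" in access)

def _has_read(scopes: set, context: str, resource: str) -> bool:
    return any(c == context and r in (resource, "*") and _is_read(a) for c, r, a in scopes)

def issue_token(requested: str, registered: str, launch_patient: Optional[str]) -> dict:
    """Authorization-server side: grant only requested scopes that the app's
    registration covers, and refuse patient/ scopes outside a patient launch."""
    reg = parse_scopes(registered)
    granted = {(c, r, a) for c, r, a in parse_scopes(requested)
               if any(c == rc and rr in (r, "*") and ra in (a, "*") for rc, rr, ra in reg)}
    if any(c == "patient" for c, _, _ in granted) and not launch_patient:
        raise ValueError("patient/ scope requested outside a patient launch context")
    token = {"scope": " ".join(f"{c}/{r}.{a}" for c, r, a in sorted(granted))}
    if launch_patient:
        token["patient"] = launch_patient  # the compartment every patient/ scope is bound to
    return token

def authorize_read(token: dict, resource: str, compartment_patient: Optional[str]) -> bool:
    """Resource-server side: may this token read `resource`?
    compartment_patient is the patient the target record belongs to (the {id} in
    Patient/{id}/$everything, or an Observation's subject); None means the request
    is not bounded to one compartment, as with Group/$export."""
    scopes = parse_scopes(token.get("scope", ""))
    # patient/ scopes never reach beyond the token's own patient context
    if (_has_read(scopes, "patient", resource) and compartment_patient is not None
            and compartment_patient == token.get("patient")):
        return True
    # user/ and system/ scopes are not compartment-bound but must still have been granted
    return _has_read(scopes, "user", resource) or _has_read(scopes, "system", resource)
```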
DICOM & PACS Systems
Radiology PACS · DICOM modality worklist · Web-based PACS portals
- Unauthenticated DIMSE operations: C-STORE, C-FIND, and C-MOVE without AE title validation
- Patient study retrieval without authentication from internal network segments
- DICOM tag injection: patient ID and study UID spoofing via crafted C-STORE messages
- PACS web portal authentication: session management, password policy, account enumeration
- TLS validation for DIMSE-TLS and DICOMweb (WADO-RS, STOW-RS, QIDO-RS) endpoints
- Imaging system network exposure from clinical VLANs and guest networks
Unauthenticated DICOM C-MOVE: Arbitrary Study Export
C-MOVE requests accepted from an unenrolled AE title and routed full imaging studies to a tester-controlled DICOM SCU. No audit event logged. 14,000+ study UIDs enumerable via C-FIND without credentials.
IoMT & Medical Devices
Infusion pumps · Ventilators · Patient monitors · Imaging equipment
- Clinical VLAN isolation validation: device-to-device and device-to-server reachability mapping
- Device reachability from patient-facing WiFi and visitor networks
- Default credential exposure on device management interfaces (web, SNMP, SSH, Telnet)
- Unencrypted protocol identification: Telnet, FTP, HTTP management, SNMP v1/v2c
- Remote management attack surface: vendor support backdoors and undocumented services
- Firmware version disclosure and CVE correlation against device inventory
Medical Device Reachable from Patient WiFi VLAN
Patient WiFi VLAN routes directly to the clinical device management subnet. Infusion pump web interface reachable over port 80 with default credentials intact. No firewall rule blocks lateral movement from patient devices.
Clinical Workstations & Networks
Windows clinical workstations · Kiosk terminals · Clinical VPN · RDP/remote access
- Shared account abuse: scope of access and audit attribution for shared “nurse station” credentials
- Auto-login and kiosk bypass: reaching administrative functions from locked-down terminals
- USB and removable media policy enforcement on clinical workstations
- Session timeout enforcement: unattended workstation re-authentication requirements
- RDP and remote access exposure: NLA enforcement, credential spraying surface, exposed gateways
- Workstation-to-workstation lateral movement within clinical subnets
Shared Clinical Account: No Session Timeout Enforced
Shared domain account used across 23 workstations with no session timeout configured. Active EHR sessions persist indefinitely after clinician departure. Audit log attributes all actions to a single non-attributable account identity.
Every Finding Tagged to Your Regulatory Obligation.
Healthcare operates under layered regulation. Findings from each clinical layer are automatically mapped to the specific section that applies, not just the regulation name.
HIPAA Security Rule (§164.312)
§164.312 mandates technical safeguards covering access control, audit controls, integrity controls, and transmission security. Each sub-section maps directly to a testable control: unique user identification (a)(2)(i), automatic logoff (a)(2)(iii), encryption and decryption (a)(2)(iv), and audit log generation (b).
HITECH Act
Expanded PHI protection obligations beyond covered entities to business associates and their subcontractors. Introduced tiered breach notification requirements and substantially increased civil monetary penalties (up to $1.9M per violation category per year), making unauthorized-access findings more commercially significant.
FDA Medical Device Cybersecurity Guidance
Pre-market guidance requires manufacturers to submit a Software Bill of Materials (SBOM) and a cybersecurity management plan. Post-market guidance requires coordinated vulnerability disclosure processes and documented patch management. Network-connected devices cleared after October 2023 must comply with the Consolidated Appropriations Act cybersecurity provisions.
ADHICS
The Abu Dhabi Healthcare Information and Cyber Security Standard is mandatory for all entities licensed by the Department of Health Abu Dhabi. Version 2.0 maps to 18 domains covering access management, network security, application security, and incident response, each with numbered controls referenced directly in findings reports.
NCA Critical Systems Cybersecurity Controls
The National Cybersecurity Authority’s Critical Systems Cybersecurity Controls apply to healthcare entities designated as critical national infrastructure. Controls span governance, risk, asset management, physical security, and technical controls for both IT and OT/IoMT environments within Saudi-based healthcare facilities.
GDPR Article 9
Health data is a special category under GDPR, subject to stricter processing conditions than standard personal data. Article 9(2)(h) permits processing for medical purposes under professional secrecy obligations. Breach notification timelines (72 hours to the supervisory authority) and the requirement for a Data Protection Impact Assessment apply to healthcare IT systems handling EU patient data.
Production-Safe by Protocol, Not Just Policy.
Read-Only Test Mode First
Every engagement begins with passive observation and non-destructive enumeration: port mapping, banner collection, protocol identification, and traffic analysis. Active testing, including any attempt to authenticate, inject, or interact with a system, requires explicit scope approval for each individual target system before it begins.
PHI-Aware Tooling
Test tooling is configured with PHI pattern detection covering common identifiers: patient name formats, date-of-birth strings, SSN patterns, MRN formats, and diagnosis code fields. Any captured traffic or response body matching PHI patterns is flagged and anonymized before being written to test artifacts. PHI is never retained in reports, logs, or exported findings.
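As an added example (not the vendor's tooling), a scrubber of the kind this paragraph describes: every response body or captured message passes through it before anything is written to a test artifact. Matches are replaced with a keyed pseudonym rather than a blank, so the same patient surfaces as the same tag across findings without the value itself ever being retained; only per-category hit counts are returned for the report. The patterns, the key, and the sample capture are constructed values.

```python
import hmac
import re
from typing import Dict, Tuple

# Constructed patterns (hypothetical, deliberately broad) for the PHI categories the
# tooling flags; a real deployment tunes these to the site's identifier formats.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "DOB": re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
    "MRN": re.compile(r"\bMRN[:#]?\s?\d{6,10}\b"),
    "ICD10": re.compile(r"\b[A-TV-Z]\d{2}\.\d{1,4}\b"),  # dotted codes only, to limit false hits
    "HL7_NAME": re.compile(r"\b[A-Z]{2,}\^[A-Z]{2,}(?:\^[A-Z]*)?\b"),  # FAMILY^GIVEN^MIDDLE
}

def pseudonym(category: str, value: str, key: bytes) -> str:
    """Keyed, deterministic placeholder: the same value yields the same tag across
    artifacts (so findings can still be correlated) but is not recoverable without
    the per-engagement key."""
    digest = hmac.new(key, f"{category}:{value}".encode(), "sha256").hexdigest()[:10]
    return f"[{category}:{digest}]"

def scrub(text: str, key: bytes) -> Tuple[str, Dict[str, int]]:
    """Replace every PHI match with its pseudonym before the text reaches an artifact;
    return the clean text plus per-category hit counts, never the matched values."""
    hits: Dict[str, int] = {}
    for category, pattern in PHI_PATTERNS.items():
        def repl(match, c=category):
            hits[c] = hits.get(c, 0) + 1
            return pseudonym(c, match.group(0), key)
        text = pattern.sub(repl, text)
    return text, hits

# Constructed capture (test-only values, no real patient): an HL7 PID/DG1 fragment
# and a JSON-style response body as a tester's intercepting proxy would see them.
SAMPLE_CAPTURE = ("PID|1||MRN 00123456||DOE^JANE^A||1984-03-22|F\r"
                  "DG1|1||E11.9^Type 2 diabetes\r"
                  '{"ssn": "123-45-6789", "status": "active"}')
```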
Clinical Coordination Required
All testing windows are coordinated with clinical operations, biomedical engineering, and IT on-call staff. A defined kill-switch protocol is active for the engagement duration: a single point of contact on the clinical side can halt all active testing activity within two minutes. No testing proceeds during high-census periods or declared operational downtime without explicit written approval.