Healthcare & Life Sciences

HIPAA, HITRUST & Healthcare Penetration Testing

Pentest evidence that survives an OCR investigation.

CredShields delivers HIPAA-aligned penetration testing for digital health platforms, EHR vendors, telehealth, healthtech SaaS, clinical research platforms, and life sciences manufacturers. HIPAA Security Rule, HITRUST CSF, FDA cybersecurity guidance, and state-by-state breach notification framing built into every report.

Frameworks We Map To

  • HIPAA Security Rule (164.308, 164.312)
  • HITRUST CSF (i1, r2)
  • FDA Premarket Cybersecurity (2023)
  • HIPAA Privacy Rule (incident framing)
  • State breach notification laws
  • GxP / 21 CFR Part 11 (clinical systems)

01 // WHAT MAKES HEALTHCARE DIFFERENT

PHI exposure events have a 12-month tail measured in regulatory letters, not Slack messages.

A pentest finding involving PHI is not a Slack-channel incident. It is a tracked event with a documented impact assessment, an OCR notification calculus, state-level breach notification thresholds, business-associate-agreement implications, and committee review of patient-notification language. The compliance machinery is heavier than in any other industry except possibly banking. Our reports document scope decisions, exposure assessment methodology, and remediation timelines specifically to support that machinery, not just the engineering team.

  • PHI exposure paths via FHIR, HL7, and proprietary APIs
  • Patient portal IDOR and cross-patient enumeration
  • EHR integration security (Epic, Cerner, athenahealth, MEDITECH)
  • Telehealth session security and recording protection
  • Clinical research platform isolation between studies
  • IoT medical device integration risks (FDA premarket cyber)
Common healthcare findings
CRITICAL  PHI exposure via FHIR _has parameter
  GET /Patient?_has:Encounter:patient:status=
  → cross-patient query enumeration
  // HIPAA 164.312(a)(1) violation

CRITICAL  Patient portal IDOR on /messages
  GET /api/messages/{thread_id}
  → arbitrary patient message readable
  // HIPAA Privacy Rule, state law

HIGH      ePHI in CloudWatch logs (production)
  Patient names, DOBs in error logs
  → 60+ day retention, no encryption
  // HIPAA 164.312(e)(2)(ii)

HIGH      MyChart-equivalent token reuse
  Refresh tokens valid post-logout
  → session persistence after revocation
  // HIPAA 164.312(d), HITRUST CC.04
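
The first finding above (cross-patient enumeration through a reverse-chained `_has` parameter) is an authorization gap on the FHIR server side. The guard below is an added illustration, not CredShields' code or any FHIR server's: it pins a patient-scoped SMART on FHIR search to the token's own compartment and rejects the `_has`, chained and include parameters that would widen the result set. The token shape (`{"patient": "<id>"}`) and the compartment table are assumptions.

```python
from urllib.parse import parse_qsl, urlencode

# Added example (not the page's or any FHIR server's code). Assumes a SMART on
# FHIR-style token context {"patient": "<id>"} and FHIR R4 search syntax; the
# table is a hypothetical subset of the Patient compartment definition.
COMPARTMENT_PARAM = {
    "Patient": "_id",  # a patient-scoped token may only read its own record
    "Encounter": "patient",
    "Observation": "patient",
    "DocumentReference": "patient",
}
# _include/_revinclude pull in other resources and can widen the result set.
WIDENING_PARAMS = {"_include", "_revinclude"}

class CompartmentViolation(Exception):
    """Raised when a search would escape the token's patient compartment."""

def authorize_search(token_ctx: dict, resource_type: str, query: str) -> str:
    """Return the query string pinned to the token's patient, or raise."""
    patient_id = token_ctx.get("patient")
    if not patient_id:
        raise CompartmentViolation("token carries no patient context")
    pin_param = COMPARTMENT_PARAM.get(resource_type)
    if pin_param is None:
        raise CompartmentViolation(f"{resource_type} is outside the patient compartment")
    kept = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        base = name.split(":")[0]
        # Reverse chaining (_has:...), forward chaining (subject.name) and
        # includes all evaluate against resources other than the one requested.
        if base == "_has" or "." in base or base in WIDENING_PARAMS:
            raise CompartmentViolation(f"{name} not allowed with a patient-scoped token")
        if base == pin_param:
            # A repeated compartment filter is accepted only for the caller's own
            # id and without modifiers (e.g. patient:missing) that could negate it.
            if ":" in name or value.rsplit("/", 1)[-1] != patient_id:
                raise CompartmentViolation("query references another patient")
            continue  # dropped here, re-added below in canonical form
        kept.append((name, value))
    pin_value = patient_id if pin_param == "_id" else f"Patient/{patient_id}"
    kept.append((pin_param, pin_value))
    return urlencode(kept)

def is_permitted(token_ctx: dict, resource_type: str, query: str) -> bool:
    """Boolean wrapper for policy tests and request-log review."""
    try:
        authorize_search(token_ctx, resource_type, query)
        return True
    except CompartmentViolation:
        return False
```

Run `is_permitted` over captured request logs with each request's token context to spot compartment escapes that reached the server; anything returning False for a patient-scoped token is worth an incident ticket, not just a bug.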
02 // OCR-AWARE REPORTING

Reports designed for the third reader: the OCR investigator who arrives 14 months later.

If OCR opens an investigation, the auditor will request your pentest reports going back several years. They will read them looking for patterns: were findings tracked, was remediation timely, was scope appropriate, did your security program demonstrate due care. We write reports with that future reader in mind. The methodology, scope decisions, and remediation evidence are documented in the language and structure that OCR investigators recognize from prior consent decrees and resolution agreements.

  • Findings mapped to HIPAA 164.308 administrative and 164.312 technical safeguards
  • Scope decisions logged with rationale and named approver
  • Remediation evidence with timeline reconstruction support
  • Methodology document referenceable in OCR responses and BAA reviews
HIPAA mapping (sample finding)
FINDING: ePHI in production logs

HIPAA Security Rule
  · 164.312(a)(1)  Access control
  · 164.312(b)     Audit controls
  · 164.312(c)(1)  Integrity controls
  · 164.312(e)(1)  Transmission security
  · 164.308(a)(1)  Security mgmt process
  · 164.308(a)(8)  Evaluation

HITRUST CSF
  · CC.04.01  Logging and monitoring
  · CC.06.04  ePHI in non-prod
  · MP.06     Information protection

FDA Premarket (if device)
  · Authentication / Authorization
  · Cybersecurity Risk Mgmt File

State Notification Triggers
  · CA Civ. Code 1798.82
  · TX Bus. & Comm. § 521.053
  · 50-state matrix attached

→ Single finding, multi-framework evidence package. OCR-ready.
Regulatory Reality

OCR fines run to millions per incident, but the operational damage is bigger.

OCR resolution agreements regularly reach $1M to $16M per incident with multi-year corrective action plan obligations. The dollar fine is rarely the largest cost. Operational restrictions, leadership accountability, BAA renegotiation pressure, and patient-trust damage drive the long-tail consequences. The cheapest investment a healthcare security program makes is documented, defensible pentest evidence with appropriate methodology and scope. Our work is structured around that calculus.

Coverage by Healthcare Sub-Vertical

Specialized testing for healthcare surfaces.

Digital Health & Telehealth

Patient portal security, telehealth session protection, prescription flow integrity, asynchronous messaging IDOR. State-by-state telehealth regulatory framing.

EHR & HealthTech SaaS

FHIR / HL7 integration security, Epic / Cerner / athenahealth integration patterns, multi-tenant clinical data isolation, BAA boundary testing.

Clinical Research Platforms

Study isolation, IRB-relevant access controls, GxP / 21 CFR Part 11 audit trail integrity, eCRF and source-data verification security.

Pharma Manufacturing IT

Manufacturing execution systems, LIMS, quality systems, GxP integration. Often co-scoped with cloud security review.

Medical Devices & IoT

FDA premarket cybersecurity per 2023 guidance, medical device integration with EHRs, device firmware update mechanisms, post-market vulnerability disclosure.

Health Plans & Payers

Member portals, claims processing, provider directory APIs. Cross-cutting overlap with fintech (payment) and SaaS (multi-tenant).

Frequently Asked

Common questions, answered.

Is a pentest enough to satisfy HIPAA Security Rule requirements?

A pentest is one part of the HIPAA evaluation requirement (164.308(a)(8)), not the entire program. You also need risk analysis, policy and procedure documentation, BAA management, workforce training, incident response, and other administrative safeguards. We are the technical-evaluation component. We work with your compliance counsel and HIPAA consultants who manage the broader program.

Can your pentest evidence be used in HITRUST CSF certification?

Yes. HITRUST authorized assessors regularly accept our pentest reports as evidence supporting HITRUST i1 and r2 certifications. Specific control domains where our evidence applies: CC.04 (logging), CC.06 (ePHI handling), MP.06 (information protection), and others. We pre-map findings to HITRUST controls to reduce auditor translation work.

Do you have a Business Associate Agreement (BAA)?

Yes. We sign HIPAA BAAs with all healthcare clients before any environment access is provisioned. Our BAA template is HHS-compliant and we negotiate redlines with reasonable flexibility. Healthcare engagements typically include BAA execution as a prerequisite to scoping discussions.

How do you handle PHI exposure during testing? Can you avoid PHI entirely?

We strongly prefer test environments with synthetic PHI. Real-PHI environments are tested only with explicit written authorization, narrowly scoped permissions, and pre-agreed incident-response procedures. Findings involving PHI are documented in a redacted-by-default format. We also offer separate sanitized and raw versions of reports for different audiences.

Can you test FDA-regulated medical devices and SaMD (Software as a Medical Device)?

Yes. We support premarket cybersecurity testing per the 2023 FDA guidance, including testing aligned to AAMI TIR57 and the FDA's recognized standards list. For postmarket cybersecurity, we support coordinated vulnerability disclosure planning and testing in support of CVE assignment workflows.

How do you handle multi-state breach notification analysis?

We don't provide legal advice and we are not your counsel. We do provide the technical evidence (which records were exposed, what data elements, when, by whom, with what evidence) that your counsel needs to perform breach notification analysis. The output is a 50-state-aware exposure assessment that supports your counsel's notification decisions, not a substitute for them.

Do you test integrations with our EHR vendor (Epic, Cerner, athenahealth)?

Yes, with caveats based on the integration model. We test the integration boundary on your side: SMART on FHIR app security, OAuth/OIDC flow handling, FHIR query authorization, returned-data handling. We do not test the EHR vendor's systems directly without their authorization, which is rare to obtain. The integration boundary is usually where the interesting findings live anyway.

Are you experienced with GxP and 21 CFR Part 11?

Yes, for clinical research platforms, eCRF systems, and clinical-trial support infrastructure. Our methodology accommodates GxP requirements: documented testing procedures, audit-trail integrity validation, electronic signature flow testing. We work alongside GxP validation specialists rather than replacing them.

How does this work for healthtech startups still pre-revenue?

We work with venture-stage healthtech companies regularly. Engagement scoping reflects the size of the application and the regulatory urgency. A pre-revenue digital health platform that hasn't yet processed PHI may scope to a 1-2 week engagement at $12K-$18K. Once you're processing real PHI, the engagement matures along with the regulatory exposure.

Ready to ship secure?
Talk to a senior engineer who has worked with companies in your industry. No SDR script, no slide deck. Just a working session about your stack and your compliance posture.