Cyber Army

Healthcare

We help providers, payers, and digital health teams protect patient data and continuity of care. Our focus: HIPAA-minded testing, PHI data-flow reviews, SMART on FHIR/API security, cloud hardening, and ransomware readiness.

Why it matters

  • Safeguard PHI and maintain patient trust
  • Reduce ATO/phishing and fraud against patient/portal accounts
  • Harden APIs and integrations (EHR, HL7 v2, FHIR/SMART)
  • Prevent data leakage via logs, backups, and cloud storage
  • Prepare for ransomware: minimize blast radius and speed recovery
  • Produce audit-friendly evidence for stakeholders and assessors

What we test

  • Authentication & authorization: portal logins, MFA/step-up, session management, RBAC/entitlements (patients, clinicians, admins), account recovery.
  • APIs & integrations: object-level authZ (BOLA/BFLA), input validation, rate-limiting/abuse controls, webhook signatures, SMART on FHIR scopes/consent, token handling, app registration.
  • PHI data flows & storage: PHI in URLs, logs, analytics, crash reports, backups/snapshots; encryption at rest/in transit; tokenization/minimization.
  • Cloud & identity: least-privilege IAM, public exposure sweeps, KMS, audit logging, network segmentation, secret hygiene in CI/CD and images.
  • Mobile apps (iOS/Android): MASVS-aligned checks, cert pinning, device trust, secure storage, hooking/mitm resistance, clipboard and screenshot hygiene.
  • Operational resilience: backup/restore drills, immutable copies, access to care in degraded modes, alerting/monitoring for exfiltration and insider risk.
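The object-level authorization item above (BOLA on FHIR resources, SMART on FHIR scopes) is where most patient-portal API findings land: a valid token with a matching scope is necessary but not sufficient, because the resource's patient compartment must also match the token's context. The following is an added illustration, not Cyber Army's or any EHR vendor's code; the scope grammar follows SMART on FHIR (v1 `read|write|*` and v2 `cruds` letters), while the claim names, the `in_care_relationship` callback and the sample tokens are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Mapping

# SMART on FHIR scope grammar, e.g. patient/Observation.read, user/*.rs, system/Patient.read
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*|[cruds]+)$")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _perm_covers(perm: str, action: str) -> bool:
    """Does the scope's permission part allow the requested action ('read' or 'write')?"""
    if perm == "*":
        return True
    if perm in ("read", "write"):          # SMART v1 form
        return perm == action
    needed = {"read": {"r", "s"}, "write": {"c", "u", "d"}}[action]   # SMART v2 letters
    return bool(needed & set(perm))


def authorize_fhir_access(
    claims: Mapping[str, str],
    action: str,
    resource_type: str,
    resource_patient_id: str,
    in_care_relationship: Callable[[str, str], bool] = lambda user, patient: False,
) -> Decision:
    """Object-level check for one FHIR resource.

    claims: decoded access-token claims (assumed names: 'scope', 'patient', 'sub').
    resource_patient_id: the patient compartment the requested resource belongs to,
    looked up server-side from the resource itself, never taken from the request.
    in_care_relationship: server-side resolver for user/ scopes (assumed hook).
    """
    reasons = []
    for scope in claims.get("scope", "").split():
        m = SCOPE_RE.match(scope)
        if not m:
            reasons.append(f"unrecognised scope {scope}")
            continue
        context, rtype, perm = m.groups()
        if rtype not in (resource_type, "*") or not _perm_covers(perm, action):
            continue
        if context == "patient":
            # The token's patient context must equal the resource's compartment;
            # a matching scope alone would let any patient read any Observation.
            token_patient = claims.get("patient")
            if token_patient is not None and token_patient == resource_patient_id:
                return Decision(True, f"{scope} within patient context {token_patient}")
            reasons.append(f"{scope}: resource belongs to a different patient compartment")
        elif context == "user":
            # Clinician tokens still need a treatment relationship, resolved server-side.
            user = claims.get("sub", "")
            if in_care_relationship(user, resource_patient_id):
                return Decision(True, f"{scope} with care relationship {user}->{resource_patient_id}")
            reasons.append(f"{scope}: no care relationship for {user}")
        else:
            # system/ scopes are backend-to-backend; the client itself is the trust boundary.
            return Decision(True, f"{scope} (backend system client)")
    return Decision(False, "; ".join(reasons) or "no scope grants this action")


# Constructed sample tokens (claims only; signature validation is assumed to have happened already).
PATIENT_TOKEN = {"sub": "user-pat-1", "patient": "p-123",
                 "scope": "patient/Observation.read patient/Patient.read"}
CLINICIAN_TOKEN = {"sub": "dr-7", "scope": "user/Observation.rs"}


def sample_relationship(user: str, patient: str) -> bool:
    """Constructed stand-in for a care-team lookup."""
    return (user, patient) in {("dr-7", "p-123")}


if __name__ == "__main__":
    print(authorize_fhir_access(PATIENT_TOKEN, "read", "Observation", "p-123"))
    print(authorize_fhir_access(PATIENT_TOKEN, "read", "Observation", "p-456"))
    print(authorize_fhir_access(CLINICIAN_TOKEN, "read", "Observation", "p-999", sample_relationship))
```

The design point is that `resource_patient_id` comes from the stored resource (the compartment it is actually in), so a request that swaps a resource ID in the URL is denied even when the scope string looks right; logging the `reason` string on every denial is what gives a SOC a usable BOLA signal.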

PHI handling & BAA

We are not a HIPAA auditor, but we test and report with HIPAA safeguards in mind and can execute a Business Associate Agreement (BAA) when required.

  • PHI minimization; anonymized/redacted evidence by default
  • Encryption in transit and at rest; segregated per-client storage
  • Short-lived, least-privilege test credentials and auditable access
  • Time-bound retention with secure purge upon closure
  • Findings mapped to administrative/technical safeguards where relevant
  • NDA/ROE and change windows for safe production testing

Ransomware & patient safety

Modern campaigns often exfiltrate data before encryption. We assess blast radius and recovery speed: segmentation, least privilege, EDR, offline/immutable backups, and monitoring for unusual archiving/exfiltration.

  • Segment clinical systems from corporate IT; limit east-west movement
  • Phishing-resistant MFA for admins and remote access; disable legacy auth
  • Backups that survive an attack; routine restore drills
  • Harden RDP/SSH/VPN; patch exposed services; macro/script controls

Sample test cases

  • Access another patient’s records via FHIR resource IDOR (BOLA)
  • Bypass step-up MFA for high-risk actions (change contact, share records, export)
  • PHI leakage in logs/analytics/crash reports; PHI in query strings and referrers
  • Webhook replay or signature bypass (lab results, appointment events)
  • Publicly exposed storage or snapshots containing ePHI
  • Mobile: missing cert pinning, insecure local storage, rooted/jailbroken bypass
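The webhook case above (replay or signature bypass on lab-result and appointment events) is usually a receiver-side defect: no signature check, a non-constant-time comparison, or no protection against a captured request being delivered twice. Below is an added example of a receiver that closes those gaps; it is not Cyber Army's code nor any lab vendor's protocol. The header layout (`t=<unix time>,v1=<hex HMAC>`), the shared secret, the event JSON and the tolerance window are all constructed assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Tuple

# Constructed sample: a lab-result event as a sender might POST it (not a real vendor format).
SAMPLE_EVENT = {
    "id": "evt_constructed_0001",
    "type": "lab.result.final",
    "patient": "p-123",
    "observation": "obs-constructed-42",
}
SECRET = b"constructed-shared-secret-rotate-me"   # assumed per-integration secret


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<raw body>', so the timestamp
    is covered by the signature and cannot be adjusted to dodge the freshness check."""
    digest = hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


class WebhookVerifier:
    """Receiver side: signature, freshness window, and an event-id replay cache."""

    def __init__(self, secret: bytes, tolerance_seconds: int = 300):
        self.secret = secret
        self.tolerance = tolerance_seconds
        self.seen: Dict[str, float] = {}   # event id -> cache expiry (in production: shared store)

    def verify(self, header: str, body: bytes, now: float = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            parts = dict(kv.split("=", 1) for kv in header.split(","))
            ts = int(parts["t"])
            presented = parts["v1"].encode()
        except (ValueError, KeyError):
            return False, "malformed signature header"

        # Freshness first: a stale-but-valid signature is the raw material for replay.
        if abs(now - ts) > self.tolerance:
            return False, "timestamp outside tolerance"

        # Constant-time comparison over the raw request body, not a re-serialised parse of it.
        expected = hmac.new(self.secret, str(ts).encode() + b"." + body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, presented):
            return False, "signature mismatch"

        try:
            event_id = json.loads(body)["id"]
        except (ValueError, KeyError, TypeError):
            return False, "event id missing"

        # Replay cache: keep ids for twice the window so an id cannot be reused
        # while its timestamp is still inside tolerance.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        if event_id in self.seen:
            return False, "replay: event id already processed"
        self.seen[event_id] = now + 2 * self.tolerance
        return True, "ok"


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the verifier with one genuine delivery, a redelivery, a tampered body and a stale one."""
    body = json.dumps(SAMPLE_EVENT, separators=(",", ":")).encode()
    sent_at = 1_700_000_000
    header = sign_webhook(SECRET, sent_at, body)
    verifier = WebhookVerifier(SECRET)
    tampered = body.replace(b"p-123", b"p-456")
    return {
        "first_delivery": verifier.verify(header, body, now=sent_at + 10),
        "redelivery": verifier.verify(header, body, now=sent_at + 20),
        "tampered_body": verifier.verify(header, tampered, now=sent_at + 10),
        "stale": WebhookVerifier(SECRET).verify(header, body, now=sent_at + 1_000),
        "bad_header": WebhookVerifier(SECRET).verify("v1=abc", body, now=sent_at),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:15s} {result}")
```

Two choices worth copying into a real receiver: the signature is computed over the raw bytes exactly as received (re-serialising parsed JSON changes whitespace and key order and makes good signatures fail), and the replay cache must live in shared storage when more than one instance receives events, otherwise a redelivery to a second instance passes.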

What you get

  • Proof-of-exploit with safe, redacted evidence
  • Reproduction steps and fix-first guidance with code/config examples
  • Severity and business impact aligned to healthcare risk
  • Executive summary + audit-friendly artifacts
  • Rapid re-test to verify remediation
  • Optional mapping to HIPAA safeguards / SOC 2 / ISO 27001

Who we’re best for

Hospitals and clinics, telehealth and remote monitoring, digital health SaaS, payers and TPAs, EHR/HL7/FHIR integrators, and platforms with patient portals or clinician apps.