A PRACTICE OF FORTIFY LABS

We prove HIPAA by breaking it.

AI-native penetration testing for healthcare — with every finding mapped to a specific 45 CFR Part 164 citation. 100% on the XBOW public benchmark. 463 proven attack patterns. Built for the compliance officer, the CISO, and the OCR investigator who never calls.

Mutual NDA signed before discovery · BAA available on request · Fixed-fee SOW

Critical · HS-2026-014 · verified · 00:02:47

Cross-tenant read access to 152 organization records via mobile app Firebase backend

Android APK embeds Firebase config. Any anonymous authenticated user could read organization records including tax identifiers and write new documents to production.

§ 164.312(a)(1) · § 164.312(c)(1) · § 164.404
$ curl $FIREBASE_URL/organizations.json
200 OK · 152 docs · cross-tenant: true
Anonymized · real finding · published with consent

Built for procurement, auditors, and OCR

45 CFR Part 164 aligned · BAA available · SOC 2 aligned reporting · 100% XBOW benchmark · HITRUST-ready reports
The healthcare breach landscape — 2024 data
  • $4.3M: avg HHS OCR resolution, 2024-25 (source: HHS OCR enforcement actions)
  • 725: large breach reports to HHS, 2024 (source: HHS Breach Portal)
  • 168M: individual records exposed, 2024 (source: HHS Breach Portal)
  • $10.93M: avg total cost of a healthcare breach (source: IBM Cost of a Data Breach 2024)
Live engine output

Every finding speaks the Security Rule.

Our scan engine runs in parallel across recon, auth, access control, injection, audit, and BAA-scope stages. Every finding it emits carries a 45 CFR § citation and a Breach Notification Rule impact flag. This is a real trace, redacted.

hipaa-shield · scan-engine · v2 · live
[00:00.21] ▸ recon crawl https://app.telehealth-example.com ok 287 routes
[00:14.88] ▸ fingerprint detect framework ok next.js · supabase · twilio video
[00:32.04] ▸ auth role-map patient / clinician / admin ok 5 roles mapped
[01:12.77] ▸ audit-log test §164.312(b) coverage gap mutations missing audit entries
[02:04.18] ▸ idor /api/patients/{id}/encounters FAIL § 164.312(a)(1)
patient_id mutation returns another user’s encounter notes
[02:47.91] ▸ baa-scope sub-processor enumeration FAIL § 164.308(b)(1)
2 analytics pixels receiving ePHI without executed BAA
[03:22.55] ▸ breach-notif § 164.404 impact analysis trigger >500 individual threshold
[03:40.02] ▸ report render evidence pack ok 3 findings · 6 CFR citations · PDF + MD
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
scan complete · 3 critical · 2 high · 11 medium · every finding tied to a Security Rule §
10-agent swarm · 463 proven attack patterns · § citation on every finding
Why HIPAA Shield

A generic pentest won’t hold up in an OCR investigation.

OCR’s enforcement record is consistent: the violations that trigger resolution agreements are almost always Security Rule failures — insufficient risk analysis, inadequate audit controls, missing BAAs, and unpatched technical safeguards. We built HIPAA Shield to surface exactly those.

PHI-pattern aware scanning

The scan engine recognizes PHI patterns — MRN formats, DOB + name + diagnosis, HL7 v2 fields, FHIR Patient resources — and flags every place they can leak, not just generic SQLi or XSS.
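To make the PHI-pattern idea concrete, here is an added example in Python (not HIPAA Shield's engine code): a small detector that pulls the identifying fields out of an HL7 v2 PID segment and a FHIR R4 Patient resource, then runs a site-specific MRN regex over the raw payload. The MRN format, the field labels and the is_phi rule are constructed assumptions for illustration; real MRN formats and PHI policy vary by site.

```python
"""PHI-pattern detector for HL7 v2 and FHIR payloads (constructed example)."""
import json
import re

# Constructed MRN format (two letters + six digits); real MRN formats are site-specific.
MRN_RE = re.compile(r"\b[A-Z]{2}\d{6}\b")

def scan_hl7_v2(message: str) -> list:
    """Flag identifying fields in the PID segment of an HL7 v2 message.
    Segments are CR-separated, fields '|'-separated, components '^'-separated."""
    labels = {3: "patient identifier (PID-3)", 5: "patient name (PID-5)", 7: "date of birth (PID-7)"}
    hits = []
    for seg in message.replace("\n", "\r").split("\r"):
        fields = seg.split("|")
        if fields[0] != "PID":
            continue
        # fields[0] is the segment name, so PID-n is fields[n]; keep the first component only.
        for idx, label in labels.items():
            if idx < len(fields) and fields[idx]:
                hits.append((label, fields[idx].split("^")[0]))
    return hits

def scan_fhir(resource) -> list:
    """Flag identifying elements of a FHIR R4 Patient resource (identifier, name, birthDate)."""
    if not isinstance(resource, dict) or resource.get("resourceType") != "Patient":
        return []
    hits = [("Patient.identifier", i.get("value", "")) for i in resource.get("identifier", [])]
    for name in resource.get("name", []):
        full = " ".join(name.get("given", []) + [name.get("family", "")]).strip()
        hits.append(("Patient.name", full))
    if "birthDate" in resource:
        hits.append(("Patient.birthDate", resource["birthDate"]))
    return hits

def scan_payload(body: str) -> list:
    """JSON bodies get the FHIR check, anything else the HL7 v2 check; the MRN regex runs over both."""
    try:
        hits = scan_fhir(json.loads(body))
    except ValueError:  # json.JSONDecodeError is a ValueError
        hits = scan_hl7_v2(body)
    return hits + [("MRN pattern", m) for m in MRN_RE.findall(body)]

def is_phi(hits: list) -> bool:
    """Any direct identifier is PHI; a name alone is not, but name plus date of birth is."""
    kinds = {k for k, _ in hits}
    if kinds & {"patient identifier (PID-3)", "Patient.identifier", "MRN pattern"}:
        return True
    return ({"patient name (PID-5)", "date of birth (PID-7)"} <= kinds
            or {"Patient.name", "Patient.birthDate"} <= kinds)
```

Run scan_payload over response bodies or outbound request bodies captured in a staging environment; a hit on a third-party host is the raw material for the BAA-scope check described further down.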

Mapped to 45 CFR Part 164

Every finding cites a specific Security Rule standard. Reports are written to satisfy OCR evidence requirements, SOC 2 CC-series controls, and HITRUST CSF simultaneously.

BAA-ready evidence packs

Our deliverables are the format hospital procurement, payer VMS, and state HIE oversight teams actually accept — third-party attestation letter included.

Provable — not marketing

The numbers are in Supabase.

How we verify
  • 100% XBOW public benchmark: 104 / 104 scenarios solved black-box
  • 463 proven attack patterns: in the Fortify Labs brain, growing weekly
  • 45 CFR Part 164 coverage: every finding mapped to a Security Rule §
  • 10 specialist AI agents: dispatched in parallel, fresh-context per scan
What we cover

Three pillars. 122 individual checks. One Security Rule.

Our scan engine exercises every subsection of the HIPAA Security Rule that is technically testable from a live environment. Controls that are procedural — like workforce training — are assessed via evidence review in the Administrative tier.

45 CFR § 164.308

Administrative Safeguards

Risk analysis, workforce access management, security incident procedures, contingency planning, and evaluation.

41 individual checks in this section
45 CFR § 164.310

Physical Safeguards

Facility access controls, workstation use and security, device and media controls — including disposal and re-use.

18 individual checks in this section
45 CFR § 164.312

Technical Safeguards

Access control, audit controls, integrity, person-or-entity authentication, and transmission security. The section where most findings live.

63 individual checks in this section
Healthcare-specific findings

The patterns that actually show up in healthcare SaaS.

We seeded our attack brain with healthcare-specific patterns: PHI detectors, FHIR misconfigurations, patient portal IDOR templates, BAA scope checks, and the mobile-app-backend asymmetries that let external attackers walk through the front door.

PHI exposure in mobile & web backends

§ 164.312(a)(1), 164.312(c)(1)

Firebase, Supabase, DynamoDB, and S3 misconfigurations that expose patient records, payouts, EOBs, and lab results to unauthenticated or cross-tenant access.

Patient portal IDOR & cross-patient access

§ 164.308(a)(4), 164.312(a)(1)

Horizontal privilege escalation where one patient can read another's encounters, messages, or prescriptions by changing a numeric ID.
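The same pattern as a worked example, added here and not taken from this page or HIPAA Shield's engine: a minimal Python encounter lookup showing the vulnerable handler, which trusts the patient_id in the route, beside the hardened one, which binds the record to the authenticated session. The in-memory store, the Session class and the function names are constructed for illustration.

```python
"""Patient-portal IDOR: vulnerable encounter lookup beside its hardened form (constructed example)."""
from dataclasses import dataclass

# Constructed sample store: encounter notes keyed by (patient_id, encounter_id).
ENCOUNTERS = {
    (1001, 1): "2024-03-02 visit: hypertension follow-up",
    (1002, 7): "2024-03-05 visit: post-op wound check",
}

@dataclass(frozen=True)
class Session:
    user_id: int           # the patient ID bound to the authenticated session
    role: str = "patient"  # "patient" or "clinician"

class Forbidden(Exception):
    """Raised instead of returning data; maps to an HTTP 403 in a real handler."""

def get_encounter_vulnerable(session: Session, patient_id: int, encounter_id: int) -> str:
    """The § 164.312(a)(1) failure pattern: the route parameters alone select the record,
    so any logged-in patient can read other patients' notes by changing patient_id."""
    return ENCOUNTERS[(patient_id, encounter_id)]

def get_encounter_hardened(session: Session, patient_id: int, encounter_id: int) -> str:
    """Object-level authorization: a patient may only read encounters whose patient_id
    equals the ID on their own session. Clinicians pass here for brevity; a real system
    would also check the treatment relationship (minimum necessary, § 164.502(b))."""
    if session.role == "patient" and session.user_id != patient_id:
        # Deny before touching the store, so the response for another patient's record
        # is the same whether or not it exists (no record-existence oracle).
        raise Forbidden("session is not authorized for this patient's encounters")
    return ENCOUNTERS[(patient_id, encounter_id)]

def can_read_cross_patient(handler, attacker_id: int, victim_id: int, encounter_id: int) -> bool:
    """Retest helper: does a session for attacker_id get victim_id's encounter through handler?"""
    try:
        handler(Session(user_id=attacker_id), victim_id, encounter_id)
        return True
    except Forbidden:
        return False
```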

Audit log gaps (Security Rule § 164.312(b))

§ 164.312(b)

Missing or tamperable audit trails on ePHI access. OCR cites this in nearly every HIPAA enforcement action.
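As an added illustration (not this page's or HIPAA Shield's code), a Python hash-chained audit log that makes edits, deletions and reordering detectable, plus the coverage check from the trace above: which ePHI writes never produced an audit entry. The event fields, actor names and the GENESIS anchor are constructed assumptions.

```python
"""Tamper-evident ePHI audit log plus a mutation-coverage check (constructed example)."""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # constructed anchor for the first link
FIELDS = ("ts", "actor", "action", "patient_id")

def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same event always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_event(chain: list, ts: str, actor: str, action: str, patient_id: int) -> dict:
    """Append one § 164.312(b) entry that commits to the hash of the entry before it."""
    record = {"ts": ts, "actor": actor, "action": action, "patient_id": patient_id}
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = dict(record, prev=prev, hash=_entry_hash(prev, record))
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> Optional[int]:
    """Return the index of the first broken link, or None if the log is intact.
    Editing, deleting or reordering any entry breaks every link after it. Anchor the
    latest hash somewhere the application's database writer cannot reach (e.g. an
    external WORM store), or an attacker with DB write access simply recomputes the chain."""
    prev = GENESIS
    for i, e in enumerate(chain):
        record = {k: e[k] for k in FIELDS}
        if e["prev"] != prev or e["hash"] != _entry_hash(prev, record):
            return i
        prev = e["hash"]
    return None

def unaudited_mutations(mutations: list, chain: list) -> list:
    """The trace's coverage gap: ePHI writes that never produced an audit entry."""
    logged = {(e["actor"], e["action"], e["patient_id"]) for e in chain}
    return [m for m in mutations if (m["actor"], m["action"], m["patient_id"]) not in logged]
```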

HL7 / FHIR endpoint misconfiguration

§ 164.312(e)(1)

Unauthenticated FHIR R4 endpoints, overly permissive SMART on FHIR scopes, and HL7 v2 listeners exposed to the public internet.

Telehealth session & recording leakage

§ 164.312(e)(2)(ii)

Twilio/Vonage/Zoom For Healthcare misconfigurations, unindexed recording buckets, WebRTC TURN misconfiguration leaking participant IPs.

BAA scope gaps & sub-processor leaks

§ 164.308(b)(1), 164.314(a)

ePHI flowing to sub-processors without executed BAAs — analytics, error tracking, LLM APIs, and marketing pixels are the usual suspects.

The healthcare attack surface

Where PHI flows. Where it leaks. Which § governs each step.

Every healthcare application pushes patient data across the same six-layer topology. Our scan engine probes each node and maps the finding to the Security Rule section that owns it. This is the signature — no other HIPAA vendor, and no generic pentest firm, produces this map.

[Attack-surface map, rendered from a real scan signature, sanitized. Legend: safe / partial / exploitable.]
Governing sections: § 164.308 · Administrative; § 164.312(a) · Access control; § 164.312(b) · Audit; § 164.404 · Breach.
Nodes probed:
  • Patient (browser / mobile)
  • Portal (Next.js / SPA)
  • API Gateway (FHIR / GraphQL): IDOR, § 164.312(a)(1)
  • PHI Database (Postgres / Firestore): RLS gap, § 164.312(c)(1)
  • Audit Log (tamper-resistant?): incomplete, § 164.312(b)
  • Sub-processor (Firebase / Sentry): no BAA, § 164.308(b)(1)
One scan · every node probed · every finding mapped to 45 CFR Part 164
“A generic pentest produces CVSS scores. OCR calls those audit findings. HIPAA Shield produces both.”
The operating principle behind every report.
Engagement options

Four paths, priced for healthcare procurement.

Every engagement is scoped on a discovery call and priced against a fixed SOW — no hourly rates, no surprise add-ons.


HIPAA Security Risk Assessment

$15,000 · one-time
Satisfies 45 CFR § 164.308(a)(1)(ii)(A)

The formal Risk Analysis that the Security Rule requires every covered entity and business associate to conduct. Scoped, documented, and defensible.

  • Asset & ePHI flow inventory
  • Threat and vulnerability assessment
  • Likelihood and impact rating
  • Remediation roadmap + evidence pack

Continuous Monitoring

$35,000 · per year
Satisfies 45 CFR § 164.308(a)(1)(ii)(D) Information System Activity Review

Monthly scans, quarterly reports, and an incident response retainer. Designed for covered entities and BAs with active PHI workflows and frequent change.

  • 12 scheduled scans per year
  • Quarterly executive briefings
  • Incident response retainer (8hr SLA)
  • Slack/Teams integration for findings

BAA-Ready Assessment

$50,000 · per engagement
Evidence for Business Associate contracts

Formal assessment for Business Associates who need to satisfy covered entity diligence — including enterprise health systems, payers, and MSOs.

  • Covered entity-facing evidence pack
  • Third-party attestation letter
  • Compliance gap remediation plan
  • Optional HITRUST readiness add-on
The Fortify Labs brain

463 proven attack patterns. Healthcare-hardened.

HIPAA Shield shares the same compound-learning scan engine that powers VibeArmor, our SaaS security product. That engine scored 100% on the public XBOW benchmark — the only public measurement of AI pentesting capability today.

For HIPAA Shield, the brain is layered with healthcare-specific beliefs: PHI detection patterns, FHIR/HL7 misconfiguration templates, patient portal IDOR sequences, and BAA scope gap checks. Every engagement adds new beliefs that compound across the practice.

Brain composition (live)
  • Total proven patterns: 463
  • XBOW benchmark score: 100%
  • Attack agent specialists: 10
  • Healthcare-specific beliefs: 12+
  • Framework coverage: FHIR / HL7 / Epic / Cerner
Who the report speaks to

Three readers, one deliverable: each gets exactly what they need.

The same engagement produces three audience-tuned outputs. Your CCO gets the Risk Analysis artifact. Your CISO gets the technical remediation roadmap. Your BAA counterparty gets the attestation letter. One scan, three procurement conversations closed.

For the Chief Compliance Officer

The buyer who gets the OCR letter

Needs audit-defensible evidence that satisfies § 164.308(a)(1)(ii)(A) Risk Analysis.

What they receive
  • Formal Risk Analysis document
  • Every finding mapped to a CFR §
  • Breach Notification Rule impact
  • Third-party attestation letter
For the CISO / VP of Security

The buyer who gets the exploit

Needs to see the actual vulnerabilities and remediation guidance engineering can ship.

What they receive
  • CVSS 4.0 + CWE mapping per finding
  • Reproduction steps & curl receipts
  • Prioritized remediation roadmap
  • Retest on remediated findings
For Hospital Procurement / the BAA counterparty

The buyer who signs your BAA

Needs third-party evidence before executing a Business Associate Agreement.

What they receive
  • BAA-ready evidence pack
  • Sub-processor + BAA map
  • Policy evidence review
  • Up to 10h procurement support
Frequently asked

Questions healthcare buyers actually ask.

Is this a HIPAA Security Risk Assessment or a penetration test?

Both — and we scope accordingly. Every engagement begins with a discovery call to determine whether you need the formal Risk Analysis required by 45 CFR § 164.308(a)(1)(ii)(A), an external or authenticated pentest, or a combined assessment. Our reports are written to satisfy either evidence standard.

Do you sign a Business Associate Agreement?

Yes. HIPAA Shield signs a BAA before any engagement that involves access to ePHI. We do not access live PHI when a synthetic dataset will satisfy the testing objective, and we document that decision in the scoping memo.

What states' privacy laws do you cover?

The report includes state-level notification and privacy-law impact for every state where you store or process records. California (CMIA, CCPA/CPRA), Texas (Ch. 181), New York (SHIELD Act), Illinois (PIPA/BIPA overlap), and Massachusetts (201 CMR 17.00) get particular scrutiny given their active AG enforcement.

How do you avoid touching real PHI during testing?

By default we test against staging with synthetic datasets your team provides. Where production testing is necessary, we use read-only access, scoped test accounts, and work with your compliance team to stay inside the minimum-necessary rule (§ 164.502(b)).

Can you produce evidence a hospital procurement team will accept?

Yes. Our BAA-Ready Assessment produces a third-party attestation letter, findings mapped to 45 CFR Part 164, and a remediation ledger — the format health system security teams and payer procurement groups typically ask for.

How is this different from a generic SaaS pentest?

A generic pentest produces CVSS scores and OWASP categories. Ours produces CVSS scores, OWASP categories, AND a Security Rule citation for each finding — plus a Breach Notification Rule (§ 164.404) impact analysis for findings that touch ePHI. That is what OCR and your procurement counterparties care about.

A single PHI breach averages $10.93M.
Find them first.

Schedule a 30-minute scoping call. We’ll map your architecture to the Security Rule, identify which tier makes sense for your footprint, and provide a fixed-fee SOW within 48 hours.

Mutual NDA signed before discovery • BAA available on request • Fixed-fee SOW