Pentests for FHIR, HL7, and the EHR. Without breaking the shift.

PHI moves through FHIR, HL7 v2, and telehealth WebRTC streams that audit checklists treat as black boxes. Our pentests open them: FHIR resource over-exposure, HL7 integration-engine tampering, and live WebRTC PHI leaks. Reports accepted by HIPAA, HITRUST, SOC 2, and ISO 27001 auditors.

HIPAA BAA standard · CERT-In empanelled · PHI-handled engagement

See the PHI attack paths
Four healthtech surfaces — FHIR, HL7, EHR/SSO, telehealth — converging on a chained PHI-exfil proof-of-exploit at the centre.

Three ways we test healthtech.

Pick the engagement that matches the surface. FHIR R4 endpoints, EHR SSO paths, and clinical copilots each fail differently. So we test them differently.

BugDazz Autonomous

Continuous coverage of FHIR R4 and HL7 v2 endpoints between human engagements. Catches PHI exposure drift the day a scheduling API ships, not at the next HITRUST cycle.

Red team engagement

Multi-week adversary emulation across EHR, billing APIs, and telehealth WebRTC. Tests whether your SOC catches the path a ransomware operator actually traverses.

AI and LLM pentest

Tests clinical scribes, patient chatbots, and summary copilots for prompt injection, PHI exfil chains, and over-prescription manipulation. HIPAA and SOC 2 evidence included.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • CERT-In empanelled auditor
  • AICPA SOC 2 Type II
  • ISO/IEC 27001

Why a HIPAA gap-assessment isn't a pentest

A control marked present is not a path closed.

HIPAA gap-assessments check whether a control exists. A pentest reports what an attacker can do with that control in place. We chain FHIR consent boundary drift, HL7 v2 integration-engine tampering, and telehealth WebRTC TURN abuse into a working proof-of-exploit your CISO and clinical-ops team can act on, then re-test until every PHI path is closed.

Two columns: HIPAA controls marked present on the left, the chained PHI-exfil path each one becomes on the right.

IN SCOPE.

Eight categories. Every PHI-touching surface in the stack.

FHIR, HL7 v2, EHR/SSO, telehealth, bedside devices, DICOM, the patient portal, and the mobile health app. The chain an attacker walks is rarely one of these alone.

FHIR APIs

Resource over-exposure across patient consent, search-parameter abuse, bulk-export drift.

HL7 v2 integration

Message tampering at the integration engine, MLLP injection, ADT/ORU forgery (Mirth, Rhapsody, NextGen Connect).

EHR + SSO

Session takeover via OAuth, SAML signature wrap, scope drift across charting and ordering.

Telehealth + WebRTC

TURN server PHI leakage, SDP injection, recording-bucket exposure, session-record exfil.

Bedside + DICOM

Infusion-pump CAN/serial pivot, vital-sign monitor MQTT abuse, DICOM service injection, study-UID tampering, anonymization bypass.

Patient portal + mobile

PHI IDOR, password-reset replay, MFA-fallback abuse, parent-proxy boundary, biometric bypass, deep-link auth, Keychain/Keystore drift.

HEALTHTECH ATTACK SURFACE.

What an attacker chains to walk PHI out of a modern healthtech stack.

  1. FHIR resource over-exposure
     Patient consent boundary drift, search-parameter abuse, bulk-export sub-resource leak — cross-patient read from a single low-scope token.

  2. HL7 v2 ADT tampering
     Integration-engine message rewrite, MLLP injection at the listener, ADT^A40 forgery merges patient identities and rewrites order history.

  3. EHR SAML signature wrap
     XML signature wrap on the SSO assertion, scope drift from a charting role into the ordering role, prescription write-path reached without a clinician seat.

  4. Telehealth WebRTC TURN exfil
     TURN server allocated on an untrusted relay, SDP injected to redirect media, encounter audio and screen-share PHI walked off to attacker storage.

  5. DICOM service injection
     C-STORE accepted from a forged AE title, study-instance UID tampering replaces an oncology study mid-read, anonymization layer bypassed on export.

  6. Patient portal IDOR
     Guardian/parent-proxy boundary collapses on a sibling record, MFA-fallback path replayed, full PHI history rendered to the wrong account.

  7. Bedside MQTT pump command
     Connected infusion pump on a flat clinical VLAN, MQTT broker abused for a control-plane write, dosage command crafted without the pump console.

PHI-EXPOSURE PATHS WE TEST.

HEALTHTECH PENTEST METHODOLOGY.

Eight phases. PHI-handled, closed-loop.

Scoped to your HIPAA boundary, EHR vendor flow, integration engine, and patient-facing surfaces. Not a template we run against every healthcare client.

  1. HIPAA + HITRUST scope mapping
  2. FHIR + consent boundary
  3. HL7 v2 + integration engine
  4. EHR + SSO chain
  5. Telehealth + WebRTC
  6. Bedside / DICOM pivot
  7. Chained finding + HIPAA-grade report
  8. Free re-test + detection handoff

Meet our expert

John Dill

vCISO at SecureLayer7

  • 10+ years in offensive security
  • 300+ engagements led
  • 99.7% on-time delivery rate

John scopes healthtech engagements against your HIPAA boundary, EHR vendor flow, and clinical-ops blackout windows. He guides the pod from kick-off through final report and re-test.

  • Scopes FHIR, HL7 v2, EHR/SSO, telehealth, and bedside engagements against your real PHI flow.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough of every PHI-exfil path.
  • Drives remediation review and re-test until every PHI path is closed and your CISO has written closure.

SL7 Lab. Published CVE research.

Ready to scope a healthtech pentest? Book 30 minutes with John to walk through your HIPAA boundary, EHR vendor flow, and clinical-ops window.

Book a 30-min call

Common procurement questions

What buyers ask about healthtech penetration testing.

Six questions procurement, compliance, and clinical-ops teams send before signing a healthtech pentest SOW. Answered against our methodology and your auditor.


Have a procurement question not listed here?

Partner tear-sheet

Hand a 2-page HealthTech tear-sheet to the buyer.

A printable summary your partner can drop into a pitch deck: named HealthTech threats, methodology, compliance mapping, and the engagement leads to call. Saves as PDF from the browser.

Sample healthtech pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample healthtech report: full PHI-exfil kill chain, working PoC traces, FHIR / HL7 / EHR fix guidance, and re-test scope. Sent on request after a 5-minute scoping call.