Healthtech penetration testing
Research-led healthtech pentest, EHR, FHIR, telehealth.
CREST-accredited researchers test healthtech stacks the way attackers and auditors do: PHI exfil paths, FHIR API abuse, EHR integration seams, telehealth video chain, mobile-to-API exploits, and HIPAA plus GDPR overlap.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Why this matters
Healthtech pentest reports get tested twice: by attackers and by auditors. Most survive neither.
Templated pentests miss PHI-exposure chains across FHIR APIs, EHR integrations, and patient-portal mobile apps.
BAA-covered scope seams blur when SMART on FHIR partners, telehealth vendors, and EHR systems get tested separately.
Reports passing internal review still get bounced by OCR audit and GDPR Article 32 reviewers for missing PHI-path evidence.
Here is what we ship.
Why teams pick us
PHI paths, not CVE lists.
PHI-path tagged findings
Each finding ships with the path from attacker to PHI, so OCR and Article 32 audit files accept it directly.
FHIR and SMART on FHIR
OAuth scope abuse, FHIR Bundle injection, Patient.read scope creep, SMART app authorisation bypass.
HIPAA plus GDPR mapped
Findings tagged to HIPAA Security Rule 45 CFR 164.308 and 164.312, plus GDPR Article 32 technical measures.
How it works
From PHI flow to report in two to three weeks.
Scope to PHI flows
Tell us your PHI stores, FHIR API surface, EHR integrations, telehealth chain, and BAA-covered downstream vendors.
Researchers test the chain
Web, mobile, FHIR APIs, EHR seams, telehealth video, and partner-vendor surfaces tested as one graph.
A report your audit file accepts
Findings tagged to HIPAA, GDPR, ISO 27001. Auditor evidence in one file.
Research ledger
Coordinated disclosures published by SL7 research.
The same researchers run your engagement.
What founders say
“Thank you for being our pentest partners. Our user base is safer because of y'all.”

Vinay Hiremath
Co-founder, Loom
Common questions
What buyers ask before they sign.
- What does the healthtech scope cover?
  Web app, mobile (iOS and Android), FHIR APIs, SMART on FHIR, EHR integrations (Epic, Cerner, Allscripts), telehealth video, and partner-vendor surfaces.
- Do you handle PHI test data?
  We work with anonymised or synthetic PHI by default. Real PHI only under a BAA and on-prem if required.
- Will you sign a BAA?
  Yes. Standard BAA on the second call.
- HIPAA plus GDPR coverage?
  Yes. Findings tagged to the HIPAA Security Rule and GDPR Article 32 for dual-jurisdiction healthtech.
- Medical device touch?
  Yes, when in scope. FDA pre-market cybersecurity submission and IEC 62304 review are available as a separate engagement.
Ready to test the PHI graph end to end?
20-minute scoping call with the lead healthtech pentester. EHR, FHIR, telehealth, and the auditor-shaped report.
CREST · CERT-In · SOC 2 · ISO 27001