Healthcare is under continuous cyber siege
Healthcare is the most-breached industry in the United States. In 2024, over 276 million individual records were breached across reported HIPAA incidents. Change Healthcare alone affected an estimated 190 million Americans. Yale New Haven Health affected 5.5 million patients. Healthcare breaches cost an average of $9.8 million per incident, the highest of any industry, and take longer to identify and contain than breaches in any other vertical.
Ransomware operators target healthcare because the operational impact is immediate and severe: surgeries canceled, prescriptions delayed, records inaccessible. Paying the ransom is often the fastest path to restoring operations. That economic reality has made healthcare a top-priority target for LockBit, Cl0p, BlackBasta, ALPHV/BlackCat, and their successors.
Who we work with
Hospitals and health systems
Independent community hospitals, multi-hospital systems, academic medical centers. Our engagements cover clinical network segmentation, medical device security, patient portal penetration testing, and OCR audit preparation.
Physician practices and medical groups
Primary care, specialty, and multi-specialty practices. From 5-physician groups to 500+ provider networks. Risk analyses, EHR integration security review, patient portal testing, and HIPAA policy development.
Federally Qualified Health Centers (FQHCs)
FQHCs face HIPAA plus federal grant compliance requirements. Our assessments produce documentation suitable for both HRSA and OCR scrutiny.
Specialty providers
Dental, vision, behavioral health, urgent care, dermatology, and other specialty networks. Multi-location security architecture, cloud-hosted PM/EHR, patient engagement platform security.
Telehealth platforms
Video consultation, asynchronous messaging, remote patient monitoring, digital therapeutics. Our engagements cover HIPAA Business Associate compliance, encryption validation, and the unique attack surface of always-on consumer-facing video infrastructure.
EHR vendors and practice management SaaS
Business Associate engagements covering multi-tenant isolation, API security for EHR integrations (FHIR, HL7v2), and the full Trust Services Criteria for SOC 2 Type II + HIPAA alignment.
Health-tech startups
Early-stage health-tech companies preparing for their first enterprise customer, their first Business Associate Agreement, or their first SOC 2 / HITRUST audit.
Medical device manufacturers
Connected medical devices face FDA cybersecurity requirements, MDR/IVDR in Europe, and the same HIPAA requirements when they handle PHI. We assess device firmware, backend platforms, and clinical integration.
Services for healthcare clients
- HIPAA Security Assessment. Risk analysis, technical safeguards, penetration test, breach readiness
- SOC 2 Readiness. For health-tech SaaS adding enterprise customers
- PCI DSS 4.0 Penetration Testing. For healthcare organizations handling patient payments
- Incident response and post-breach assessments. OCR-ready documentation
The healthcare threat landscape in 2026
Ransomware operators specifically targeting healthcare
Healthcare-focused ransomware actors include Cl0p, BlackBasta, ALPHV/BlackCat successors, and Scattered Spider affiliates. Attack patterns: phishing or external remote service exploitation for initial access, lateral movement via valid account abuse, data exfiltration over encrypted tunnels, then encryption. Double-extortion (encrypt + threaten to leak) is now standard.
Supply chain attacks
Change Healthcare, MOVEit, and Kaseya showed that compromise of a single healthcare vendor can cascade across thousands of providers. Our engagements include third-party risk assessment as a first-class component, not an afterthought.
Insider threat and misconfigurations
Misconfigured patient portals, exposed S3 buckets containing medical imaging, and over-permissioned EHR access remain the most common root causes in smaller-scale breaches. These are cheaper to prevent than any of the threats above.
Medical device insecurity
Medical devices, especially older ones, often run unsupported operating systems on flat clinical networks. Segmentation and compensating controls matter more than patching (because patching is often impossible without FDA recertification).
What OCR looks for
When OCR opens an investigation, it requests specific documents. A healthcare organization that cannot produce these has already failed the audit:
- Current risk analysis (under 12 months, covers all ePHI systems)
- Written security policies and procedures
- Workforce security training records
- Business Associate Agreements with every vendor handling PHI
- Access control records showing least-privilege
- Audit logs from systems handling PHI, with evidence of periodic review
- Incident response plan with documented exercise results
- Encryption documentation or risk-based justification for any unencrypted ePHI
- Contingency plan (disaster recovery, data backup, emergency mode operation)
- Penetration test report (increasingly expected, soon mandatory)
