Boutique offensive security practice for hospitals, clinics, clinical and testing laboratories, telehealth platforms, healthtech companies, and business associates — with healthcare-specific scoping, operator-led engagements, and a BAA on every contract.
Generic cybersecurity firms can do good work for an accounting firm or a SaaS startup. Healthcare is a different problem.
The data is regulated under a specific federal rule (HIPAA), a specific enforcement body (HHS OCR), and a specific evidentiary standard (the §164.308 administrative requirements that demand written risk analysis and periodic technical evaluation). Breach costs in healthcare run roughly double the cross-industry average, and ransomware operators have specifically pivoted to healthcare because the operational pressure forces faster ransom decisions. Cyber insurance carriers have become more demanding about evidence of technical evaluation activity before renewal. State regulators are layering additional requirements on top of HIPAA.
None of this is hypothetical — it's the actual operating environment a healthcare CIO, compliance officer, or practice administrator is making cybersecurity decisions inside of. Engagements scoped without that context produce checkbox compliance and audit risk. Engagements scoped with that context produce defensible risk reduction.
The Brickell healthcare practice is built around that distinction.
Healthcare consistently ranks as the most-breached industry and the most-expensive sector to recover in. The last several years of public reporting from HHS, IBM Cost of a Data Breach studies, and the FBI Healthcare Sector advisories all point to the same pattern: healthcare is targeted because the operational pressure of clinical care forces faster ransom decisions, and because the data is high-value on resale and identity-fraud markets.
Defending against this requires more than "we run scans periodically." It requires actual adversary simulation, current threat intelligence, and a risk-management posture that's documented, defensible, and continuously updated. That's the bar Brickell engagements are scoped against — not the minimum required to pass an annual checkbox.
Different healthcare segments have different risk profiles and audit drivers. Engagements are scoped accordingly.
Multi-site environments with deep integration between EHR, billing, lab, imaging, and pharmacy. Pentest scoping focuses on segmentation between clinical and administrative networks, EHR session handling, and the vendor BAA chain.
LIS-centric environments where lab results, patient identifiers, and ordering provider data all flow through tightly integrated systems. Particular focus on result-delivery channels (HL7 / FHIR), portal access, and data-export risk.
Smaller environments where the right scope is usually a focused HIPAA pentest plus an SRA, rather than enterprise-scale red team work. OCR has specifically targeted small practices in recent enforcement, so the audit-defensibility bar matters even at modest practice size.
Web and mobile apps handling patient-clinician sessions, video, messaging, and prescription workflows. Scoping prioritizes session handling, end-to-end encryption claims, mobile attack surface, and the integration boundary with the patient's EHR.
SaaS, AI/ML, devices, and analytics platforms operating as business associates. Buyer-side due diligence increasingly demands a recent third-party pentest report; we scope and deliver to that bar specifically.
Billing companies, RCM platforms, transcription, claims processing, and other vendors handling PHI on behalf of covered entities. Your downstream covered-entity contracts require evidence of evaluation activity — we produce the artifact.
Four engagement types, scoped specifically for HIPAA-regulated environments. Most healthcare clients run a combination.
Manual exploitation scoped around PHI reachability. Auditor-ready reports mapped to the HIPAA Security Rule, with retest and attestation letter.
Operator-informed risk analysis grounded in real attacker TTPs. The foundational SRA artifact every covered entity and BA is required to maintain.
CSPM for AWS, Azure, and GCP environments storing or processing ePHI. Compliance scanning against HIPAA, NIST 800-66, CIS Benchmarks, and SOC 2 with remediation guidance.
CrowdStrike Falcon-powered endpoint protection for healthcare environments. Continuous platform monitoring with expert triage on confirmed incidents.
A HIPAA Penetration Test to satisfy §164.308(a)(8) and produce the auditor-defensible technical evaluation artifact. A HIPAA Security Risk Analysis to satisfy §164.308(a)(1)(ii)(A) with the pentest's confirmed findings flowing into the SRA's vulnerability catalog. Bundled, the combined engagement runs $12,000 to $35,000 — one set of stakeholder interviews, one BAA, one project, two strong artifacts.
Cloud security and managed AV are added when scope or CrowdStrike rollout warrants them. The free scoping call sorts what you actually need.
Three things healthcare clients consistently get from Brickell that they don't get from larger vendors or scan-only shops.
No handoff to a junior, no offshore queue, no sales engineer who wasn't on the technical work. The same GIAC-credentialed operator who scoped your engagement is on every step from recon through retest.
Threat catalogs, exploit chains, and risk ratings calibrated against what attackers actually do — not template libraries. The same operator perspective that runs internal red team work at Fortune 500 enterprises, applied at SMB-and-mid-market price points.
Every artifact is structured for defensibility against OCR, HIPAA auditor, and cyber insurance review. The compliance officer or board chair can hand it directly to their reviewer without translation.
Engagements run 4 to 6 weeks — not 4 to 6 months. Direct comms with the operator throughout. No PMO ticket queue. If something needs to move, it moves.
A 10-page PDF: the 30-minute questionnaire we walk every healthcare client through before quoting. Free, no fluff.
Most healthcare orgs that have worked with both report the same pattern: large vendors deliver consistent process but generic findings; boutique firms deliver depth, accountability, and engagement velocity. For HIPAA pentests in particular, boutique works better because the same operator runs every step from scoping to retest — there's no handoff to a junior, no offshore queue, and no scope creep from a sales engineer who wasn't on the technical work.
Yes — for every healthcare engagement, including SRA-only work where ePHI may be discussed in interviews. We have standard language ready or we sign yours. This is table stakes; we never start technical work without it.
Small practices are precisely the orgs OCR has been targeting in recent enforcement actions — small dental and specialty practices have produced some of the highest per-record fines in healthcare. The HIPAA Security Rule applies regardless of size, and breach economics scale linearly with patient count. The right question is not "are we big enough," it's "what's the right scope of engagement for our size," which is exactly what the free scoping call is for.
Partially, and not enough to satisfy HIPAA. Your EHR vendor is responsible for the EHR platform; you remain responsible for everything around it — workstations, network, identity, integrations, the patient portal layer, internal data exports, devices accessing the EHR, and BAA compliance with downstream vendors. The boundary of responsibility is laid out in your BAA with the EHR vendor — and almost always covers far less than buyers assume.
Hospitals and health systems, clinical and testing laboratories, medical practices and specialty clinics, telehealth platforms, healthtech companies, business associates handling PHI on behalf of covered entities, and research institutions. We have particular focus on clinical labs and HIPAA-regulated SMBs in South Florida.
Free 30-minute scoping call. We'll map your environment, recommend the right engagement combination for your size and audit drivers, and tell you exactly what it would cost.