// FREE RESOURCE

The HIPAA Pentest Scoping Checklist

The 30-minute questionnaire we walk every healthcare client through before quoting an engagement. Built for compliance officers, IT leaders, and security teams at HIPAA-regulated organizations.

Most healthcare orgs scope pentests poorly — not because their team is inexperienced, but because no one ever hands them the right questions until they're already three quotes deep. This checklist is the document we wish more clients walked into a scoping call already holding.

What's inside

  • Engagement driver framework — map why you're testing to what scope makes sense
  • PHI data inventory — EHR, LIS, PACS, billing, telehealth, research
  • Asset inventory worksheet — networks, apps, APIs, cloud, endpoints
  • Framework mapping — HIPAA, HITRUST, SOC 2, NIST, PCI when relevant
  • Engagement logistics — BAA stance, blackout dates, escalation paths
  • What your auditor will ask — the 10 questions OCR investigators, HIPAA compliance auditors, and cyber-insurance reviewers actually run through
  • HIPAA Security Rule quick-reference — pentest-relevant citations, with what each section actually requires (the Rule never names penetration testing; the closest hook is the periodic technical and nontechnical evaluation required by 45 CFR § 164.308(a)(8))

10 pages. PDF. Signed, stamped, no marketing fluff.

Get the Checklist

PDF download — no email confirmation required.

By submitting, you agree to receive occasional emails about HIPAA security from Brickell Technologies. Unsubscribe anytime. We don't share your data.

  • GXPN — GIAC Exploit Researcher and Advanced Penetration Tester
  • GMOB — GIAC Mobile Device Security Analyst
  • 10 pages — PDF, brand-styled, print-ready
  • Free — no paywall, no upsell, no obligation

Already Done the Homework?

If you've already mapped your scope, skip the checklist and book a 30-minute scoping call directly.