Real manual exploitation for healthcare organizations and clinical laboratories that need a defensible technical evaluation — not a Nessus dump dressed up with a cover sheet.
Most "HIPAA pentests" on the market are vulnerability scans dressed up with a logo. They satisfy a checkbox on paper, then fail when an auditor asks what was actually exploited, what PHI was reachable, or whether segmentation between clinical and administrative networks held under attack.
Brickell Technologies takes a different approach. Every engagement is run manually by a GIAC-credentialed operator (GXPN for advanced exploitation, GMOB for mobile), scoped around the data that matters — protected health information — and reported in a format your compliance officer, your HHS auditor, your insurance carrier, and your IT team can all use.
This is the same operator perspective that runs internal red team campaigns at Fortune 500 enterprises, applied at SMB price points to a market historically served by scan-and-report shops.
A scanner finds a list of CVEs. It does not prove whether an attacker could reach PHI. It does not validate that your segmentation between front-of-house and clinical networks holds. It does not show whether sessions in your EHR can be hijacked, or whether your patient portal returns another patient's record when an identifier in the request is tampered with (an insecure direct object reference).
OCR investigators have grown more aggressive in asking what technical evaluation was actually performed under §164.308(a)(8). Cyber insurance carriers increasingly require evidence of exploitation, not just identification, before binding or renewing coverage. A scan-only deliverable creates audit risk on its own, and it tells you nothing about what your real exposure looks like.
Vulnerabilities are proven by exploitation, not just identified by scan. Where PHI is reachable, we prove the path. Where segmentation is supposed to hold, we test it under attack.
We test your environment with the data path in mind. Where can ePHI flow? Where could it leak? Where would an attacker pivot to reach it? Findings are framed in terms of patient data exposure, not abstract CVE numbers.
Two reports: an executive summary written for your compliance officer, board, or HHS auditor; and a technical findings document your IT team can act on directly. No translation required.
Every finding cross-referenced against §164.308 (Administrative), §164.310 (Physical), and §164.312 (Technical) Safeguards. Methodology aligned with OWASP, PTES, and NIST SP 800-115.
Business Associate Agreement signed before any engagement. We test paths, not patient records — synthetic and sandboxed accounts where possible. No real ePHI lives in deliverables.
Once you remediate, we retest the original findings and issue a formal attestation letter — a defensible artifact for your auditor, insurer, or board. Most scan-only vendors do not include this.
Deliverables built for the people who actually have to read the report.
Board- and auditor-ready report with risk posture, remediation timeline, and HIPAA Security Rule compliance mapping. The artifact you hand to leadership, your compliance officer, or your insurance broker.
Full technical detail on each finding: reproduction steps, exploitation path, affected systems, business impact framed in terms of PHI exposure, and specific remediation guidance.
A control-by-control table showing which §164.308 / §164.310 / §164.312 safeguards each finding maps to. It can be handed directly to a HIPAA auditor without translation.
After your team remediates, we retest the original findings and issue a signed attestation letter confirming what was resolved. Defensible documentation for your audit, insurer, or contract review.
The questions every healthcare buyer asks before signing.
A Business Associate Agreement is signed before scoping artifacts change hands. We have standard language ready, or we sign yours. Not a negotiation; not optional.
We test paths, not patient records. Synthetic accounts and sandboxed test data are used wherever possible. When real-data exposure must be demonstrated, scope and consent are explicit and gated.
No real ePHI in any report, screenshot, or artifact. Findings are illustrated with redacted evidence and anonymized identifiers.
All engagement artifacts move over encrypted channels and are purged 90 days after engagement close, or sooner on request.
From first call to attestation letter — typically 4 to 6 weeks.
30 minutes, no commitment. We map your data flows, identify what's in scope, and align on what a defensible engagement looks like for your environment and your auditor's expectations.
Business Associate Agreement signed. Rules of engagement, scope, timeline, and pricing locked in writing before any technical work begins.
Passive and authenticated discovery. We build a complete picture of your attack surface — internal and external — before active testing begins.
2 to 4 week window. Daily comms, no surprises. Critical findings reported immediately, not held until the final report. High-risk testing scheduled with explicit go/no-go gates.
Executive summary, technical findings document, HIPAA Security Rule mapping, and remediation roadmap. Walked through with your team in a debrief call — not just delivered as a PDF over email.
Once remediation is complete, we retest the original findings and issue a signed attestation letter. Final artifact for your auditor, insurer, or board.
10-page PDF: the same scoping questionnaire we walk every healthcare client through before quoting. Free, no fluff, signed and stamped.
Most HIPAA pentests at Brickell run $7,500 to $25,000, scoped to environment size — number of IPs, applications, cloud accounts, mobile apps, and whether segmentation or social engineering is in scope.
The free scoping call locks in scope and price before any commitment. No surprise overages, no padded line items.
Yes. A BAA is signed before any engagement begins. We treat this as table stakes for healthcare work and have standard language ready, or we can sign yours.
No. Active exploitation is performed in coordinated windows with explicit go/no-go gates. Anything with operational risk is scheduled with your team and gated behind sign-off and a rollback plan.
They satisfy different requirements. An SRA is the foundational risk analysis required by §164.308(a)(1)(ii)(A). A penetration test is one of the technical evaluation activities that satisfies the periodic evaluation requirement of §164.308(a)(8); the Security Rule does not name penetration testing specifically, but exploitation evidence is what auditors and carriers increasingly expect under it. Most healthcare organizations need both. We deliver both, standalone or bundled, with the SRA's threat catalog grounded in the same operator perspective that drives the pentest.
Yes. Reports are written specifically to be defensible against §164.308(a)(8) evaluation requirements and structured so they can be handed directly to a HIPAA auditor, OCR investigator, or insurance broker without translation.
Annually at minimum. Additionally after any significant infrastructure change (new EHR, cloud migration, M&A), before audits or insurance renewals, and following any major new contract that requires evidence of an evaluation activity.
We test the network they sit on and the management interfaces they expose to that network. We do not test FDA-regulated firmware (a different specialization). For device-level firmware testing we will refer you to a partner firm.
Free 30-minute scoping call. No commitment. We'll map your environment, define the right scope, and tell you exactly what an engagement would cost.