For Healthcare Organizations
Healthcare Penetration Testing Program
HIPAA-aligned penetration testing and vulnerability scanning, scoped for healthcare and priced annually so compliance planning does not need a fresh scoping cycle every year.
Why Now
Built around the proposed HIPAA Security Rule update
The proposed update to the HIPAA Security Rule formalizes annual penetration testing and semi-annual vulnerability scanning as expected technical safeguards for regulated entities. This program is built specifically to meet that cadence in a way that fits how small and mid-size healthcare organizations actually operate.
Scope guard rails, deliverables, and pricing are set in advance, so audit-readiness work fits into a known annual rhythm instead of a per-engagement scoping exercise.
Why TrustFoundry
Built for healthcare, audit, and compliance
Compliance and audit readiness are first-class outputs of the program, not paperwork bolted on at the end.
HIPAA audit trail by design
Every assessment produces timestamped changelogs, peer review records, consultant assignments, and evidence chains automatically. When an auditor asks who tested what, when, and how, the answer lives in the platform, not in someone's inbox.
Real-time findings visibility
Critical issues are documented as they are discovered, not held until the final report. Your team can start remediating during the engagement, not after, and download Finding Notification PDFs to brief leadership before delivery.
Risk acceptance for legacy and medical devices
Healthcare environments have findings that cannot be remediated immediately (certified medical devices, legacy clinical systems, vendor-locked applications). Formally accept risk on specific findings with documented reason and responsible party. Auditable, defensible, ready for compliance review.
Your own client portal
Log in with your corporate identity (Okta, Azure AD, or generic OIDC), see findings as they are approved, request retests, export to JIRA, and download reports on your schedule. No back-and-forth with the consultant for status.
The Team
People who pentest every day, not occasionally
Platform features matter, but the people doing the testing matter more. TrustFoundry is a dedicated pentest practice with a senior team that has been doing this for over a decade.
Pentest-focused since 2014
TrustFoundry is a dedicated penetration testing firm. Over a decade of focused offensive security work means consistent methodology, deep technical depth, and a team that does this work every day.
Senior consultants on every finding
Every finding is reviewed by a senior consultant before delivery. The people who shaped our methodology are the same people approving your report. AI quality review is a second pass on top, not a substitute. Team holds OSCP, OSWE, BSCP, CRTP, CRTO, and GIAC certifications across the practice.
High customer satisfaction
A high percentage of our customers renew their annual program with us. The consultant scoping your renewal usually knows your environment from last cycle, which keeps work grounded and back-and-forth minimal.
What's Included
Four annual deliverables in every tier
The same compliance cadence runs across every tier. Tiers differ in scope guard rails and the depth of effort behind each deliverable, not in what is delivered.
External Vulnerability Scan
2 per year
Semi-annual commercial scanner sweep of the external pentest scope. Authenticated remediation guidance, no manual exploitation.
Internal Vulnerability Scan
2 per year
Semi-annual commercial scanner sweep of the internal pentest scope, run through a deployed scan host or VPN session.
External Penetration Test
1 per year
Manual external attack simulation against in-scope live IPs and web presence. Unauthenticated testing of marketing sites and external portals is included. Remediation testing on confirmed findings.
Internal Penetration Test
1 per year
Annual internal network and Active Directory attack simulation, including lateral movement, privilege escalation, and AD hardening review.
Unauthenticated external web applications (marketing sites, basic portals) are covered by the external penetration test. Deeper testing of authenticated or PHI-handling web applications is available as a sized add-on below. Most facilities will not need it.
Three Tiers
Pick the size that matches your environment
Each tier ships with the same four annual deliverables and a published annual flat price. Scope outside the guard rails is handled with add-ons, not a re-quote.
Small
Under 50 employees
Target Customer
Single site, cloud-hosted EHR, simple web presence (marketing site or light portal). Independent practices, dental groups, small specialty clinics.
Scope Guard Rails
- Up to 5 external IPs
- Up to 50 internal IPs, single AD domain, single site
Medium
50 to 250 employees
Target Customer
One to three sites, custom or self-hosted clinical apps, moderate external footprint. Regional medical groups, mid-size specialty practices, ambulatory networks.
Scope Guard Rails
- Up to 25 external IPs
- Up to 250 internal IPs, single AD domain, up to 3 subnets
Large
250+ employees
Target Customer
Multi-site or regional, complex environment, self-hosted clinical apps with PHI workflows. Regional hospitals, large medical groups, multi-specialty networks.
Scope Guard Rails
- Up to 100 external IPs
- Up to 1,000 internal IPs, single AD forest, multiple sites
Program pricing reflects standardized scope and channel partner delivery. Custom-scoped engagements are priced separately.
Add-Ons
Optional extensions, priced per unit
Available within any tier. Pricing is published so you can budget without a custom proposal.
| Add-On | Price |
|---|---|
| Additional external IP (above tier limit) | $100 / IP / scan event |
| Web application pentest, simple (e.g., appointment request form, basic info portal) | $6,750 / year |
| Web application pentest, moderate (e.g., patient scheduling, secure messaging, 1 user role) | $8,550 / year |
| Web application pentest, complex (e.g., patient portal with PHI, telehealth, EHR-connected) | $12,375 / year |
| Phishing campaign (email, 1 round) | $2,500 / year |
| Wireless testing (single site) | $3,500 / year |
| Additional internal site | $5,000 / year |
| Medical device testing | Custom quote |
Web app size is determined by the amount of authenticated functionality, number of user roles, and complexity of workflows. Unauthenticated testing of sites is covered by the external pentest. We confirm sizing during scoping, so you only pay for what your application actually needs. Apps outside these sizes are quoted separately.
Delivered with channel partners
This program is delivered in partnership with select MSPs and channel partners that serve healthcare organizations across the region. TrustFoundry consultants perform the testing and authoring. Your partner stays in the loop for remediation context and reporting handoff.
Every report passes our quality gate
Every finding is reviewed by a senior consultant and run through our AI quality gate before delivery. Reports include a full audit trail in our Hexecution platform, useful for HIPAA documentation and for proving the work to auditors.
Ready to scope your healthcare program?
Tell us your size, sites, and AD footprint. We will confirm the right tier, walk through guard rails and any likely add-ons, and put a clean annual quote in front of you.