/compliance · HIPAA (US)

Pentest HIPAA: Security Rule, Breach Notification

Pentest of the HIPAA Security Rule (Administrative, Physical and Technical Safeguards) plus Breach Notification. For Business Associates (BAs) serving US healthcare.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

A Brazilian healthtech selling to US healthcare is a Business Associate (BA) under HIPAA. BAA signed, OCR audit active, fines of up to US$ 1.9M per violation. A HIPAA pentest is an essential part of the BAA; without it, the client cancels the contract.

Standard and reference

  • HIPAA Privacy Rule
  • HIPAA Security Rule (45 CFR §164.308-316)
  • HITECH Act
  • OCR Audit Protocol

/attack-surface

HIPAA (US)

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01

Technical Safeguards (§164.312)

Access control, audit controls, integrity, transmission security.

02

Administrative Safeguards (§164.308)

Risk analysis, workforce training, contingency, incident procedures.

03

Physical Safeguards (§164.310)

Facility access, workstation security, device controls.

04

ePHI handling

Encryption at rest and in transit, PHI segregation, data minimization.

05

Breach Notification (§164.404-408)

Detection runbook, breach analysis, notification to OCR and to affected individuals.

06

Business Associate Agreement

Technical validation of the BAA obligations, due diligence on sub-BAs.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Brazilian healthtech companies with US clients, under BAAs with American hospitals, payers and PBMs.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.


Douglas Lopes

Founder · CEO · intrus.io

/crivo · integrity program

87%

of pentester candidates fail our Crivo screening

Do you know who's getting access to your environment?

NDAs work in court. They don't work day-to-day. Before first access, every pentester on our team passes background, psychometric profile and integrity testing.

  • In-depth criminal, fiscal and professional verification
  • Psychometric assessment and risk profile
  • Practical integrity testing with controlled scenarios
  • Fixed team — non-rotating, no 'stranger every engagement'

/faq

FAQ — HIPAA (US)

Do you understand the OCR audit protocol?

Yes. We know the 169 control areas and map the pentest to the controls assessed in an audit.

Price range?

Small healthtech with ePHI: R$ 40-80k. Multi-tenant platform serving payers: R$ 80-200k.

/contact

Get a quote for a HIPAA pentest

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.