Hospitals & Clinics

Pentest for Hospitals and Clinics

Protect electronic health records, hospital systems and medical devices against ransomware and patient data breaches.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

Hospitals are the #1 ransomware target in Brazil — a single attack can shut down ICUs, delay surgeries and expose records of thousands of patients, triggering fines up to BRL 50M under LGPD and class actions for collective moral damages.

Applicable regulation

LGPD · Resolução CFM 1.821/2007 · Portaria GM/MS 2.073/2011 (PEP) · ISO 27799

/attack-surface

Vectors we test in hospitals & clinics

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01 · Electronic health records (EHR)

Access control audit, segregation of medical roles, logs and integrity of clinical records.

02 · Medical devices (IoMT)

Analysis of infusion pumps, monitors, imaging equipment and devices connected to the hospital network.

03 · Patient portal

IDOR testing for unauthorized access to other patients' records, exams and reports.

04 · Health insurance integration

Authorization APIs, TISS billing and data exchange with health insurers.

05 · Clinical vs administrative Wi-Fi

Validation of segregation between patient network, medical equipment and back office.

06 · Backup and recovery

Backup immutability testing and real RTO under ransomware scenarios.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Prior engagements with large hospital institutions, including Santa Casa de Misericórdia (Portugal).

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.

Douglas Lopes

Founder · CEO · intrus.io

/faq

FAQ — Hospitals & Clinics

Can the pentest disrupt the hospital's systems?

No. We work in mirror environments or in controlled windows with agreed-upon red flags. Critical operations such as the ICU and the surgical center are never touched without prior alignment.

Do you help with LGPD compliance?

Yes. The technical report includes a mapping of findings against LGPD articles and prioritized recommendations for the DPO/data officer.

/contact

Ready for a serious pentest in hospitals & clinics?

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.