HIPAA Compliance Built from Automated Evidence

Risk analysis generated from infrastructure scans, not spreadsheets. 100% of technical safeguards covered by automated checks. Assessment-ready in weeks.

45 CFR 164 · NIST SP 800-30 · 292 Prowler Checks · OSCAL Native
hipaa-scan-pipeline
$ run-scan.sh --framework hipaa --profile client-prod
[1/9] Using pre-configured profile: client-prod
[2/9] Running Prowler (HIPAA Security Rule)...
✓ 292 findings across 32 requirements
[4/9] OSCAL emitter (full enrichment: CCI + POA&M)...
✓ assessment-results.json + component-definition.json
[5/9] Running HIPAA Risk Analysis (NIST SP 800-30)...
(including exposure observations from 6 sources)
✓ risk-register.json + risk-matrix.md + treatment-plan.md
3 CRITICAL risks (credential exposure, unencrypted transmission)
[8/9] Rendering HIPAA deliverable report...
✓ Pipeline complete. HIPAA evidence package signed.
$

100% Technical Safeguard Coverage

Every HIPAA technical safeguard requirement has at least one automated check. Most have three or more.

  • 32 HIPAA requirements with automated checks (100% coverage)
  • 292 Prowler checks mapped to HIPAA safeguards (upstream, automated)
  • 30 grc-eng extension checks (18 exposure + 12 SOCFortress)
  • 6 exposure evidence sources (breach intel + attack surface)

From Scan to Risk Register in 30 Minutes

Infrastructure scanning, risk analysis, and evidence collection in a single automated pipeline.

01 · Scan & Assess

Prowler scans your AWS environment against 292 HIPAA-mapped checks covering §164.312 technical safeguards. Exposure evidence collected from breach databases, Shodan, and certificate transparency logs.

02 · Analyze Risk

NIST SP 800-30 Rev 1 risk assessment maps every finding to threat sources, calculates likelihood and impact, and produces a prioritized risk register with 30/60/90-day treatment timelines.

03 · Deliver Evidence

OSCAL assessment results, risk register, treatment plan, and POA&M exported as machine-readable JSON and human-readable markdown. SHA256-signed evidence chain from scan to deliverable.

Automated Risk Analysis

Your §164.308(a)(1)(ii)(A) risk analysis generated from real infrastructure data, not a questionnaire.

risk-matrix.md

                    Impact
Likelihood    VL     Low    Mod    High   VH
VH            VL     L      M      H      VH
High          VL     L      M      H      H
Mod           VL     L      M      M      H
Low           VL     VL     L      L      M
VL            VL     VL     VL     L      L

Likelihood (rows) × Impact (columns) = Risk Level
Source: NIST SP 800-30 Rev 1, Table I-2

Evidence-Based Risk Scoring

  • Prowler findings mapped to NIST SP 800-30 threat sources and events
  • Exposure observations (HIBP, Shodan, certificate transparency) feed likelihood scores
  • Impact assessed per §164.308 risk analysis requirements: confidentiality, integrity, availability of ePHI
  • Risk register with 30/60/90-day remediation timelines and responsible parties
  • Treatment plan options: mitigate, transfer, accept, avoid — with cost estimates
  • Credential exposure findings from breach databases auto-escalated to CRITICAL
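The scoring described above (matrix lookup, exposure-informed likelihood, credential-exposure escalation, 30/60/90-day timelines) as an added worked example in Python. It is an illustration written for this page, not the vendor's pipeline code. The matrix cells are the ones rendered in risk-matrix.md; the one-level likelihood bump for corroborating exposure, the per-level due dates other than CRITICAL, the default treatment options, and the sample check IDs and assets are assumptions constructed for the example.

```python
"""Risk scoring worked example (added illustration, not the vendor's pipeline).

Combines scanner findings with external exposure observations into a
NIST SP 800-30 Rev 1 style risk register. The matrix values are the ones shown
in risk-matrix.md; the likelihood bump, timelines and default treatments are
assumptions made for this example.
"""
from dataclasses import dataclass

LEVELS = ["VL", "L", "M", "H", "VH"]  # Very Low .. Very High

# Likelihood (rows) x Impact (columns) -> risk level, as rendered on the page
RISK_MATRIX = {
    "VH": ["VL", "L", "M", "H", "VH"],
    "H":  ["VL", "L", "M", "H", "H"],
    "M":  ["VL", "L", "M", "M", "H"],
    "L":  ["VL", "VL", "L", "L", "M"],
    "VL": ["VL", "VL", "VL", "L", "L"],
}

# Assumed remediation windows; the page only fixes CRITICAL at 30 days
DUE_DAYS = {"CRITICAL": 30, "VH": 30, "H": 60, "M": 90, "L": None, "VL": None}
# Assumed default treatment option per level (mitigate / transfer / accept / avoid)
TREATMENT = {"CRITICAL": "mitigate", "VH": "mitigate", "H": "mitigate",
             "M": "mitigate", "L": "accept", "VL": "accept"}
RANK = {"CRITICAL": 5, "VH": 4, "H": 3, "M": 2, "L": 1, "VL": 0}


@dataclass
class Finding:
    """A failed scanner check already mapped to a HIPAA citation."""
    check_id: str
    citation: str
    asset: str
    likelihood: str
    impact: str
    source: str = "prowler"


@dataclass
class Exposure:
    """An external observation (breach intel or attack surface) about an asset."""
    asset: str
    source: str   # e.g. "hibp", "shodan", "ct-logs"
    kind: str     # "credential", "open-service", "expired-cert"


def risk_level(likelihood, impact):
    """Look up the matrix cell for a likelihood/impact pair."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def bump(level, steps=1):
    """Raise a level by `steps`, saturating at VH."""
    return LEVELS[min(len(LEVELS) - 1, LEVELS.index(level) + steps)]


def score_finding(finding, exposures):
    """Score one finding; corroborating exposure on the same asset raises likelihood (assumption)."""
    corroborating = [e for e in exposures if e.asset == finding.asset]
    likelihood = bump(finding.likelihood) if corroborating else finding.likelihood
    level = risk_level(likelihood, finding.impact)
    return {
        "id": finding.check_id, "citation": finding.citation, "asset": finding.asset,
        "likelihood": likelihood, "impact": finding.impact, "risk": level,
        "evidence": [finding.source] + sorted({e.source for e in corroborating}),
        "treatment": TREATMENT[level], "due_days": DUE_DAYS[level],
    }


def score_credential_exposure(exposure):
    """Page rule: breach-database credential exposure is auto-escalated to CRITICAL, 30 days."""
    return {
        "id": f"exposure:{exposure.source}:credential", "citation": "§164.312(d)",
        "asset": exposure.asset, "likelihood": "VH", "impact": "VH", "risk": "CRITICAL",
        "evidence": [exposure.source], "treatment": "mitigate", "due_days": 30,
    }


def build_register(findings, exposures):
    """Produce the risk register, highest risk first."""
    rows = [score_finding(f, exposures) for f in findings]
    rows += [score_credential_exposure(e) for e in exposures if e.kind == "credential"]
    return sorted(rows, key=lambda r: -RANK[r["risk"]])


# Constructed sample input: check ids follow Prowler's naming style but are illustrative
FINDINGS = [
    Finding("rds_instance_storage_encrypted", "§164.312(a)(2)(iv)", "rds:ephi-prod", "M", "H"),
    Finding("elb_ssl_listeners", "§164.312(e)(1)", "elb:patient-portal", "M", "H"),
    Finding("cloudtrail_multi_region_enabled", "§164.312(b)", "account:111122223333", "L", "M"),
]
EXPOSURES = [
    Exposure("elb:patient-portal", "shodan", "open-service"),
    Exposure("example.com", "hibp", "credential"),
]

if __name__ == "__main__":
    for row in build_register(FINDINGS, EXPOSURES):
        print(f"{row['risk']:<8} {row['citation']:<20} {row['asset']:<22} "
              f"due={row['due_days']} evidence={','.join(row['evidence'])}")
```

Running the sample yields four register rows: the HIBP credential exposure at CRITICAL (30 days), the load balancer TLS finding raised from Moderate to High likelihood by the Shodan observation, the RDS encryption finding at Moderate, and the CloudTrail finding at Low. The point of carrying the exposure sources into the `evidence` column is that each register row cites both the scanner check and the external observation that shaped its score, which is what makes the register defensible in an assessment.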

Attack Surface Meets Compliance

External exposure evidence mapped to HIPAA safeguard requirements. Breach intelligence informs your risk register, not a separate silo.

Credential Breach Intelligence

HIBP, LeakCheck, and Dehashed feeds detect exposed credentials tied to your domain. Auto-escalated to CRITICAL risk with 30-day remediation timeline.

§164.312(d) · Person or Entity Authentication

Attack Surface Discovery

Shodan and certificate transparency logs map exposed services and TLS certificates. Unencrypted ePHI transmission paths flagged automatically.

§164.312(e)(1) · Transmission Security

DNS & Impersonation Monitoring

DNSTwist identifies typosquat and homoglyph domains targeting your brand. Catches phishing infrastructure before credential harvesting begins.

§164.308(a)(5)(ii)(B) · Protection from Malicious Software

EPSS + KEV Prioritization

FIRST EPSS probability scores and CISA KEV catalog focus remediation on vulnerabilities with known exploitation. Risk-ranked, not CVSS-ranked.

§164.308(a)(1)(ii)(A) · Risk Analysis

HC3 Threat Advisories

HHS Health Sector Cybersecurity Coordination Center (HC3) advisories mapped to your HIPAA safeguard gaps. Healthcare-specific threat intelligence.

§164.308(a)(1)(ii)(B) · Risk Management

Compliance-Mapped Evidence

Every exposure finding maps to a specific HIPAA CFR citation with automated check IDs. No manual cross-referencing needed.

§164.312(b) · Audit Controls

ePHI Boundary Monitoring

SOCFortress CoPilot deployed inside your environment for continuous ePHI access monitoring, incident response, and audit evidence.

Your ePHI Boundary: AWS VPC containing RDS (ePHI), S3 buckets, and EC2 instances
SOCFortress CoPilot (in-boundary): Wazuh SIEM, Graylog, Velociraptor, DFIR-IRIS, Shuffle SOAR
CoPilot never leaves your boundary — ePHI telemetry stays in your infrastructure

Detect. Respond. Prove.

  • 12 SOCFortress evidence checks across 7 HIPAA requirements (§164.312(b), §164.308(a)(6), §164.308(a)(1))
  • Wazuh agents on every ePHI-touching host for real-time file integrity monitoring
  • Graylog log aggregation satisfying §164.312(b) audit control requirements
  • DFIR-IRIS incident case management for §164.308(a)(6) security incident procedures
  • Velociraptor endpoint forensics for breach investigation evidence preservation
  • Evidence collected via CoPilot API — machine-readable, timestamped, signed

HIPAA Security Rule NPRM: The Biggest Update in 20 Years

The proposed rule (90 Fed. Reg. 898) eliminates the addressable/required distinction. MFA, encryption, and 72-hour breach notification all become mandatory. Organizations that start preparing now will be ready when the final rule drops.

CMMC + HIPAA in One Pipeline

Defense contractors handling both CUI and ePHI get a single scan that covers both frameworks. One pipeline, two compliance stories.

CMMC Level 2 · NIST SP 800-171 Rev 2

110 controls, 320 assessment objectives. SPRS scoring, C3PAO-ready OSCAL artifacts, and SSP-as-code pipeline.

  • 392 Prowler checks
  • 24 grc-eng extensions
  • 12 SOCFortress checks

HIPAA Security Rule · 45 CFR 164 Technical Safeguards

32 requirements, NIST SP 800-30 risk analysis, exposure evidence, and ePHI boundary monitoring.

  • 292 Prowler checks
  • 18 grc-eng extensions
  • 12 SOCFortress checks

$ run-scan.sh --framework dual --profile client-prod

Start Where You Are

Every engagement begins with scanning your actual infrastructure. No questionnaires.

Phase 1 · HIPAA Ready · $8-15k · 2-week delivery
  • Prowler scan of AWS against HIPAA safeguards
  • NIST SP 800-30 risk analysis with risk register
  • Exposure evidence from 6 external sources
  • Gap analysis with remediation priority
  • Executive summary deliverable

Ongoing · Managed HIPAA · $3-5k/mo · Continuous
  • Continuous Prowler + exposure monitoring
  • SOCFortress CoPilot managed operations
  • Monthly risk register refresh
  • Evidence freshness SLA
  • Quarterly risk trend reports

Book a HIPAA Assessment

See your risk register in 30 minutes.

We scan your AWS environment against HIPAA technical safeguards, run exposure evidence collection, and generate a NIST SP 800-30 risk register. No questionnaires, no NDAs required for the initial scan.

  • 30-min live scan with risk analysis
  • Read-only IAM role, no write access

Need HIPAA + CMMC L2 from a single pipeline?
We'll scan your environment and show you what dual-framework evidence looks like — in 30 minutes.