Insights

Field Notes from the
Healthcare Cyber Frontline

Practical writing from our team — what we see in the engagements, what's actually working, and where healthcare security is going next.

Featured · HIPAA

The HIPAA Risk Analysis Most Hospitals Are Doing Wrong

The Security Rule has required a risk analysis for two decades, but the Office for Civil Rights still cites it as the single most common HIPAA failure on every annual report. We unpack what auditors are actually looking for — and what most templates miss.

Ernest Karapetian· 11 min read· April 2025

Read the post

Recent Writing

Pentesting

Five Findings We See in Almost Every Patient Portal Pentest

From IDORs in messaging threads to broken FHIR scope checks — the patterns that show up in nearly every patient-portal engagement.

S. Reyes·8 min read

Compliance

SOC 2 vs HITRUST vs HIPAA: A Map for Health Tech Founders

If you've heard "we need SOC 2 to close this hospital deal," it's worth understanding what each framework actually buys you and what it costs.

M. Nguyen·13 min read

Strategy

What a Fractional CISO Actually Does in the First 90 Days

An honest week-by-week look at how a vCISO engagement gets stood up — and what to expect (and not expect) at each milestone.

Ernest Karapetian·10 min read

Threat

Why Ransomware Keeps Working in Hospital Environments

Not patch lag. Not user awareness. We break down the structural reasons hospital networks remain a target — and the controls that actually move the needle.

R. Torres·9 min read

Cloud