Healthcare security

HIPAA-aligned security monitoring, for the apps that touch patient data.

Continuous, production-safe monitoring across patient portals, telehealth platforms, and clinician tools. Audit-ready evidence mapped to HIPAA Technical Safeguards.

The healthcare reality

The constraints every healthcare team works under.

PHI

Patient data protection

Patient portals, telehealth platforms, and clinician tools handle PHI across the public surface. A single misconfigured header or DNS record can expose enough metadata to trigger an OCR investigation.

HIPAA

Continuous compliance evidence

HIPAA Technical Safeguards (§164.312) expect ongoing transmission security, audit controls, and integrity monitoring. One-off scans before a deadline don't satisfy auditors looking for a record of continuous coverage.

Uptime

Care continuity

Security testing has to be production-safe. Healthcare apps can't tolerate aggressive probes, mid-procedure outages, or data mutation. Every Barrion default check is fully passive and read-only.

How Barrion fits

Continuous monitoring, audit-ready by default.

Coverage

HIPAA-aligned web checks

TLS, security headers, cookies, CORS, DNS, email auth, and 30+ additional checks mapped to §164.312(a)(1) Access Control, (c)(1) Integrity, and (e)(1) Transmission Security.

Evidence

Audit-ready PDFs and CSVs

Every scan produces a timestamped report with severity-ranked findings and remediation status. Hand it to your auditor or attach it to an OCR response without scrambling.

Alerts

Real-time drift detection

Continuous monitoring catches the moment a TLS cert expires, a header is dropped, or a third-party patient-portal vendor pushes a regression. Alerts route to Slack, Teams, or email.

Safe

Production-safe by default

Default scans never submit forms, never touch authenticated routes, and never alter data. Safe to run against patient-facing production.
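As an added illustration of the passive, read-only web checks described above (example code, not Barrion's own), the following Python reviews the headers of one HTTPS response that has already been captured and reports findings against the §164.312 controls this page cites. The specific header-to-control mapping, the severities and the sample headers are this example's own assumptions.

```python
# Added example, not Barrion's code: a passive review of one HTTPS response's
# headers, reported against the §164.312 controls this page cites. The
# header-to-control mapping is this example's own assumption. Nothing is sent;
# the input is the (name, value) pairs exactly as a browser or client saw them.
def check_response_headers(headers):
    """Return (control, severity, issue) findings for one response."""
    lower, set_cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            set_cookies.append(value)      # Set-Cookie repeats, keep every one
        else:
            lower[name.lower()] = value
    findings = []

    # (e)(1) Transmission Security: without HSTS a later http:// visit is not upgraded.
    if not lower.get("strict-transport-security"):
        findings.append(("164.312(e)(1)", "high", "Strict-Transport-Security missing"))

    # (a)(1) Access Control: wildcard origin plus credentials lets any site read
    # an authenticated response from a logged-in patient's browser.
    if (lower.get("access-control-allow-origin") == "*"
            and lower.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append(("164.312(a)(1)", "high", "CORS wildcard origin with credentials"))

    # (a)(1) Access Control: session cookies need Secure (TLS only) and HttpOnly.
    for raw in set_cookies:
        parts = [p.strip() for p in raw.split(";")]
        cname = parts[0].split("=", 1)[0]
        flags = {p.lower() for p in parts[1:]}
        for flag, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if flag not in flags:
                findings.append(("164.312(a)(1)", "medium", f"cookie {cname} lacks {label}"))

    # (c)(1) Integrity: nosniff stops the browser re-typing a response body.
    if lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("164.312(c)(1)", "low", "X-Content-Type-Options: nosniff missing"))
    return findings

# Constructed sample (not captured from any real site) as a patient portal
# might return it: no HSTS, permissive CORS, one session cookie without Secure.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=xyz789; Path=/; Secure; HttpOnly"),
]
if __name__ == "__main__":
    for control, severity, issue in check_response_headers(SAMPLE_HEADERS):
        print(f"{control:15} {severity:7} {issue}")
```

The same function can be run over headers captured from any environment, since it only reads what the server already sent.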

FAQ

Healthcare security, answered.

Do we need to sign a BAA to use Barrion?
Default Barrion scans only touch publicly observable web surfaces (TLS, headers, cookies, CORS, DNS, email auth, common DAST checks) and do not handle, store, or transmit PHI, so a BAA is generally not required for the default configuration. If you opt into authenticated scans against endpoints that handle PHI, we can sign a BAA on Business and Enterprise plans before enabling those scans.

How does this fit with our 42 CFR Part 2 or HITECH obligations?
Barrion provides continuous evidence on the technical safeguards layer of your web tier, which is one piece of the broader HITECH and 42 CFR Part 2 picture. Date-stamped scan exports map to HIPAA Security Rule controls and can be attached to your compliance evidence package; they do not replace the administrative, physical, or workforce-training controls those frameworks also require. Most healthcare teams pair Barrion with a GRC tool for the non-technical surface.

Can Barrion scan our FHIR or HL7 endpoints?
Yes, for the HTTP transport layer: Barrion will check TLS, security headers, authentication surfaces, CORS, and other web-tier hygiene on FHIR REST endpoints. It does not parse FHIR resources or HL7 message payloads; we observe transport and headers, not the clinical data inside the response.

What about telehealth video endpoints?
We monitor the signalling and HTTP control surface around telehealth platforms, the web app, auth endpoints, session setup APIs, and TURN/STUN signalling endpoints exposed over HTTPS. We do not probe WebRTC media streams or attempt to join live calls; media-plane testing belongs to specialised tooling, not a production-safe DAST.

Run a HIPAA-aligned scan.

Free first scan, no setup, no credit card. Upgrade for continuous monitoring and audit-ready PDF + CSV exports.