THE CLIENT
Our client is a multi-site regional healthcare network operating across four locations in the western United States, serving approximately 85,000 patients annually. The organization maintains extensive electronic protected health information across clinical, administrative, and billing systems — including an on-premises EHR platform, a cloud-hosted patient portal, and a network of connected medical devices.
For seven consecutive years, the organization had engaged the same cybersecurity vendor for its annual penetration test. Year after year, reports came back with a similar profile — a handful of medium findings, some patch recommendations, and a clean bill of health on anything critical. Leadership believed their security program was mature.
OUR APPROACH
A comprehensive penetration test of a healthcare network requires more than checklist compliance. Our process begins with in-depth reconnaissance to identify the technical and procedural attack paths unique to clinical environments.
We emulate real-world adversaries across both the digital and physical layers, from on-premises servers to medical devices. Every step is coordinated with the client's team so that testing exposes vulnerabilities without disrupting clinical operations.
ASSESSMENT CHECKLIST
✓ External Network
✓ Internal Network
✓ Active Directory
✓ Web Applications
✓ Microsoft 365
✓ Wireless Networks
✓ Medical Devices
✓ Physical Security
OUR FINDINGS
Critical: Domain Compromise via Kerberoasting Attack Chain
A chain of Active Directory misconfigurations, including Kerberoasting (requesting Kerberos service tickets for accounts that have a service principal name and cracking the service account's password offline from the ticket material, which any authenticated domain user can do), allowed escalation from a standard user account to Domain Administrator in under four hours. From that position every system on the network was accessible.
Critical: Patient Portal Authentication Bypass
A broken access control vulnerability (an insecure direct object reference) allowed unauthenticated access to patient records: the portal returned the record named by a predictable URL parameter without checking that the requester was logged in or entitled to that record. Approximately 350,000 patient records were accessible without valid credentials.
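The pattern behind this finding, shown as an added illustration rather than the portal's actual code: a record endpoint that trusts the identifier in the URL, beside a hardened version that authenticates the caller and then authorises that caller for the specific record. The record store, session shape, identifiers and URL are constructed for the example.

```python
"""
Added illustration (not the patient portal's code): an insecure direct object
reference (IDOR) on a record endpoint, beside the hardened handler.

The vulnerable handler returns whatever record the `id` parameter names and never
asks who is requesting it, so anyone can walk /records?id=1000, 1001, ...
The hardened handler requires a session and checks that the session's principal
is entitled to that particular record before returning it.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed in-memory record store keyed by a sequential, guessable id.
RECORDS = {
    1001: {"patient_id": "P-1", "mrn": "MRN-0001", "diagnosis": "hypertension"},
    1002: {"patient_id": "P-2", "mrn": "MRN-0002", "diagnosis": "asthma"},
    1003: {"patient_id": "P-3", "mrn": "MRN-0003", "diagnosis": "type 2 diabetes"},
}


@dataclass(frozen=True)
class Session:
    user_id: str          # the authenticated principal (patient or clinician)
    patients: frozenset   # patient ids this principal is entitled to view


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def _record_id_from_url(url: str) -> Optional[int]:
    """Parse the `id` query parameter; None if absent or not an integer."""
    qs = parse_qs(urlparse(url).query)
    try:
        return int(qs["id"][0])
    except (KeyError, IndexError, ValueError):
        return None


def get_record_vulnerable(url: str, session: Optional[Session]):
    """Broken access control: the id alone decides what is returned.
    `session` is accepted but never consulted."""
    return RECORDS.get(_record_id_from_url(url))


def get_record_hardened(url: str, session: Optional[Session]):
    """Object-level authorisation: authenticate first, then authorise per record."""
    if session is None:
        raise Unauthenticated("login required")
    record = RECORDS.get(_record_id_from_url(url))
    # A missing record and a record the caller may not see get the same response,
    # so the endpoint does not become an oracle for which ids exist.
    if record is None or record["patient_id"] not in session.patients:
        raise Forbidden("not authorised for this record")
    return record


def enumerate_records(handler, session, start=1000, stop=1010):
    """Walk a range of predictable ids the way an attacker would; return what leaks."""
    leaked = []
    for rid in range(start, stop):
        try:
            rec = handler(f"https://portal.example/records?id={rid}", session)
        except (Unauthenticated, Forbidden):
            continue
        if rec is not None:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    print("unauthenticated, vulnerable:", enumerate_records(get_record_vulnerable, None))
    print("unauthenticated, hardened:  ", enumerate_records(get_record_hardened, None))
    me = Session(user_id="P-2", patients=frozenset({"P-2"}))
    print("patient P-2, hardened:      ", enumerate_records(get_record_hardened, me))
```

The fix is not to make the identifier unguessable; it is the per-request check that the authenticated principal is entitled to the object the identifier names. An unpredictable id is at best a secondary control.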
Critical: Unpatched CVEs on Internet-Facing Systems
Three internet-facing systems ran software with publicly known critical vulnerabilities, two with published exploit code available. The oldest CVE had been documented for six years. None appeared in previous vendor reports.
High: No Segmentation Between Clinical and Administrative Networks
There was no network segmentation between the clinical and administrative environments. Compromising any administrative workstation gave direct network access to the systems that medical devices were connected to.
High: 34 Stale Domain Admin Accounts
34 Domain Administrator accounts belonging to former employees and contractors remained enabled and privileged. Twelve had not had a password change in over three years.
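The two Active Directory findings above (Kerberoastable service accounts, and stale or departed Domain Admins) come out of the same account audit. The following is an added example, not Thorium's tooling: it runs the two checks over a constructed user export. The CSV is constructed for the example; its columns are named after the AD attributes a flattened Get-ADUser export would carry, with PasswordLastSet written as ISO 8601 and multi-valued attributes joined with semicolons.

```python
"""
Added example (not the assessment tooling): audit a constructed AD user export for
  1. Kerberoastable accounts: any enabled user with a servicePrincipalName can have a
     service ticket requested by any domain user and its password cracked offline;
     privileged accounts with old passwords are the ones that lead to domain compromise.
  2. Stale privileged accounts: Domain Admins with passwords older than the policy
     window, marked as departed, or disabled yet still in the group.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed export. Column names follow the AD attributes; values are invented.
EXPORT = """\
SamAccountName,Enabled,PasswordLastSet,ServicePrincipalName,MemberOf,Description
svc_sql,True,2019-03-11T08:00:00Z,MSSQLSvc/sql01.corp.example:1433,CN=Domain Admins;CN=SQL Admins,SQL service
svc_backup,True,2023-10-02T08:00:00Z,backup/bk01.corp.example,,Backup agent
jdoe,True,2024-05-01T08:00:00Z,,CN=Domain Admins,IT Director
contractor7,True,2020-01-15T08:00:00Z,,CN=Domain Admins,Contractor - departed 2021
asmith,False,2018-06-20T08:00:00Z,,CN=Domain Admins,Former sysadmin
nurse1,True,2024-11-11T08:00:00Z,,CN=Clinical Users,
"""

DOMAIN_ADMINS = "CN=Domain Admins"
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # fixed "today" so results are reproducible


def load_export(text):
    """Parse the CSV into dicts with typed Enabled/PasswordLastSet and a MemberOf list."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["Enabled"] = r["Enabled"] == "True"
        r["PasswordLastSet"] = datetime.fromisoformat(r["PasswordLastSet"].replace("Z", "+00:00"))
        r["MemberOf"] = [g for g in r["MemberOf"].split(";") if g]
        rows.append(r)
    return rows


def kerberoastable(rows, now=NOW, max_age=timedelta(days=365)):
    """Enabled accounts with an SPN, as (name, is_domain_admin, password_older_than_max_age),
    ordered so privileged accounts with old passwords come first."""
    hits = []
    for r in rows:
        if r["Enabled"] and r["ServicePrincipalName"]:
            privileged = DOMAIN_ADMINS in r["MemberOf"]
            old = (now - r["PasswordLastSet"]) > max_age
            hits.append((r["SamAccountName"], privileged, old))
    return sorted(hits, key=lambda h: (not h[1], not h[2], h[0]))


def stale_domain_admins(rows, now=NOW, max_age=timedelta(days=365)):
    """Domain Admins that should not be privileged any more, with the reasons."""
    stale = []
    for r in rows:
        if DOMAIN_ADMINS not in r["MemberOf"]:
            continue
        reasons = []
        if (now - r["PasswordLastSet"]) > max_age:
            reasons.append("password age")
        if any(w in r["Description"].lower() for w in ("departed", "former")):
            reasons.append("departed")
        if not r["Enabled"]:
            reasons.append("disabled but still privileged")
        if reasons:
            stale.append((r["SamAccountName"], reasons))
    return stale


if __name__ == "__main__":
    rows = load_export(EXPORT)
    for name, priv, old in kerberoastable(rows):
        print(f"kerberoastable: {name:12} domain_admin={priv} old_password={old}")
    for name, reasons in stale_domain_admins(rows):
        print(f"stale DA:       {name:12} {', '.join(reasons)}")
```

Against a real domain the same checks run from an LDAP query for `(servicePrincipalName=*)` and the membership of Domain Admins (including nested groups, which this example does not expand); a service account that is both Kerberoastable and a Domain Admin is the short path from standard user to full domain compromise.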
High: Microsoft 365 — Legacy Auth Enabled, MFA Not Enforced
Legacy authentication protocols (basic-authentication IMAP, POP3, SMTP AUTH and similar), which cannot complete MFA, were still enabled and were not covered by any Conditional Access policy, so they bypassed those policies entirely. MFA was not enforced for any account, including administrative roles. A credential spray against these endpoints would succeed with any valid password without triggering any access control.
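What a spray over legacy authentication looks like in the sign-in logs, and the detection a practitioner would want in place while the protocols are being disabled. This is an added example, not the organisation's log pipeline. The sign-in records are constructed; the field names (userPrincipalName, ipAddress, clientAppUsed, status.errorCode) follow the Microsoft Graph signIn resource, and error code 50126 is Entra ID's "invalid username or password" result.

```python
"""
Added example (not the organisation's tooling): flag a credential spray arriving
over legacy authentication in Entra ID sign-in records.

A spray tries one or two passwords against many accounts from one source. Over
legacy protocols the only thing that can stop a correct guess is a Conditional
Access policy that blocks legacy clients outright, because those clients never
reach the MFA step.
"""
import json
from collections import defaultdict

# clientAppUsed values that indicate legacy (non-modern) authentication.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients",
    "Exchange Web Services", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
}
INVALID_PASSWORD = 50126   # Entra ID error code: invalid username or password
SUCCESS = 0

# Constructed sign-in records, one JSON object per line as an exported log would be:
# twelve failures against twelve different users from one IP over IMAP4, one success
# from the same IP, and an unrelated browser sign-in that should not be flagged.
SAMPLE_SIGNINS = [json.dumps(r) for r in (
    [{"userPrincipalName": f"user{i}@corp.example", "ipAddress": "203.0.113.7",
      "clientAppUsed": "IMAP4", "status": {"errorCode": INVALID_PASSWORD}}
     for i in range(1, 13)]
    + [{"userPrincipalName": "user12@corp.example", "ipAddress": "203.0.113.7",
        "clientAppUsed": "IMAP4", "status": {"errorCode": SUCCESS}},
       {"userPrincipalName": "jdoe@corp.example", "ipAddress": "198.51.100.4",
        "clientAppUsed": "Browser", "status": {"errorCode": INVALID_PASSWORD}},
       {"userPrincipalName": "jdoe@corp.example", "ipAddress": "198.51.100.4",
        "clientAppUsed": "Browser", "status": {"errorCode": SUCCESS}}]
)]


def detect_legacy_spray(lines, min_distinct_users=10):
    """Group legacy-auth sign-ins by source IP and flag any IP that fails against
    at least `min_distinct_users` distinct accounts.
    Returns {ip: {"attempted": n_distinct_users, "succeeded": [upns]}}."""
    per_ip = defaultdict(lambda: {"failed_users": set(), "succeeded": set()})
    for line in lines:
        rec = json.loads(line)
        if rec.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue   # modern auth is subject to MFA and Conditional Access; out of scope here
        bucket = per_ip[rec["ipAddress"]]
        code = rec["status"]["errorCode"]
        if code == INVALID_PASSWORD:
            bucket["failed_users"].add(rec["userPrincipalName"])
        elif code == SUCCESS:
            bucket["succeeded"].add(rec["userPrincipalName"])
    flagged = {}
    for ip, b in per_ip.items():
        if len(b["failed_users"]) >= min_distinct_users:
            flagged[ip] = {"attempted": len(b["failed_users"]),
                           "succeeded": sorted(b["succeeded"])}
    return flagged


if __name__ == "__main__":
    for ip, detail in detect_legacy_spray(SAMPLE_SIGNINS).items():
        print(f"spray from {ip}: {detail['attempted']} accounts tried, "
              f"compromised: {detail['succeeded'] or 'none'}")
```

The "succeeded" list is the part that matters for response: a successful legacy-auth sign-in from a spraying source is a compromised mailbox, not a false positive, and the account needs a credential reset before legacy protocols are switched off for the tenant.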
REMEDIATION SUPPORT
1. Immediate Triage
Within 24 hours of each critical finding, Thorium briefed the IT Director and HIPAA Security Officer so that interim mitigations were in place while permanent fixes were developed.
2. Prioritized Remediation Roadmap
All 47 findings organized by severity, complexity, and dependency, so the IT team could work through fixes in a logical sequence.
3. Technical Advisory Support
On-demand technical guidance throughout the 94-day remediation window: answering questions, validating approaches, and helping the team understand root causes.
4. Full Retest and Validation
A complete retest confirmed 43 of 47 findings fully remediated. The remaining four had accepted-risk documentation and a defined remediation timeline.
Compliance Outcomes
Following remediation, Thorium conducted a comprehensive HIPAA Security Rule compliance audit. The engagement produced a formal risk analysis reflecting the organization's actual security posture, gap remediation documentation, and updated security policies aligned to current framework requirements.
An independent HIPAA auditor confirmed Thorium's documentation package met the requirements of a compliant risk analysis. The organization's HIPAA Security Officer described it as the first time she felt genuinely confident in the organization's compliance posture.
Annual Penetration Testing
Full-scope testing conducted annually, building on prior-year knowledge to identify new vulnerabilities introduced through system changes and evolving attack techniques.
Routine Vulnerability Scanning
Scheduled internal vulnerability scans conducted monthly from Thorium's on-site assessment appliance, with prioritized findings delivered as a monthly summary.
Advisory Consulting
On-demand advisory support for the IT Director and HIPAA Security Officer — vendor reviews, policy updates, and senior-level guidance when security decisions require it.
Ad-Hoc Testing
Assessments of applications in development, new equipment, and systems on an as-needed basis.

Thorium Information Security, LLC.
Hayden, Idaho, USA
(208) 352-2877
Sales@ThoriumInfosec.com