Healthcare environments are a sought-after target for malicious hackers
due to the high black-market value of health information.

Meditology’s certified ethical hackers and penetration testers will uncover vulnerabilities and misconfigurations that could potentially allow ransomware and hackers access to your critical information and systems.

Our deep understanding of healthcare environments allows us to conduct testing in a safe and effective manner to protect patient safety.

Our healthcare experience allows us to map technical testing results back to HIPAA, HITRUST, PCI-DSS, and NIST frameworks and requirements.

Meditology has extensive experience performing technical testing for large-scale health insurance companies, Business Associates, and leading healthcare providers across the country. We have also served as advisors to ONC/HHS on ethical hacking and medical device security.

Many health care organizations hire third-party firms to provide ethical hacking services. This stems from a shortage of qualified ethical hackers, along with a desire for an independent review of access controls.

While there are many different vendors that offer ethical hacking testing services, the quality and types of services vary. Review our tips below to make sure you identify the best security partner for your penetration testing needs.

Use the following tips to help select the right security partner for your ethical hacking testing:

The Vendor

Does the vendor have experience conducting penetration testing? Is health care the primary focus? What are the vendor’s qualifications in the industry? Is the vendor familiar with health care environments and their unique issues, health care applications, and medical equipment? Ask the vendor for references from healthcare organizations.

Regulatory Landscape

How well does the vendor know the health care regulatory landscape (e.g., HITRUST, NIST, SOC 2, HIPAA, HITECH, Omnibus, and PCI)?

Comprehensive Test

Does the vendor conduct a comprehensive test that includes many types of scenarios?

Testing and Assessments

Is the vendor only conducting a vulnerability scanning assessment? A penetration test consists of more than just identifying vulnerabilities. A thorough test also involves exploiting the vulnerabilities and manually testing for security holes that an automated tool might not be able to discover.

Security Weaknesses

Does the vendor try to gain access as well as identify an organization’s security weaknesses through the penetration tests?

Staff and Testing Methodologies

Is the vendor’s staff professional and do they know how to communicate the technical results through reporting and presentation to senior leadership and other non-technical stakeholders? Does the vendor have proven, tested tools and testing methodologies?

Minimize Impact

Can the vendor know how to minimize the potential for impacting patient safety and critical systems, including common health care applications, during vulnerability scanning activities?


Does the vendor provide clear, prescriptive, and tailored recommendations and offer advice to help an organization address and correct the weaknesses discovered during the testing?


  • Ranked #1 Best in KLAS for Cybersecurity Advisory Services in 2019 and 2020
  • HIPAA expert witness firm for OCR
  • Experienced CISOs and Privacy Officers
  • Dedicated to healthcare
  • Hundreds of clients coast to coast
  • Advisors to ONC / HHS

Dartmouth-Hitchcock has partnered with Meditology Services since 2012.

Over that period of time, they have helped with multiple projects, both large and small, repeatedly delivering as promised. We have come to trust their insights regarding regulatory issues and their vast experience of the healthcare industry when developing security policies, strategies and budgets. We regularly use their ethical hacking skills to test the effectiveness of our security program.  In summary, they have earned our trust and become an integral part of our security toolset.

Peter Merrill
Director of Information Systems, Dartmouth-Hitchcock Medical Center

Onsite Health Diagnostics has relied on Meditology Services for HIPAA security risk assessment and penetration testing since 2014.

Meditology’s information security services have provided OHD’s customers and business partners with confidence in the seriousness with which we take the our responsibility to protecting their highly sensitive data. We have been more than pleased with Meditology’s professionalism, diligence and responsiveness, and we look forward to working with them for years to come. Since our founding, OHD has been dedicated to exceptional client service, providing stress-free employee health screenings and workforce health data analytics. Our clients, who include Fortune 500 corporations, hospital systems, financial institutions, state & local governments and small businesses alike, rely on OHD’s commitment to privacy and security when it comes to their employee health data.

Kyle Alexander
CEO, Onsite Health Diagnostics