HIPAA
What it is — The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that establishes requirements for protecting sensitive patient health information. The HIPAA Security Rule specifies administrative, physical, and technical safeguards that covered entities and business associates must implement to protect electronic protected health information (ePHI).
Appsec relevance — The Security Rule’s Technical Safeguards (§164.312) require access control, audit controls, integrity controls, person or entity authentication, and transmission security for systems that handle ePHI. The obligations bind the covered entity or business associate, but web applications and APIs that process, store, or display patient data are in-scope systems, so weaknesses in them are weaknesses in those safeguards.
How Detectify Supports HIPAA
| Requirement | What it requires | Detectify Capability | Coverage |
|---|---|---|---|
| §164.312(a)(1) | Implement technical policies and procedures to restrict access to ePHI to authorized persons and processes | Detects authentication and authorization vulnerabilities that could lead to unauthorized ePHI access: CWE-287 , CWE-306 , CWE-284 | Full (detection) |
| §164.312(c)(1) | Implement policies and procedures to protect ePHI from improper alteration or destruction | Detects injection vulnerabilities that could compromise data integrity: CWE-89 , CWE-94 , CWE-78 | Full (detection) |
| §164.312(e)(1) | Implement technical security measures to guard against unauthorized access to ePHI during electronic transmission | Detects cleartext transmission, weak encryption, and cleartext storage of sensitive data: CWE-319 , CWE-326 , CWE-312 | Full (detection) |
| §164.308(a)(8) | Perform periodic technical and nontechnical evaluations of security measures | Scheduled scanning with historical reports provides ongoing evidence for the technical portion of the evaluation | Full (technical evaluation) |
| §164.308(a)(1)(ii)(A) | Conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI | CVSS scoring and vulnerability reports support risk analysis processes | Partial |
Important distinction: Detectify detects vulnerabilities that could lead to HIPAA violations — it does not implement the safeguards themselves. For example, Detectify can detect that a web application has an authentication bypass (a failure of the §164.312(a)(1) access control safeguard), but it does not provide the authentication or authorization mechanism; fixing the finding is still the application owner's job.
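To make the detection-versus-implementation distinction concrete, here is an added illustration (not Detectify code, and not from the original page): a patient-record endpoint modelled as plain Python functions, a black-box probe that behaves the way a DAST check for unauthorized access would (call the endpoint as an unauthenticated and as an unrelated caller and flag any ePHI that comes back), and the hardened handler that actually supplies the §164.312(a)(1) safeguard. The patient identifiers, roles, and record contents are constructed sample data.

```python
"""Added example: what a scanner can detect (CWE-306 / CWE-284 on an ePHI
endpoint) versus what the access control safeguard itself looks like.
All identifiers and records below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed ePHI store; in a real system this is the database behind the API.
PATIENTS: Dict[str, dict] = {
    "p-1001": {"name": "Patient One", "diagnosis": "example-dx-A"},
    "p-1002": {"name": "Patient Two", "diagnosis": "example-dx-B"},
}


@dataclass
class Session:
    """Authenticated principal. `treats` lists patient ids a clinician may view."""
    user_id: str
    role: str  # "patient" or "clinician"
    treats: Set[str] = field(default_factory=set)


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def get_record_vulnerable(session: Optional[Session], patient_id: str) -> Optional[dict]:
    """Vulnerable handler: anyone who knows a patient id gets the record.
    No authentication check (CWE-306) and no authorization check (CWE-284)."""
    return PATIENTS.get(patient_id)


def get_record_hardened(session: Optional[Session], patient_id: str) -> Optional[dict]:
    """Hardened handler: the access control safeguard lives here, not in the scanner."""
    if session is None:
        raise Forbidden("authentication required")          # closes CWE-306
    is_self = session.role == "patient" and session.user_id == patient_id
    is_treating = session.role == "clinician" and patient_id in session.treats
    if not (is_self or is_treating):
        raise Forbidden("caller not authorized for this record")  # closes CWE-284
    return PATIENTS.get(patient_id)


Endpoint = Callable[[Optional[Session], str], Optional[dict]]


def probe_unauthorized_access(endpoint: Endpoint, known_patient_id: str) -> List[str]:
    """Black-box probe in the spirit of a DAST check: request a known record as
    callers who must not see it and report a finding whenever ePHI is returned.
    The probe only observes behaviour; it cannot add the missing check."""
    callers = [
        ("unauthenticated caller", None),
        ("unrelated patient", Session(user_id="p-9999", role="patient")),
        ("non-treating clinician", Session(user_id="dr-42", role="clinician")),
    ]
    findings = []
    for label, sess in callers:
        try:
            record = endpoint(sess, known_patient_id)
        except Forbidden:
            continue  # rejected: no finding for this caller
        if record is not None:
            findings.append(f"{label} retrieved ePHI for {known_patient_id}")
    return findings


if __name__ == "__main__":
    for name, ep in [("vulnerable", get_record_vulnerable), ("hardened", get_record_hardened)]:
        print(name, probe_unauthorized_access(ep, "p-1001"))
```

Run against the vulnerable handler the probe returns three findings; against the hardened one it returns none, while a patient reading their own record or a clinician listed as treating that patient still succeeds. The scanner's output is the finding list; the safeguard is the `Forbidden` branch in `get_record_hardened`, which the application team has to write and deploy.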
What Detectify Covers
Detectify supports HIPAA compliance by identifying technical vulnerabilities in web applications and APIs that handle ePHI. It provides evidence of regular security evaluation (§164.308(a)(8)) through scheduled scans and historical reporting. Vulnerability detection maps directly to the Technical Safeguards for access control, integrity, and transmission security.
HIPAA’s Administrative Safeguards (workforce training, security management processes, contingency planning) and Physical Safeguards (facility access, workstation controls) are entirely outside DAST scope, as are Technical Safeguards that depend on controls inside the application and its infrastructure rather than on externally observable behaviour, such as audit controls (§164.312(b)).
Complementary Tools You May Need
- Access management / IAM — For implementing §164.312(a)(1) access controls
- Encryption solutions — For implementing §164.312(e)(1) transmission security
- Audit logging — For §164.312(b) audit controls
- Endpoint protection — For workstation and device security
- Security awareness training — For administrative safeguard compliance
- Backup and disaster recovery — For contingency plan requirements