Question 1

Can you test in production, or do you need a staging clone?

Accepted Answer

Both work. Production testing is supported with synthetic test accounts, coordinated rate limits, written rules-of-engagement, and pre-agreed exclusions for any blast-radius operations - we don't run anything destructive in production without explicit, documented approval. A staging clone is faster and lower-risk if it mirrors production configuration (IAM, KMS, network policies, IoT brokers, secrets management). We help you decide on the scoping call based on your risk tolerance and timeline.

Question 2

How do you handle PHI during testing?

Accepted Answer

We don't exfiltrate real PHI. Testing uses synthetic accounts and synthetic patient data wherever possible, and we structure scope to avoid PHI exposure entirely. When we identify a PHI exposure path during testing, we document the path and prove the issue with metadata only - record counts, schema, access scope - never with real patient records. We sign a Business Associate Agreement on request before any engagement, and our handling of any incidentally-observed PHI is documented in the BAA.

Question 3

Do you need IAM access to our cloud?

Accepted Answer

Read-only IAM access in the environment under test dramatically accelerates the engagement and produces deeper, more accurate findings - especially around tenant isolation, KMS policy, and IoT broker permissions. We can run a fully external black-box test, but expect to find less in the same window because we'll spend time inferring configuration that read-only access would simply tell us. We provide a least-privilege policy template you can attach to a temporary testing role.

Question 4

Will this satisfy HIPAA Security Rule requirements?

Accepted Answer

We test the HIPAA Security Rule technical safeguards directly: access control (164.312(a)), audit controls (164.312(b)), integrity (164.312(c)), person or entity authentication (164.312(d)), and transmission security (164.312(e)). Findings are produced with evidence aligned to each safeguard. HIPAA isn't a certification, so there's no pass / fail certificate - but our report is the substantive evidence your compliance team needs for the required risk analysis under 164.308(a)(1)(ii)(A) and feeds directly into SOC 2 and HITRUST work.

Question 5

What about FDA cybersecurity expectations?

Accepted Answer

Connected devices with cloud back-ends fall squarely inside the FDA's February 2026 final premarket cybersecurity guidance, and reviewers regularly cite cloud back-end testing gaps in deficiency letters. Our findings are mapped to your AAMI TIR57 threat model, the device-side controls they correspond to, and the eSTAR submission section that references them - so reviewers see end-to-end coverage from the radio on the device through the cloud control plane to the data store.

Question 6

Do you cover IoT Core / IoT Hub specifically?

Accepted Answer

Yes. Device certificate provisioning and lifecycle, MQTT topic ACLs, message routing rules, rule-engine logic, device shadow / device twin authorization, and the cloud-to-device command path are all in scope when the device channel is included. This is consistently one of the highest-yield areas in connected-device back-ends - misconfigured topic ACLs and over-scoped device policies show up frequently and tend to produce cross-tenant exposure when they do.

Question 7

Do you sign a Business Associate Agreement (BAA)?

Accepted Answer

Yes. We sign a BAA before any engagement that may incidentally expose us to PHI, and we treat the BAA as a precondition to kickoff rather than a closing-week paperwork item. Our standard BAA covers the testing engagement, any artifacts generated, and the post-engagement retention period. In practice we structure the work to avoid PHI exposure entirely - the BAA is the safety net, not the operating model.

Question 8

Can the report serve as SOC 2 evidence?

Accepted Answer

Yes. We map findings to SOC 2 Common Criteria - CC6 (logical and physical access), CC7 (system operations), and CC8 (change management) - so your auditor can use the report as direct evidence in their next examination without rework. The report format is one we've delivered to Big Four and mid-market CPA firms for SOC 2 Type II audits, and we'll coordinate directly with your auditor on evidence-format questions if helpful.

Question 9

What clouds do you cover?

Accepted Answer

AWS, Azure, and GCP - including the IoT services on each (IoT Core, IoT Hub, IoT Core for GCP), the managed identity systems (IAM, Entra ID, Cloud IAM), KMS equivalents (KMS, Key Vault, Cloud KMS), serverless platforms (Lambda, Functions, Cloud Functions and Cloud Run), and the data stores commonly used for PHI (RDS / Aurora, Cosmos DB, Cloud SQL, DynamoDB, Firestore). We can assess one cloud or all three in a single coordinated engagement.

Question 10

How does this fit alongside your firmware or BLE/RF service?

Accepted Answer

Most connected medical devices benefit from all three. PHI Cloud Backend covers what happens after data leaves the device - APIs, IAM, tenant isolation, KMS, IoT brokers, and the data store. BLE / RF covers the wireless transport. Firmware covers the device itself, including secure boot and the OTA update path. Bundle for full coverage with a single threat model and consolidated report, or scope à la carte to fill a specific gap or close a deficiency cited in an Additional Information letter.

PHI Cloud Pen Testing. Built for Connected Devices.

Why Generic Cloud Pen Tests Miss the Real Risk

Device Channel Untouched

No Tenant-Isolation Testing

HIPAA Mapped, Not Tested

What We Actually Test

Device-to-Cloud Channel

API & Authorization

Tenant Isolation & PHI

Cloud Infrastructure & Secrets

Engagement Methodology

Scoping & Architecture Review

Reconnaissance & Configuration Review

Active Testing

FDA + HIPAA + SOC 2 Reporting

Reviewer-ready deliverables in one engagement

Pricing Guidance

Single-Cloud, Single-Tenant

Multi-Tenant SaaS

Multi-Cloud / Enterprise

What drives the price

Related Premarket services

Full-Service FDA Premarket Cybersecurity

FDA Deficiency Response

FDA-Compliant SBOM Services

PHI Cloud Backend Pen Testing FAQs

Backed by MedTech leaders.

PHI Cloud Backend Penetration Testing - scoped, fixed-fee, FDA-ready.