HIPAA Compliance Built from Automated Evidence

Risk analysis generated from infrastructure scans, not spreadsheets. 100% of technical safeguards covered by automated checks. Assessment-ready in weeks.

Book a HIPAA Assessment NPRM 2026 Changes Guide

45 CFR 164

NIST SP 800-30

292 Prowler Checks

OSCAL Native

hipaa-scan-pipeline

$ run-scan.sh --framework hipaa --profile client-prod

[1/9] Using pre-configured profile: client-prod

[2/9] Running Prowler (HIPAA Security Rule)...

✓ 292 findings across 32 requirements

[4/9] OSCAL emitter (full enrichment: CCI + POA&M)...

✓ assessment-results.json + component-definition.json

[5/9] Running HIPAA Risk Analysis (NIST SP 800-30)...

(including exposure observations from 6 sources)

✓ risk-register.json + risk-matrix.md + treatment-plan.md

3 CRITICAL risks (credential exposure, unencrypted transmission)

[8/9] Rendering HIPAA deliverable report...

✓ Pipeline complete. HIPAA evidence package signed.

// automated coverage

100% Technical Safeguard Coverage

Every HIPAA technical safeguard requirement has at least one automated check. Most have three or more.

HIPAA requirements with automated checks

100% coverage

292

Prowler checks mapped to HIPAA safeguards

upstream automated

grc-eng extension checks

18 exposure + 12 SOCFortress

Exposure evidence sources

breach intel + attack surface

// the pipeline

From Scan to Risk Register in 30 Minutes

Infrastructure scanning, risk analysis, and evidence collection in a single automated pipeline.

Scan & Assess

Prowler scans your AWS environment against 292 HIPAA-mapped checks covering §164.312 technical safeguards. Exposure evidence collected from breach databases, Shodan, and certificate transparency logs.

Analyze Risk

NIST SP 800-30 Rev 1 risk assessment maps every finding to threat sources, calculates likelihood and impact, and produces a prioritized risk register with 30/60/90-day treatment timelines.

Deliver Evidence

OSCAL assessment results, risk register, treatment plan, and POA&M exported as machine-readable JSON and human-readable markdown. SHA256-signed evidence chain from scan to deliverable.

// nist sp 800-30

Automated Risk Analysis

Your §164.308(a)(1)(ii)(A) risk analysis generated from real infrastructure data, not a questionnaire.

risk-matrix.md

High

Mod

Low

Likelihood (rows) × Impact (columns) = Risk Level
Source: NIST SP 800-30 Rev 1, Table I-2

Evidence-Based Risk Scoring

✓Prowler findings mapped to NIST SP 800-30 threat sources and events
✓Exposure observations (HIBP, Shodan, certificate transparency) feed likelihood scores
✓Impact assessed per §164.308 risk analysis requirements: confidentiality, integrity, availability of ePHI
✓Risk register with 30/60/90-day remediation timelines and responsible parties
✓Treatment plan options: mitigate, transfer, accept, avoid — with cost estimates
✓Credential exposure findings from breach databases auto-escalated to CRITICAL

// exposure evidence

Attack Surface Meets Compliance

External exposure evidence mapped to HIPAA safeguard requirements. Breach intelligence informs your risk register, not a separate silo.

🔒

Credential Breach Intelligence

HIBP, LeakCheck, and Dehashed feeds detect exposed credentials tied to your domain. Auto-escalated to CRITICAL risk with 30-day remediation timeline.

§164.312(d) · Person or Entity Authentication

🌐

Attack Surface Discovery

Shodan and certificate transparency logs map exposed services and TLS certificates. Unencrypted ePHI transmission paths flagged automatically.

§164.312(e)(1) · Transmission Security

🛡

DNS & Impersonation Monitoring

DNSTwist identifies typosquat and homoglyph domains targeting your brand. Catches phishing infrastructure before credential harvesting begins.

§164.308(a)(5)(ii)(B) · Protection from Malicious Software

📈

EPSS + KEV Prioritization

FIRST EPSS probability scores and CISA KEV catalog focus remediation on vulnerabilities with known exploitation. Risk-ranked, not CVSS-ranked.

§164.308(a)(1)(ii)(A) · Risk Analysis

🏥

HC3 Threat Advisories

HHS Health Sector Cybersecurity Coordination Center (HC3) advisories mapped to your HIPAA safeguard gaps. Healthcare-specific threat intelligence.

§164.308(a)(1)(ii)(B) · Risk Management

📑

Compliance-Mapped Evidence

Every exposure finding maps to a specific HIPAA CFR citation with automated check IDs. No manual cross-referencing needed.

§164.312(b) · Audit Controls

// ephi boundary

ePHI Boundary Monitoring

SOCFortress CoPilot deployed inside your environment for continuous ePHI access monitoring, incident response, and audit evidence.

Your ePHI Boundary

AWS VPC RDS (ePHI) S3 Buckets EC2 Instances

SOCFortress CoPilot (in-boundary)

Wazuh SIEM Graylog Velociraptor DFIR-IRIS Shuffle SOAR

CoPilot never leaves your boundary — ePHI telemetry stays in your infrastructure

Detect. Respond. Prove.

✓12 SOCFortress evidence checks across 7 HIPAA requirements (§164.312(b), §164.308(a)(6), §164.308(a)(1))
✓Wazuh agents on every ePHI-touching host for real-time file integrity monitoring
✓Graylog log aggregation satisfying §164.312(b) audit control requirements
✓DFIR-IRIS incident case management for §164.308(a)(6) security incident procedures
✓Velociraptor endpoint forensics for breach investigation evidence preservation
✓Evidence collected via CoPilot API — machine-readable, timestamped, signed

// dual framework

CMMC + HIPAA in One Pipeline

Defense contractors handling both CUI and ePHI get a single scan that covers both frameworks. One pipeline, two compliance stories.

CMMC Level 2

NIST SP 800-171 Rev 2

110 controls, 320 assessment objectives. SPRS scoring, C3PAO-ready OSCAL artifacts, and SSP-as-code pipeline.

392 Prowler checks

24 grc-eng extensions

12 SOCFortress checks

HIPAA Security Rule

45 CFR 164 Technical Safeguards

32 requirements, NIST SP 800-30 risk analysis, exposure evidence, and ePHI boundary monitoring.

292 Prowler checks

18 grc-eng extensions

12 SOCFortress checks


        $ run-scan.sh --framework dual --profile client-prod

// hipaa engagements

Start Where You Are

Every engagement begins with scanning your actual infrastructure. No questionnaires.

Phase 1

HIPAA Ready

$8-15k

2-week delivery

Prowler scan of AWS against HIPAA safeguards
NIST SP 800-30 risk analysis with risk register
Exposure evidence from 6 external sources
Gap analysis with remediation priority
Executive summary deliverable

Get Started

Phase 2

HIPAA Pipeline

$35-60k

90-day delivery

Everything in HIPAA Ready
SOCFortress CoPilot deployment (in-boundary)
OSCAL evidence package with provenance
Continuous risk register updates
CI/CD gates for infrastructure changes
NPRM readiness assessment

Book a Demo

Ongoing

Managed HIPAA

$3-5k/mo

Continuous

Continuous Prowler + exposure monitoring
SOCFortress CoPilot managed operations
Monthly risk register refresh
Evidence freshness SLA
Quarterly risk trend reports

Learn More

// before the call

Scope it yourself first

These tools answer the questions we'll ask in the first 10 minutes. Come prepared and we'll spend the call on architecture, not discovery.

HIPAA Readiness Quiz

8 questions, 3 minutes →

Breach Cost Calculator

Quantify your risk exposure →

2026 HIPAA Changes

What's new in the NPRM →

Healthcare Threat Intel

Live KEV + ransomware data →

Engagement Pricing

What we charge →

// get started

Book a HIPAA Assessment

See your risk register in 30 minutes.

We scan your AWS environment against HIPAA technical safeguards, run exposure evidence collection, and generate a NIST SP 800-30 risk register. No questionnaires, no NDAs required for the initial scan.

✉

admin@cobaltsystems.io

🕑

30-min live scan with risk analysis

🔒

Read-only IAM role, no write access

We recommend this tool to help improve and optimize your compliance posture. Our approach is designed to enhance security outcomes and strengthen your organization against evolving threats.