Case Study

Rural Healthcare Clinic Penetration Test and Vulnerability Assessments Protect Critical Funding

Overcoming Barriers to Success

The Challenge

A rural clinic in Montana operated with a single public IP and a small environment, so internal stakeholders believed their risk was minimal. At the same time, multiple third-party vendors had installed and managed camera systems and network equipment, creating external exposure that nobody at the clinic had inventoried.

The clinic lacked a clear, validated view of what was actually reachable from the internet and how that might impact patient data, operations, and funding.

Action Plan for Success

Goals

The clinic needed to satisfy state and federal grant requirements that called for ongoing vulnerability assessments and security auditing, not just a one‑time scan. They also wanted to align with broader compliance and cyber insurance expectations while keeping their environment simple and manageable.

Clear, business-language reporting that both technical staff and leadership could reuse with reviewers was a priority.

Identifying Key Dependencies

Needs

To accomplish these goals, the clinic required a fully manual penetration test of its external footprint rather than a generic automated scan. They needed recurring vulnerability assessments with CVE‑based reporting to demonstrate "ongoing" security work instead of one-time activity.

They also needed independent confirmation of vendor-introduced risks, especially around internet-facing systems and camera deployments.

The Solution

This engagement involved a rural healthcare clinic in Montana. Services included a manual external penetration test, a focused re‑test at the 90-day mark, and monthly vulnerability assessments with CVE‑based reports.

The work was structured to produce repeatable evidence of ongoing security activity that maps directly to the HIPAA rules and to the grant funding language, specifically the requirements around vulnerability management and security auditing.

Step-by-Step Execution

Actions We Took

We first performed a manual external penetration test, validating each issue by hand and focusing on what was truly exploitable from the internet. During this process, we identified legacy systems still covered by any/any firewall rules (rules permitting any source to reach any destination on any port), which significantly broadened the attack surface despite the small environment.

We also discovered that two vendors, a camera provider and a network support vendor, had left their equipment directly exposed to the internet, including management interfaces, and confirmed the presence of Hikvision cameras in the clinic's deployment.

After the initial test, we implemented monthly vulnerability assessments with CVE-mapped reports and, at the 90-day mark, ran a focused re‑test on all remediated items to verify that the issues were actually fixed.

The Results

The clinic eliminated any/any firewall rules and hardened the public IP by restricting it to only required services, tightening access controls, and improving configuration security.

Vendor managed systems were locked down, and expectations were reset so third party equipment could no longer be placed openly on the internet and left unprotected.
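To make the firewall remediation concrete, the following is an added example (not the clinic's configuration or the assessor's tooling) of the check a practitioner would run against a ruleset before and after hardening: it parses a simple text ruleset, flags any/any allow rules and management interfaces reachable from the internet, and emits the tightened ruleset that allows only business-justified services. The rule format, the management-port list, the sample addresses (203.0.113.0/24 documentation range) and the sample rules are all constructed for illustration.

```python
"""
Audit a simple firewall ruleset for the two exposure classes in the case study:
any/any allow rules and management interfaces reachable from the internet.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Ports that usually front a management interface rather than a public service.
# Assumption for this example; adjust to the devices actually in scope.
MANAGEMENT_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 3389: "rdp",
    8000: "web-admin", 8080: "web-admin-alt", 8443: "https-admin",
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src: str     # CIDR or "any"
    dst: str     # host/CIDR or "any"
    proto: str   # "tcp", "udp" or "any"
    dport: str   # port, "lo-hi" range, or "any"

    def covers_port(self, port: int) -> bool:
        """True if this rule's destination port spec includes `port`."""
        if self.dport == "any":
            return True
        if "-" in self.dport:
            lo, hi = (int(p) for p in self.dport.split("-"))
            return lo <= port <= hi
        return int(self.dport) == port


def parse_rules(text: str) -> List[Rule]:
    """Parse one rule per line: name action src dst proto dport. '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"malformed rule: {line!r}")
        name, action, src, dst, proto, dport = fields
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule {name}: {action}")
        rules.append(Rule(name, action, src.lower(), dst.lower(), proto.lower(), dport.lower()))
    return rules


def is_any_any(rule: Rule) -> bool:
    """An allow rule with no source, destination, protocol or port constraint."""
    return (rule.action == "allow" and rule.src == "any" and rule.dst == "any"
            and rule.proto == "any" and rule.dport == "any")


def audit(rules: Iterable[Rule], required: Set[Tuple[str, str, int]]) -> List[Tuple[str, str, str]]:
    """
    Return (rule name, severity, reason) findings. `required` holds the
    (dst, proto, port) triples the clinic actually needs exposed; any other
    inbound allow from 'any' that reaches a management port is flagged.
    """
    findings = []
    for rule in rules:
        if is_any_any(rule):
            findings.append((rule.name, "critical",
                             "any/any allow rule: every port on every host is reachable"))
            continue
        if rule.action != "allow" or rule.src != "any":
            continue
        for port, service in MANAGEMENT_PORTS.items():
            exposed = rule.covers_port(port) and rule.proto in ("any", "tcp")
            justified = (rule.dst, "tcp", port) in required
            if exposed and not justified:
                findings.append((rule.name, "high",
                                 f"{service} (tcp/{port}) on {rule.dst} reachable from the internet"))
    return findings


def restrict_to_required(required: Set[Tuple[str, str, int]]) -> List[Rule]:
    """Hardened ruleset: one explicit allow per required service, then deny all.
    Vendor-placed and any/any rules are dropped rather than narrowed."""
    hardened = [Rule(f"allow-{proto}-{port}", "allow", "any", dst, proto, str(port))
                for dst, proto, port in sorted(required)]
    hardened.append(Rule("deny-all", "deny", "any", "any", "any", "any"))
    return hardened


# Constructed ruleset modelled on the findings above (not the clinic's real config).
SAMPLE_RULES = """
# name          action  src   dst            proto dport
legacy-nvr      allow   any   any            any   any    # vendor-installed any/any rule
camera-mgmt     allow   any   203.0.113.10   tcp   8000   # camera web admin
camera-telnet   allow   any   203.0.113.10   tcp   23
vendor-ssh      allow   any   203.0.113.11   tcp   22     # network vendor's appliance
patient-portal  allow   any   203.0.113.1    tcp   443
vpn             allow   any   203.0.113.1    udp   1194
deny-all        deny    any   any            any   any
"""

# The only services the clinic decided it needs reachable from the internet (assumed).
REQUIRED = {("203.0.113.1", "tcp", 443), ("203.0.113.1", "udp", 1194)}

if __name__ == "__main__":
    for name, severity, reason in audit(parse_rules(SAMPLE_RULES), REQUIRED):
        print(f"[{severity}] {name}: {reason}")
    print("hardened:", [r.name for r in restrict_to_required(REQUIRED)])
```

Running the audit on the constructed ruleset reports the any/any rule as critical and the three vendor management ports as high; re-running it on the output of `restrict_to_required` produces no findings, which is the same "fixed, and verifiably so" evidence the 90-day re‑test was meant to provide.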

The Hikvision cameras were flagged as a potential regulatory and funding concern because of restrictions tied to that brand, so the clinic could address them with its reviewers before they became a problem.

The combination of the 90-day re‑test and the ongoing monthly assessments gave the clinic a clear evidence package demonstrating continuous vulnerability assessment and security auditing, helping it preserve critical state and federal funding.