What HIPAA asks of the external attack surface
The HIPAA Security Rule is famously infrastructure-agnostic. It does not prescribe firewalls, TLS versions, or cipher suites. It prescribes outcomes: that electronic Protected Health Information (ePHI) is kept confidential, that it is protected from tampering, and that workforce members' handling of it is monitored and sanctioned when it is unsafe.
Several of those outcome obligations can be evaluated directly from outside the perimeter, without any access to covered systems. Three in particular are the ones auditors actually bring up:
- §164.308(a)(1)(ii)(A) — Risk analysis. You must have performed a reasonable analysis of the risks to ePHI, including external threats. An external exposure report is the most direct form of evidence that you have looked at what an attacker sees.
- §164.308(a)(1)(ii)(B) — Risk management. Implementing reasonable and appropriate measures to reduce risks to a reasonable and appropriate level. Missing DMARC, an exposed admin panel, or an end-of-life CMS on a marketing subdomain are all defensible findings here.
- §164.312(e)(1) — Transmission security. Implementing technical security measures to guard against unauthorised access to ePHI that is being transmitted over an electronic communications network. Wildcard certificates, mixed-content subdomains, and exposed HTTP-only endpoints show up under this control.
What Dhara checks, mapped to §164
| Control | Passive check | Example finding |
|---|---|---|
| §164.308(a)(1)(ii)(A) | Full external asset inventory from DNS + CT logs | Forgotten staging-app subdomain still resolving |
| §164.308(a)(1)(ii)(B) | Tech fingerprint against known end-of-life software | WordPress 5.9.x on marketing subdomain |
| §164.308(a)(5)(ii)(A) | DMARC / SPF / DKIM record posture | No _dmarc record published |
| §164.308(a)(5)(ii)(B) | Mail-server banner + public blocklist posture | Legacy mail gateway on a relay blocklist |
| §164.312(a)(1) | Identification of unauthenticated admin panels | grafana-staging returning 200 on /login |
| §164.312(b) | Historical URL review for audit-sensitive endpoints | Archived URLs referencing consent artefacts |
| §164.312(e)(1) | Certificate hygiene, wildcard sprawl, expired chains | Wildcard TLS covering retired hostnames |
| §164.312(e)(2)(ii) | Object-storage listing + directory listing on CDNs | ListBucketResult readable on assets subdomain |
Sample HIPAA finding
Wildcard TLS certificate covers retired staging hostnames
Certificate Transparency logs show a wildcard leaf issued 2025-09-12 that still covers subdomains resolving to parked IPs. Former pre-production hosts now resolve to attacker-controllable CNAMEs.
How to use this report in a HIPAA audit
The report is evidence under §164.308(a)(1)(ii)(A) that an external risk analysis was performed. Each finding is self-contained: control reference, asset identifier, evidence statement, and recommended corrective action. Most compliance reviewers will accept it as part of a broader security assessment package; a few will want it attached to your most recent internal risk assessment. Dhara reports are timestamped and include a verification URL so an auditor can confirm the report was not edited post-delivery.
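To make the mapping concrete, here is an added example (not Dhara's code) of two of the passive checks from the table, emitting findings in the four-field shape described above. The CT leaf entries, DNS inventory and TXT records are constructed sample data under the made-up domain example-clinic.test, and the "parked" state is an assumed label for hosts the entity no longer operates.

```python
from dataclasses import dataclass
from datetime import date
# Constructed sample inputs (not real data): CT_LEAVES mimics Certificate
# Transparency leaf entries, DNS_INVENTORY is the entity's own asset list, with
# "parked" marking hosts that no longer point at infrastructure it operates.
CT_LEAVES = [
    {"names": ["*.example-clinic.test"], "issued": date(2025, 9, 12)},
    {"names": ["portal.example-clinic.test"], "issued": date(2025, 6, 1)},
]
DNS_INVENTORY = {
    "portal.example-clinic.test": ("A", "203.0.113.10", "active"),
    "staging-old.example-clinic.test": ("CNAME", "old-app.third-party-host.test", "parked"),
    "qa2.example-clinic.test": ("A", "198.51.100.7", "parked"),
}
TXT_RECORDS = {"example-clinic.test": "v=spf1 include:_spf.mail.test -all"}  # no _dmarc

@dataclass
class Finding:  # the four fields the report describes for each finding
    control: str
    asset: str
    evidence: str
    action: str

def wildcard_covers(pattern: str, host: str) -> bool:
    """True if a single-label wildcard SAN such as *.x.test applies to host."""
    return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")

def check_wildcard_sprawl(leaves, inventory) -> list[Finding]:
    """§164.312(e)(1): wildcard leaves that still cover parked hostnames."""
    findings = []
    for leaf in leaves:
        for name in (n for n in leaf["names"] if n.startswith("*.")):
            parked = sorted(h for h, (_, _, state) in inventory.items()
                            if state == "parked" and wildcard_covers(name, h))
            if parked:
                findings.append(Finding("§164.312(e)(1)", name,
                    f"Wildcard leaf issued {leaf['issued']} still covers parked hosts: {', '.join(parked)}",
                    "Remove or re-point the parked DNS records; move live hosts to per-name certificates"))
    return findings

def check_dmarc(txt, domain) -> list[Finding]:
    """§164.308(a)(5)(ii)(A) as mapped above: is a DMARC policy published?"""
    if not txt.get(f"_dmarc.{domain}", "").lower().startswith("v=dmarc1"):
        return [Finding("§164.308(a)(5)(ii)(A)", domain, "No _dmarc record published",
                        "Publish a v=DMARC1 record with p=quarantine or p=reject and rua= reporting")]
    return []

def build_report(leaves, inventory, txt, domain) -> list[Finding]:
    return check_wildcard_sprawl(leaves, inventory) + check_dmarc(txt, domain)
```

Running build_report on the sample data yields two findings, one per control; in practice the DNS inventory and TXT lookups would come from live resolution rather than the embedded dictionaries.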