
Cybersecurity for healthcare that holds up under OCR audit.

Z Cyber is your cybersecurity operating partner for healthcare. Our security advisors run your HIPAA program on the Glance platform, manage your Business Associate Agreements, answer the security questionnaires your prospects send you, and remediate the risks we uncover, not just inventory them.

Glance dashboard (glance.ztekcyber.com), Meridian Health Network / HIPAA Overview, synced 3m ago:

HIPAA Readiness: 78/100 (+4 week over week)
BAA Coverage: 47/51 (4 in review)
Insurance Readiness: 82/100 (Grade B, rising)

Framework Coverage:
  • HIPAA Security Rule: 82%
  • 405(d) HICP: 71%
  • HITRUST CSF: 65%
  • NIST CSF 2.0: 74%
  • 42 CFR Part 2: 91%
  • SOC 2: 58%

Recent Activity (Executive Security Advisor):
  • Annual SRA filed to audit repository · 1h ago
  • BAA renewed: EHR vendor · 4h ago
  • Risk added: scribe AI vendor pending review
  • IS questionnaire returned · 142 controls

Connected to your healthcare data: EHR, HIE, lab systems, pharmacy, identity, EDR, email security, KnowBe4.

WHAT WE HEAR

The pressure healthcare security teams are under.

The federal breach record makes the trend unmistakable. See every U.S. healthcare breach affecting 500 or more individuals reported to HHS since 2009.

Our last HIPAA risk analysis was three years ago, and our cyber insurance just denied renewal.

How Z Cyber answers it

An annual, evidence-backed risk analysis mapped to 45 CFR § 164.308(a)(1)(ii)(A), delivered within 30 days, that holds up with OCR and your carrier.

We have dozens of BAAs and no idea what those vendors are actually doing with ePHI.

How Z Cyber answers it

BAA inventory, terms review, vendor risk scoring, and continuous monitoring, all inside Glance.

Our risk register is a vulnerability scan in a PDF. The board can't read it.

How Z Cyber answers it

A risk register framed in business assets (EHR uptime, lab and pharmacy systems, revenue management), in language the COO and CFO actually use.

GLANCE FOR HEALTHCARE

Everything you need to run a defensible healthcare cybersecurity program.

Glance is the platform Z Cyber operates on your behalf. Whether you have a CISO already, are between security leaders, or do not have one yet, we handle the work and your team sees the same single source of truth.

HIPAA Security Risk Assessment

Annual risk analysis mapped to 45 CFR § 164.308(a)(1)(ii)(A). Defensible under OCR audit, structured to satisfy your cyber insurance carrier, and ready to answer your largest customer's security review.

Take the assessment

HHS 405(d) Recognized Security Practices

We stand up the HHS 405(d) Health Industry Cybersecurity Practices (HICP) across all ten practice areas. HICP is one of the recognized security practices named in the HITECH Act as amended in 2021: if you can show the practices were in place for at least the prior twelve months, OCR must consider that when it sets penalties, scopes an audit, or resolves an enforcement action, which can lower fines and end an audit early. It is a mitigating factor, not a safe harbor, and it only counts if the practices were documented and operating before the incident.

Cyber insurance readiness

A live readiness score across the controls carriers actually underwrite (MFA, EDR, backups, incident response, email security, privileged access, and more), each with an evidence-confidence rating. We hand your broker a carrier-grade report instead of a scramble at renewal.

See the readiness model

Business Associate Agreement management

Every BAA inventoried, terms reviewed, vendor risk scored, and re-reviewed annually. EHR vendors, billing services, AI vendors, cloud infrastructure, MSPs, all tracked in one place inside Glance.

IS questionnaire response

Vendor security questionnaires from your prospects, partners, payors, and auditors handled by Glance's evidence library and our team. Consistent, audit-grade answers returned within 48 hours. Included in every healthcare engagement.

Medical device and IoMT security

Your connected medical devices governed under HICP Practice 9: a biomedical asset and risk inventory, segmentation away from clinical and corporate networks, SBOM and patch commitments at procurement, and monitoring against FDA and CISA device advisories.

Risk register to remediation

Risk register framed in business assets and patient-impact language. Prioritized mitigation plans with cost estimates. Evidence captured as the work progresses, ready for the next audit without a scramble.

OCR and Joint Commission audit readiness

A breach-notification playbook with the OCR clock built in, plus exception-to-policy and risk-acceptance repositories auditors actually want to see. Audit becomes a read-only access grant, not a two-week fire drill across IT, compliance, and clinical teams.

Clinical AI governance

NIST AI Risk Management Framework crosswalked to the HIPAA Security Rule, applied to diagnostic AI, scribe AI, clinical decision support, and AI scheduling. BAAs vetted, model risk profiled, drift monitored.

THE PLATFORM

See the platform we run your program on. Multi-tenant architecture, a healthcare-specific risk library, and the evidence engine behind every IS questionnaire.

See Glance →
Glance dashboard (glance.ztekcyber.com), Meridian Health Network / Findings, synced 3m ago:

Open Findings: 38 · Critical: 4 · High: 9 · Quick Wins: 12

Risk | Finding | Mapped control | Status
  • CRIT | ePHI stored unencrypted on legacy scheduling DB | HIPAA § 164.312(a)(2)(iv) | Remediating
  • CRIT | No BAA on file for AI scribe vendor | HIPAA § 164.308(b)(1) | Open
  • HIGH | MFA not enforced for EHR administrators | HIPAA § 164.312(d) | Remediating
  • HIGH | Audit logging disabled on pharmacy module | HIPAA § 164.312(b) | Open
  • MED | Risk analysis older than twelve months | HIPAA § 164.308(a)(1) | Resolved
  • LOW | Workstation auto-lock exceeds 15 minutes | HIPAA § 164.310(b) | Resolved

Ordered by risk and effort. Quick wins separated from program-level work.

HIPAA READINESS

One score, defensible under audit

A live HIPAA Security Rule readiness score your board and an OCR investigator can both follow.

FRAMEWORK COVERAGE

Answer once, map everywhere

HIPAA, HITRUST, NIST CSF and SOC 2 satisfied from a single healthcare-specific control set.

EVIDENCE ENGINE

Captured as the work happens

SRAs, BAAs and IS questionnaires logged automatically, so the next audit is already documented.

ONE CONTROL SET, EVERY FRAMEWORK

Answer once. Map to every framework healthcare reports to.

THE GLANCE CONTROL SET

One evidence base, maintained continuously.

Update a control once and every framework it maps to updates with it. No re-answering the same question for each auditor, insurer, and enterprise customer that asks.

  • HIPAA Security Rule

    45 CFR § 164.308 – § 164.316

  • HIPAA Breach Notification

    45 CFR § 164.400 – § 164.414

  • HHS 405(d) HICP

    Health Industry Cybersecurity Practices

  • HITRUST CSF

    Common Security Framework

  • NIST CSF 2.0

    Govern, Identify, Protect, Detect, Respond, Recover

  • NIST 800-53

    Security and Privacy Controls

  • SOC 2

    Trust Services Criteria

  • 42 CFR Part 2

    Substance Use Disorder Records

  • Joint Commission

    IM and EC standards

RISK TO REMEDIATION

We close the gaps we find. Not just catalog them.

Most compliance tools stop at a findings list. Z Cyber runs the full loop, from the risk we surface to the evidence your next audit needs.

  1. Identify
     Risks surfaced from your environment, not a generic checklist

  2. Prioritize
     Ranked by business impact and patient-safety exposure

  3. Remediate
     Our security advisors drive the fix, with you

  4. Evidence
     Proof captured as the work happens

  5. Audit-ready
     OCR, Joint Commission, and carriers get one answer

HOW WE PARTNER

Operating partner, not a deck and a deliverable.

Z Cyber embeds a forward-deployed security team into your organization, runs your program every day on Glance, and stays accountable to outcomes your COO and CFO can read.

  01. Scope
      Thirty to sixty minutes. We size the engagement to your environment, your near-term pressure points (OCR readiness, an insurance renewal, an enterprise procurement review), and the cadence your team can absorb.

  02. Implement
      Weeks one to four. We stand up your Glance tenant, run your HIPAA risk analysis, inventory your Business Associate Agreements, populate your evidence library, and configure your risk register in business-asset language.

  03. Operate
      Continuous. We answer incoming security questionnaires, drive remediation across your risk register, maintain your audit-ready evidence, and keep your policy and exception repositories current.

  04. Improve
      Quarterly. We brief your board in healthcare-board language, recalibrate priorities, and produce the attestation packets your insurer, auditors, and enterprise customers actually accept.

FREQUENTLY ASKED

Questions worth answering up front.

How is your SRA different from the free HHS tool?

The HHS SRA tool is a desktop questionnaire designed for self-administration. Z Cyber's SRA is conducted by experienced healthcare security practitioners, includes evidence review, and produces a written report cited to specific HIPAA Security Rule provisions. The deliverable holds up under OCR audit, satisfies cyber insurance underwriting, and answers customer security reviews, three things a self-completed HHS tool typically does not.

What are “recognized security practices” and how do they change an OCR investigation?

Under the HITECH Act, as amended in January 2021, OCR is required to consider whether you had recognized security practices in place for the prior twelve months when it sets penalties, scopes an audit, or resolves an enforcement action. The HHS 405(d) Health Industry Cybersecurity Practices are one of the named recognized practices. Z Cyber stands those practices up and documents them inside Glance, so if a breach is ever investigated you can demonstrate the mitigating factor instead of arguing it after the fact.

We are a business associate, not a covered entity. Do we still need this?

Yes. The HIPAA Security Rule applies to business associates the same way it applies to covered entities, and every BAA you sign puts the obligation back into your contract. Business associates are also a frequent path for OCR audit attention because they aggregate ePHI across many covered entities, raising the impact of any single failure.

Can you handle the security questionnaires our prospects send us?

Yes. This is included in every healthcare engagement. We build an evidence library inside Glance from your environment, policies, and prior attestations, then answer each incoming questionnaire with consistent, audit-grade responses within 48 hours. Your sales motion does not stall while compliance answers questions.

What does an engagement look like for a small practice versus a health system?

The scope changes, the structure does not. A small practice may need quarterly check-ins, an annual SRA, BAA tracking, and policy refreshes. A health system may need weekly coordination across IT, compliance, and clinical stakeholders, board-level reporting, multi-facility scope, and continuous audit prep. Same platform, same team, different rhythm.

Do you support HITRUST CSF certification?

Yes. We map your existing HIPAA controls into the HITRUST Common Security Framework, identify the gap, and run the implementation work to close it. We coordinate with HITRUST-authorized assessors for the formal certification audit and produce the evidence package on your behalf.

How does Z Cyber engage with us?

We are a cybersecurity operating partner, not a consulting firm. You do not get a deck and a report. You get a forward-deployed team that runs your program every day on the Glance platform, with one accountable point of contact and a quarterly board-level review.

Find your HIPAA gaps in five minutes. Close them with Z Cyber.

Twelve questions across the four HIPAA Security Rule safeguard families. The PDF arrives in your inbox. A Z Cyber advisor walks it through with you within one business day.