What this service does
Hospitals, biotech, pharma, medical device, HealthTech SaaS. HIPAA risk assessment, NIST 800-66, OCR-defensible BAA program, 21 CFR Part 11, FDA premarket cybersecurity, HITRUST, ransomware-ready MDR. Healthcare averages 7% of IT spend on security yet carries a $7.42M average breach cost (IBM 2025), the largest spend-to-loss gap of any regulated industry.
Senior practitioner on every engagement. Quinnlan Varcoe (Founder and CEO) oversees every engagement and reviews every case before findings leave the practice; Jose Santana, Lead Technical Consultant, oversees the practitioner team executing the technical work under her methodology. NDA-protected. No black-box delivery, no off-shoring, no junior staff bait-and-switch.
What we deliver
- HIPAA Risk Assessment. NIST 800-66 aligned. OCR-defensible. BAA program management. Continuous evidence collection mapped to the HIPAA Security Rule + Breach Notification Rule.
- Ransomware-Ready MDR. 24/7 SOC monitoring tuned for healthcare attack patterns: ransomware lateral movement, EHR pivot points, Citrix/VDI attacks, BEC against finance. Containment authority pre-negotiated.
- Medical Device + IoMT Security. Network segmentation for legacy medical devices. ECRI/MedWatch advisory monitoring. Penetration testing for connected devices that can't be patched.
- FDA Premarket Cybersecurity. 510(k) and PMA cybersecurity submissions. SBOM generation. Threat modeling per FDA 2025 guidance. Postmarket surveillance program.
- 21 CFR Part 11 + GxP Compliance. Electronic records, electronic signatures, audit trails for clinical and manufacturing systems. Validation documentation maintained continuously.
- HITRUST CSF Certification. i1, r2 readiness and assessment coordination. Crosswalks to HIPAA, SOC 2, NIST CSF, ISO 27001; the same evidence answers all five.
- Clinical AI + LLM Governance. AI risk assessment for clinical decision support, ambient documentation, patient-facing chatbots. ISO 42001 + NIST AI RMF + FDA AI/ML guidance crosswalked.
- Insurance + Breach Counsel Liaison. Carrier-coordinated underwriting (Coalition, Beazley, Chubb, Resilience). Breach counsel network on retainer. IR retainer accepted by all major healthcare cyber carriers.
How an engagement begins
- Confidential consultation. NDA-protected. 30 to 60 minutes. Direct conversation with Quinn, not a sales rep.
- Scoped engagement. Written proposal with defined deliverables and pricing. Hourly with milestone caps for open scopes; fixed fee where the work is well-defined.
- Delivery and reporting. Court-admissible methodology where evidence matters. Written deliverables you can hand to counsel, the board, or your auditor.
Why this work runs through Witness
Witness is the parent brand for the practice. The same firm operates a B2B sister brand at varcoe.ai for buyers whose procurement workflow expects a B2B website and a B2B sales motion. Same legal entity (Blueberry Security Global, Inc., Delaware C-corp). Same Quinn. Same delivery team. The split is by audience, not by capability.