We use essential cookies to run this site. Analytics & marketing cookies load only with your consent — see our Cookie Policy and Privacy Policy.

Healthcare SaaS Platform case study hero background

Healthcare SaaS Platform: CERT-In Empanelled VAPT: 40 Vulnerabilities Remediated, Safe-to-Host Certified

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhaar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

Healthcare SaaS Platform: CERT-In Empanelled VAPT: 40 Vulnerabilities Remediated, Safe-to-Host Certified

Healthcare SaaS platforms carry patient data and integrate with hospital systems, so security testing is both a client demand and an empanelment gate. This engagement covers a full CERT-In-aligned VAPT across web, API, and mobile surfaces, remediation of roughly 40 vulnerabilities including criticals, and issuance of the safe-to-host certificate the platform needed.

Client Overview

The client is a healthcare SaaS platform serving hospitals and diagnostic chains across India with patient management, reporting, and telehealth modules. The driver was twofold: hospital clients demanding independent security testing, and a government empanelment process requiring a safe-to-host certificate from a CERT-In empanelled auditor. Scope covered the web application, public and partner APIs, Android and iOS apps, and the cloud hosting environment.

  • Industry: Healthcare SaaS (hospital and diagnostics clients)
  • Region: India
  • Regulatory driver: Government empanelment requiring CERT-In safe-to-host certification; client security mandates
  • Timeline: ~8 weeks, first test to safe-to-host certificate
  • CyberSigma team: VAPT lead, web/API testers, mobile security tester, remediation advisor

Challenge

The platform had never undergone independent penetration testing. Patient data flowed through APIs and mobile apps built at startup speed, and the empanelment deadline meant every finding — including criticals — had to be found, fixed, and re-verified inside a compressed window.

  • No prior independent VAPT across any surface of the platform
  • Patient health data flowing through untested public and partner APIs
  • Mobile apps storing session artefacts with unverified protections
  • Fixed empanelment deadline requiring a clean re-test and certificate
  • Small engineering team needing precise, developer-ready remediation guidance

Objectives

  • Execute CERT-In-aligned VAPT across web, API, mobile, and hosting infrastructure
  • Identify and remediate all critical and high-severity vulnerabilities
  • Provide developer-ready remediation guidance to a small engineering team
  • Re-test to a clean result and issue the safe-to-host certificate
  • Leave behind a repeatable annual testing cadence

Our Approach

1. Scoping & Threat Profiling

Assets, data flows, and integration points were mapped, and test cases were profiled around healthcare-specific risks: patient-record access control, report tampering, and cross-tenant data exposure.

2. Web & API Penetration Testing

Authenticated grey-box testing of the web application and APIs against OWASP Top 10 and API Top 10, with emphasis on authorisation flaws across patient, doctor, and admin roles.

3. Mobile Application Testing

Android and iOS apps were tested for insecure storage, transport weaknesses, and reverse-engineering exposure, including runtime analysis of session and token handling.

4. Remediation Support & Re-Test

Findings were delivered as developer-ready tickets with fix guidance; criticals were re-tested on fix, and a full verification round confirmed closure of approximately 40 vulnerabilities.

5. Certification & Cadence

On the clean re-test, the CERT-In-aligned report and safe-to-host certificate were issued for the empanelment submission, and a recurring annual testing calendar was agreed.

Solution

  • CERT-In-aligned VAPT across web, public/partner APIs, Android and iOS apps, and hosting
  • Healthcare-focused test profiling: patient-record authorisation, tenant isolation, report integrity
  • Developer-ready findings with fix guidance sized for a small engineering team
  • Full re-test cycle verifying closure of ~40 vulnerabilities including all criticals
  • Safe-to-host certificate issued for the government empanelment submission

Results

  • Approximately 40 vulnerabilities remediated, including all critical and high findings
  • Critical authorisation flaws in patient-data APIs closed and re-verified
  • Safe-to-host certificate issued within the ~8-week empanelment window
  • Empanelment submission accepted with security testing requirements met
  • Annual CERT-In-aligned testing cadence now in place
CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205