Healthcare SaaS Platform: CERT-In Empanelled VAPT: 40 Vulnerabilities Remediated, Safe-to-Host Certified
Healthcare SaaS platforms carry patient data and integrate with hospital systems, so security testing is both a client demand and an empanelment gate. This engagement covers a full CERT-In-aligned VAPT across web, API, and mobile surfaces, remediation of roughly 40 vulnerabilities including criticals, and issuance of the safe-to-host certificate the platform needed.
Client Overview
The client is a healthcare SaaS platform serving hospitals and diagnostic chains across India with patient management, reporting, and telehealth modules. The driver was twofold: hospital clients demanding independent security testing, and a government empanelment process requiring a safe-to-host certificate from a CERT-In empanelled auditor. Scope covered the web application, public and partner APIs, Android and iOS apps, and the cloud hosting environment.
- Industry: Healthcare SaaS (hospital and diagnostics clients)
- Region: India
- Regulatory driver: Government empanelment requiring CERT-In safe-to-host certification; client security mandates
- Timeline: ~8 weeks, first test to safe-to-host certificate
- CyberSigma team: VAPT lead, web/API testers, mobile security tester, remediation advisor
Challenge
The platform had never undergone independent penetration testing. Patient data flowed through APIs and mobile apps built at startup speed, and the empanelment deadline meant every finding — including criticals — had to be found, fixed, and re-verified inside a compressed window.
- No prior independent VAPT across any surface of the platform
- Patient health data flowing through untested public and partner APIs
- Mobile apps storing session artefacts with unverified protections
- Fixed empanelment deadline requiring a clean re-test and certificate
- Small engineering team needing precise, developer-ready remediation guidance
Objectives
- Execute CERT-In-aligned VAPT across web, API, mobile, and hosting infrastructure
- Identify and remediate all critical and high-severity vulnerabilities
- Provide developer-ready remediation guidance to a small engineering team
- Re-test to a clean result and issue the safe-to-host certificate
- Leave behind a repeatable annual testing cadence
Our Approach
1. Scoping & Threat Profiling
Assets, data flows, and integration points were mapped, and test cases were profiled around healthcare-specific risks: patient-record access control, report tampering, and cross-tenant data exposure.
2. Web & API Penetration Testing
Authenticated grey-box testing of the web application and APIs against OWASP Top 10 and API Top 10, with emphasis on authorisation flaws across patient, doctor, and admin roles.
3. Mobile Application Testing
Android and iOS apps were tested for insecure storage, transport weaknesses, and reverse-engineering exposure, including runtime analysis of session and token handling.
4. Remediation Support & Re-Test
Findings were delivered as developer-ready tickets with fix guidance; criticals were re-tested on fix, and a full verification round confirmed closure of approximately 40 vulnerabilities.
5. Certification & Cadence
On the clean re-test, the CERT-In-aligned report and safe-to-host certificate were issued for the empanelment submission, and a recurring annual testing calendar was agreed.
Solution
- CERT-In-aligned VAPT across web, public/partner APIs, Android and iOS apps, and hosting
- Healthcare-focused test profiling: patient-record authorisation, tenant isolation, report integrity
- Developer-ready findings with fix guidance sized for a small engineering team
- Full re-test cycle verifying closure of ~40 vulnerabilities including all criticals
- Safe-to-host certificate issued for the government empanelment submission
Results
- Approximately 40 vulnerabilities remediated, including all critical and high findings
- Critical authorisation flaws in patient-data APIs closed and re-verified
- Safe-to-host certificate issued within the ~8-week empanelment window
- Empanelment submission accepted with security testing requirements met
- Annual CERT-In-aligned testing cadence now in place
Liked the case study? Share on:



