Tier: HEALTHCARE  |  Pricing: Contact sales  |  Agents (14): hipaa, phi, baa, comply, sentinel, scout, forge, secure_code, audit, bastion, ai_guard, pulse, predict, conduit  |  Scan date: 2026-05-09
Total findings: 18  |  Critical: 5  |  High: 7  |  Medium: 6  |  Low: 0  |  INC auto-fixed: 8  |  CHG awaiting approval: 10

FINDINGS (18)

CRITICAL  |  Agent: phi  |  P90  |  INC AUTO-FIXED  |  INC20260509-HC001

PHI exposure in unencrypted Azure Blob storage

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanphiunencrypted
Detector: PHI-001
Storage account containing Protected Health Information (PHI) has server-side encryption disabled. Blob containers with patient records, lab results, and discharge summaries are stored in cleartext, exposing ePHI to unauthorized access if the storage layer is compromised.
Enable Azure Storage Service Encryption (SSE) with Microsoft-managed keys at minimum. For PHI workloads, use customer-managed keys (CMK) stored in a dedicated Key Vault with soft-delete and purge protection enabled. Rotate the CMK on a documented schedule (90 days is a common choice; the HIPAA Security Rule requires a key-management process but does not prescribe an interval). After remediation, confirm with az storage account show --query encryption that the blob and file services report encryption with the expected key source.
FORGE Auto-Fix Applied:
Playbook: FRG-PHI-001
Action: Enabled AES-256 SSE with Microsoft-managed keys on all blob containers. Initiated CMK migration request.
Command: az storage account update --name titanphiunencrypted --resource-group titan-tier-test-20260508-144346 --encryption-services blob file queue table --encryption-key-source Microsoft.Storage
Citation: HIPAA 164.312(a)(2)(iv) Encryption and Decryption; HITRUST 09.ab Monitoring System Use; SOC 2 CC6.1 Logical and Physical Access Controls; NIST 800-53 SC-28 Protection of Information at Rest
CRITICAL  |  Agent: hipaa  |  P90  |  CHG AWAITING APPROVAL  |  CHG20260509-HC002

FHIR R4 endpoint allows unauthenticated bulk $export operation

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.HealthcareApis/services/titan-fhir-prod
Detector: HIP-003
The FHIR R4 API endpoint exposes the bulk $export operation without requiring OAuth 2.0 bearer token authentication. An unauthenticated caller can initiate a full patient data export, extracting the entire patient population dataset including demographics, diagnoses, medications, and insurance information.
Enforce Azure Active Directory authentication on all FHIR API endpoints. Configure SMART on FHIR scopes to restrict bulk $export to authorized backend service principals only. Implement IP allowlisting and request throttling on the $export endpoint. Enable audit logging for all bulk data access operations.
Change Request Filed:
CHG ID: CHG20260509-002
Justification: Enabling mandatory AAD authentication on FHIR bulk export requires application-level changes and downstream consumer re-authorization. Requires coordinated deployment window with EHR integration team.
Status: Pending CAB review
Citation: HIPAA 164.312(d) Person or Entity Authentication; HITRUST 01.b User Registration; SOC 2 CC6.1 Logical and Physical Access Controls; NIST 800-53 IA-2 Identification and Authentication
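The check a practitioner would run before and after the change request lands is a single anonymous kick-off request: the Bulk Data Access spec defines the kick-off as GET {base}/$export with Accept: application/fhir+json and Prefer: respond-async, and a server that answers that request with 202 Accepted and a Content-Location header has started an export job for an unauthenticated caller. The probe below is an added example, not tooling from the report; the FHIR base URL is hypothetical and the request sender is injectable so the verdict logic can be exercised offline.

```python
"""Probe whether a FHIR R4 server's bulk $export kick-off enforces authentication.

Per the Bulk Data Access spec, the kick-off request is
  GET {base}/$export   with   Accept: application/fhir+json   and   Prefer: respond-async
A correctly secured server answers an anonymous kick-off with 401 (or 403).
A 202 Accepted carrying Content-Location means an export job was started for
an anonymous caller.  Added example; the base URL in __main__ is hypothetical.
"""
import json
import urllib.error
import urllib.request

KICKOFF_HEADERS = {
    "Accept": "application/fhir+json",
    "Prefer": "respond-async",
}


def _default_send(url, headers):
    """Issue the request and return (status, response_headers).  urllib raises
    on 4xx/5xx, so the error object is unwrapped into the same tuple shape."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def check_export_requires_auth(base_url, send=_default_send):
    """Return a verdict dict for one anonymous kick-off attempt.
    `send` is injectable so the logic can be tested without a live server."""
    status, headers = send(base_url.rstrip("/") + "/$export", dict(KICKOFF_HEADERS))
    headers = {k.lower(): v for k, v in headers.items()}   # HTTP header names are case-insensitive
    job_url = headers.get("content-location")
    if status in (401, 403):
        verdict = "secure"
    elif status == 202 and job_url:
        verdict = "vulnerable"      # an export job now exists for an anonymous caller
    else:
        verdict = "inconclusive"    # e.g. 404 when $export is not enabled at all
    return {"status": status, "job_url": job_url, "verdict": verdict}


if __name__ == "__main__":
    # Hypothetical endpoint; replace with the FHIR service base URL under test.
    print(json.dumps(check_export_requires_auth("https://titan-fhir-prod.example/"), indent=2))
```

If the verdict is "vulnerable", the job URL returned is itself evidence: cancel the job with DELETE on that Content-Location so the anonymous export does not complete while the change request waits.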
CRITICAL  |  Agent: hipaa  |  P90  |  INC AUTO-FIXED  |  INC20260509-HC003

HL7v2 ADT feed transmitting SSN in cleartext over TCP

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Network/applicationGateways/titan-hl7-gateway
Detector: HIP-007
HL7v2 ADT (Admit/Discharge/Transfer) messages containing patient Social Security Numbers in PID-19 segment are transmitted over unencrypted TCP port 2575. Network packet inspection confirmed SSN values visible in plaintext during transit between the ADT interface engine and the Application Gateway backend pool.
Terminate all HL7v2 listeners on unencrypted TCP and migrate to MLLP over TLS (MLLP+S) with TLS 1.2 as the minimum version. Note that Application Gateway is a layer-7 HTTP(S) proxy and does not forward raw MLLP frames, so the TLS endpoint for MLLP traffic belongs on the interface engine itself or on a TCP-capable load balancer; validate that the sending system actually negotiates TLS to that endpoint rather than falling back to port 2575. Redact or tokenize SSN in PID-19 at the interface engine before transmission where clinically permissible.
FORGE Auto-Fix Applied:
Playbook: FRG-HIP-007
Action: Disabled unencrypted TCP listener on port 2575. Configured TLS 1.2 backend setting on the Application Gateway health probe and backend HTTP settings for MLLP+S.
Command: az network application-gateway http-settings update --gateway-name titan-hl7-gateway --resource-group titan-tier-test-20260508-144346 --name hl7BackendSettings --protocol Https --port 2576
Citation: HIPAA 164.312(e)(1) Transmission Security; HITRUST 09.m Network Controls; SOC 2 CC6.7 Restriction of Transmission; NIST 800-53 SC-8 Transmission Confidentiality and Integrity
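The redaction step above is straightforward to implement at the interface engine because HL7v2 is positional: segments are separated by CR, fields by the separator declared in MSH-1 (here the default '|'), and PID-19 is the 19th field after the segment name. The filter below unwraps an MLLP frame (VT, message, FS, CR), replaces an SSN in PID-19 with either a blank or an HMAC-derived surrogate that keeps downstream joins working, and re-frames the message. It is an added example, not the report's own tooling; the ADT^A04 message and the HMAC key are constructed.

```python
"""Interface-engine filter that blanks or tokenizes the SSN in PID-19 before an
HL7v2 message leaves the engine.  Added example; sample message and key are
constructed.

MLLP framing: <VT 0x0B> message <FS 0x1C><CR 0x0D>.  Segments are separated by
CR, fields by '|'; PID-19 is field index 19 when index 0 is the segment name.
"""
import hashlib
import hmac
import re
from typing import Optional, Tuple

VT, FS, CR = b"\x0b", b"\x1c", b"\r"
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

# Constructed sample: an A04 registration carrying an SSN in PID-19 (PID-18 is the account number).
SAMPLE_ADT = (
    "MSH|^~\\&|ADT1|TITAN_HOSP|EHR|TITAN_HOSP|20260509120000||ADT^A04|MSG0001|P|2.5\r"
    "EVN|A04|20260509120000\r"
    "PID|1||MRN00042^^^TITAN^MR||DOE^JANE||19800101|F|||1 MAIN ST^^SPRINGFIELD^IL^62701"
    "||555-0100|||||ACCT9|123-45-6789\r"
    "PV1|1|O|CLINIC^101^1\r"
)


def mllp_unwrap(frame: bytes) -> str:
    """Validate MLLP framing and return the decoded message body."""
    if not (frame.startswith(VT) and frame.endswith(FS + CR)):
        raise ValueError("not an MLLP frame")
    return frame[1:-2].decode("ascii")


def mllp_wrap(message: str) -> bytes:
    return VT + message.encode("ascii") + FS + CR


def tokenize_ssn(ssn: str, key: bytes) -> str:
    """Deterministic, non-reversible surrogate: same SSN -> same token, with or without dashes."""
    digits = ssn.replace("-", "")
    return "TOK" + hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_pid19(message: str, key: Optional[bytes] = None) -> Tuple[str, int]:
    """Return (rewritten message, number of SSNs replaced).  With a key the SSN is
    tokenized, otherwise blanked.  Only values shaped like an SSN are touched, so a
    PID-19 carrying some other identifier passes through unchanged."""
    hits = 0
    out_segments = []
    for seg in message.split("\r"):
        fields = seg.split("|")
        if fields[0] == "PID" and len(fields) > 19 and SSN_RE.match(fields[19]):
            fields[19] = tokenize_ssn(fields[19], key) if key else ""
            hits += 1
        out_segments.append("|".join(fields))
    return "\r".join(out_segments), hits


def filter_frame(frame: bytes, key: Optional[bytes] = None) -> Tuple[bytes, int]:
    """Unwrap, scrub, re-wrap: the function an MLLP proxy calls per inbound frame."""
    cleaned, hits = scrub_pid19(mllp_unwrap(frame), key)
    return mllp_wrap(cleaned), hits


if __name__ == "__main__":
    out, n = filter_frame(mllp_wrap(SAMPLE_ADT), key=b"constructed-demo-key")
    print(n, "SSN(s) tokenized")
    print(mllp_unwrap(out).replace("\r", "\n"))
```

The HMAC key must live in Key Vault with the same protections as the PHI keys: anyone holding it can confirm a guessed SSN against a token, which is why a keyed hash rather than a plain SHA-256 is used.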
CRITICAL  |  Agent: audit  |  P90  |  INC AUTO-FIXED  |  INC20260509-HC004

Audit logging not enabled across healthcare subscription

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34
Detector: AUD-001
Azure Activity Log diagnostic settings are not configured at the subscription level. Administrative actions, security events, resource health changes, and data-plane access operations are not being captured to a centralized Log Analytics workspace or storage account. This creates a gap in the audit trail required for breach investigation and compliance reporting.
Configure a subscription-level diagnostic setting that sends all Activity Log categories (Administrative, Security, ServiceHealth, Alert, Recommendation, Policy, Autoscale, ResourceHealth) to a dedicated Log Analytics workspace. Set retention to a minimum of 6 years per HIPAA record retention requirements; interactive retention on a Log Analytics table is capped at 730 days, so the remainder must be covered by the workspace's long-term (archive) retention or by an export to immutable storage. Enable immutable storage for audit log archives.
FORGE Auto-Fix Applied:
Playbook: FRG-AUD-001
Action: Created diagnostic setting forwarding all Activity Log categories to the existing Log Analytics workspace. Enabled 2190-day (6-year) retention policy on the workspace.
Command: az monitor diagnostic-settings create --name titan-audit-diag --resource /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34 --workspace /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.OperationalInsights/workspaces/titan-healthcare-logs --logs "[{category:Administrative,enabled:true},{category:Security,enabled:true},{category:ServiceHealth,enabled:true},{category:Alert,enabled:true},{category:Recommendation,enabled:true},{category:Policy,enabled:true},{category:Autoscale,enabled:true},{category:ResourceHealth,enabled:true}]"
Citation: HIPAA 164.312(b) Audit Controls; HITRUST 09.aa Audit Logging; SOC 2 CC7.2 System Monitoring; NIST 800-53 AU-2 Audit Events
CRITICAL  |  Agent: phi  |  P90  |  CHG AWAITING APPROVAL  |  CHG20260509-HC005

PHI retention policy violation -- 180-day data persisted in hot storage tier

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanphiarchive
Detector: PHI-004
Storage account designated as the PHI archive retains patient data blobs in the hot access tier for 180 days before lifecycle management moves them to cool storage. The organization retention policy mandates that PHI older than 90 days must be migrated to archive-tier immutable storage. This 90-day gap increases exposure window and storage cost for sensitive ePHI.
Update the blob lifecycle management policy to transition PHI blobs from hot to cool tier at 30 days and from cool to archive tier at 90 days. Enable immutable storage on the archive container using a time-based retention policy (a legal hold is the right tool only when litigation requires indefinite preservation). Validate that the retention schedule aligns with the organization data classification policy and state-specific medical records retention laws.
Change Request Filed:
CHG ID: CHG20260509-005
Justification: Modifying PHI lifecycle policy from 180-day to 90-day archive transition affects downstream analytics pipelines and reporting dashboards that query hot-tier data. Requires impact assessment with clinical informatics team.
Status: Pending CAB review
Citation: HIPAA 164.530(j) Retention Period; HITRUST 09.p Disposal of Media; SOC 2 CC6.5 Disposal of Assets; NIST 800-53 SI-12 Information Management and Retention
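The policy the change request asks for, expressed in the Azure Storage lifecycle-management rule schema, together with a check that lists the blobs the current 180-day policy has left in a hotter tier than the 30/90-day schedule allows. This is an added example, not part of the report; the blob inventory is constructed in a simplified shape of an az storage blob list result, and the phi/ prefix is an assumption about how the archive account is laid out.

```python
"""Lifecycle policy for the PHI archive account plus a check for blobs sitting
in a hotter tier than the policy requires.  Added example: the policy follows
the Azure Storage lifecycle-management rule schema, the blob inventory below is
constructed, and the "phi/" prefix is an assumption."""
from datetime import datetime, timedelta, timezone

PHI_LIFECYCLE_POLICY = {
    "rules": [{
        "enabled": True,
        "name": "phi-hot-to-archive",
        "type": "Lifecycle",
        "definition": {
            "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["phi/"]},
            "actions": {"baseBlob": {
                "tierToCool": {"daysAfterModificationGreaterThan": 30},
                "tierToArchive": {"daysAfterModificationGreaterThan": 90},
            }},
        },
    }]
}

TIER_RANK = {"Hot": 0, "Cool": 1, "Cold": 2, "Archive": 3}   # colder = higher


def expected_tier(age_days, policy=PHI_LIFECYCLE_POLICY):
    """Coldest tier the policy's baseBlob actions require for a blob of this age."""
    actions = policy["rules"][0]["definition"]["actions"]["baseBlob"]
    tier = "Hot"
    if age_days > actions["tierToCool"]["daysAfterModificationGreaterThan"]:
        tier = "Cool"
    if age_days > actions["tierToArchive"]["daysAfterModificationGreaterThan"]:
        tier = "Archive"
    return tier


def find_misplaced(blobs, now, policy=PHI_LIFECYCLE_POLICY):
    """blobs: dicts with name, tier and last_modified (aware datetime).  Returns the
    blobs matching the policy's prefix filter whose tier is hotter than required."""
    prefixes = policy["rules"][0]["definition"]["filters"]["prefixMatch"]
    misplaced = []
    for b in blobs:
        if not any(b["name"].startswith(p) for p in prefixes):
            continue
        age = (now - b["last_modified"]).days
        want = expected_tier(age, policy)
        if TIER_RANK[b["tier"]] < TIER_RANK[want]:
            misplaced.append({"name": b["name"], "age_days": age,
                              "tier": b["tier"], "expected": want})
    return misplaced


NOW = datetime(2026, 5, 9, tzinfo=timezone.utc)
SAMPLE_BLOBS = [   # constructed inventory
    {"name": "phi/discharge/2026-04-20.pdf", "tier": "Hot",     "last_modified": NOW - timedelta(days=19)},
    {"name": "phi/labs/2026-03-01.json",     "tier": "Hot",     "last_modified": NOW - timedelta(days=69)},
    {"name": "phi/labs/2025-10-01.json",     "tier": "Cool",    "last_modified": NOW - timedelta(days=220)},
    {"name": "phi/labs/2025-01-01.json",     "tier": "Archive", "last_modified": NOW - timedelta(days=493)},
    {"name": "public/logo.png",              "tier": "Hot",     "last_modified": NOW - timedelta(days=400)},
]

if __name__ == "__main__":
    for hit in find_misplaced(SAMPLE_BLOBS, NOW):
        print(hit)
```

Run the same check a day after the policy is applied: lifecycle rules execute on a daily schedule, so a non-empty result after 48 hours points at a filter mismatch rather than at normal lag.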
HIGH  |  Agent: baa  |  P70  |  CHG AWAITING APPROVAL  |  CHG20260509-HC006

BAA not executed for active cloud vendor handling PHI

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34
Detector: BAA-002
The healthcare subscription is actively processing Protected Health Information but no Business Associate Agreement (BAA) has been executed with the cloud service provider for this subscription. Under HIPAA, any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity must have a signed BAA in place before processing begins.
Execute a Business Associate Agreement with the cloud provider through the Azure Trust Center. Ensure the BAA covers all services used to process PHI in this subscription including Storage, SQL Database, FHIR API, Key Vault, and App Service. Maintain the executed BAA in a compliance repository with annual renewal tracking.
Change Request Filed:
CHG ID: CHG20260509-006
Justification: BAA execution requires legal review and signature authority from the organization Privacy Officer and cloud vendor contract manager. Cannot be auto-remediated.
Status: Pending CAB review
Citation: HIPAA 164.502(e) Business Associate Contracts; HITRUST 05.i Identification of Risks Related to External Parties; SOC 2 CC9.2 Vendor Risk Management; NIST 800-53 SA-9 External Information System Services
HIGH  |  Agent: secure_code  |  P70  |  CHG AWAITING APPROVAL  |  CHG20260509-HC007

Patient portal session tokens not rotating after 30 minutes

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Web/sites/titan-patient-portal
Detector: SEC-011
The patient-facing web portal issues session tokens with a static lifetime and no server-side rotation. Analysis of the App Service authentication configuration shows session cookies persisting beyond 30 minutes without re-authentication or token refresh. A hijacked token therefore keeps granting access to patient health records for as long as the static token remains valid, regardless of user activity.
Configure sliding session expiration with a maximum lifetime of 30 minutes for patient portal sessions. Implement server-side session token rotation on every authenticated request, revoking the previous identifier. Enable idle timeout at 15 minutes. Regenerate the session identifier at login and on any privilege change so that a pre-authentication identifier planted by an attacker (session fixation) never becomes an authenticated one; binding the session to client attributes such as user-agent adds friction to hijacking but is a secondary measure, and binding to client IP breaks legitimately for mobile and NAT users.
Change Request Filed:
CHG ID: CHG20260509-007
Justification: Session token rotation requires application code changes to the authentication middleware and load balancer session affinity configuration. Requires QA regression testing against patient-facing workflows.
Status: Pending CAB review
Citation: HIPAA 164.312(d) Person or Entity Authentication; HITRUST 01.t Session Time-out; SOC 2 CC6.1 Logical and Physical Access Controls; NIST 800-53 AC-12 Session Termination
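The session-store behaviour the remediation describes, as an added example that is not the portal's code: a 30-minute absolute lifetime measured from login, a 15-minute idle timeout, a fresh identifier on every authenticated request with the previous one revoked, and a new identifier at login so a pre-authentication id cannot be upgraded. Only a hash of each token is stored, so a dump of the session table yields no usable cookies. The clock is injectable for testing; everything else is standard library.

```python
"""Server-side session store: 30 min absolute lifetime, 15 min idle timeout,
rotation on every authenticated request, regeneration at login.  Added
example, not the portal's implementation.  Tokens are stored hashed."""
import hashlib
import secrets
import time
from dataclasses import dataclass

ABSOLUTE_LIFETIME = 30 * 60
IDLE_TIMEOUT = 15 * 60


@dataclass
class Session:
    user: str
    created: float      # login time; never advanced by rotation
    last_seen: float


def _key(token):
    # Store a hash only: a leaked session table then gives no valid cookie values.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def login(self, user, presented_token=None):
        """Issue a brand-new id.  Any id the client presented before authenticating
        is discarded, which is what defeats session fixation."""
        if presented_token is not None:
            self._sessions.pop(_key(presented_token), None)
        now = self._clock()
        token = secrets.token_urlsafe(32)
        self._sessions[_key(token)] = Session(user, now, now)
        return token

    def touch(self, token):
        """Validate the token on an authenticated request.  Returns (user, new_token)
        or (None, None).  The presented token is revoked either way; a valid one is
        replaced by a fresh id that keeps the original creation time."""
        sess = self._sessions.pop(_key(token), None)
        if sess is None:
            return None, None
        now = self._clock()
        if now - sess.created > ABSOLUTE_LIFETIME or now - sess.last_seen > IDLE_TIMEOUT:
            return None, None      # expired: dropped, caller must re-authenticate
        new_token = secrets.token_urlsafe(32)
        self._sessions[_key(new_token)] = Session(sess.user, sess.created, now)
        return sess.user, new_token

    def logout(self, token):
        return self._sessions.pop(_key(token), None) is not None
```

Per-request rotation interacts badly with parallel requests from one page (two XHRs racing, only one carrying the newest id); production stores usually keep the superseded id valid for a few seconds of grace, which this minimal version deliberately omits so the revocation is visible.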
HIGH  |  Agent: sentinel  |  P70  |  INC AUTO-FIXED  |  INC20260509-HC008

EHR database backup stored without encryption at rest

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Sql/servers/titan-ehr-sql/databases/patientrecords
Detector: SEN-004
The EHR SQL database containing patient records has Transparent Data Encryption (TDE) disabled. Automated backups of an unencrypted database are themselves unencrypted, meaning a compromised backup copy would expose the full patient database including demographics, clinical notes, medication history, and insurance details in plaintext.
Enable Transparent Data Encryption (TDE) on the SQL database using a service-managed key or a customer-managed key stored in Key Vault. Backups taken after TDE is enabled are encrypted with it, but backups taken before are not, so confirm the retention window has cycled past the enablement date or treat the older copies as unencrypted PHI. Enable Azure Defender for SQL to monitor for anomalous database activity and potential data exfiltration.
FORGE Auto-Fix Applied:
Playbook: FRG-SEN-004
Action: Enabled Transparent Data Encryption on the patientrecords database. Verified backup encryption inheritance. Enabled Azure Defender for SQL.
Command: az sql db tde set --database patientrecords --server titan-ehr-sql --resource-group titan-tier-test-20260508-144346 --status Enabled
Citation: HIPAA 164.312(a)(2)(iv) Encryption and Decryption; HITRUST 06.d Data Protection; SOC 2 CC6.1 Logical and Physical Access Controls; NIST 800-53 SC-28 Protection of Information at Rest
HIGH  |  Agent: bastion  |  P70  |  INC AUTO-FIXED  |  INC20260509-HC009

NSG allows unrestricted RDP (3389) from internet to clinical workstations

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Network/networkSecurityGroups/titan-clinical-nsg
Detector: BAS-001
Network Security Group attached to the clinical workstation subnet contains an inbound rule allowing TCP port 3389 (RDP) from source 0.0.0.0/0. This exposes clinical workstations with access to the EHR system directly to brute-force attacks, credential stuffing, and known RDP exploits (BlueKeep, DejaBlue) from any internet source.
Remove the unrestricted RDP inbound rule immediately. Deploy Azure Bastion for browser-based RDP to clinical workstations and Defender for Cloud just-in-time VM access for time-boxed administrative sessions, so no NSG rule needs to admit RDP from outside the virtual network. If direct RDP is required for clinical workflows, restrict source IP ranges to the organization VPN gateway subnet only. Enable Network Watcher NSG flow logs to audit all connection attempts.
FORGE Auto-Fix Applied:
Playbook: FRG-BAS-001
Action: Removed inbound allow rule for TCP 3389 from 0.0.0.0/0. Added replacement rule restricting RDP to the VPN gateway subnet 10.0.1.0/24 only.
Command: az network nsg rule delete --nsg-name titan-clinical-nsg --resource-group titan-tier-test-20260508-144346 --name AllowRDP_Internet && az network nsg rule create --nsg-name titan-clinical-nsg --resource-group titan-tier-test-20260508-144346 --name AllowRDP_VPN --priority 300 --source-address-prefixes 10.0.1.0/24 --destination-port-ranges 3389 --protocol Tcp --access Allow
Citation: HIPAA 164.312(e)(1) Transmission Security; HITRUST 01.m Segregation in Networks; SOC 2 CC6.6 Security Controls for System Boundaries; NIST 800-53 SC-7 Boundary Protection
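The auto-fix replaced one rule, but the same exposure can hide in a port range ("3000-4000"), a protocol of "*", a service tag of "Internet", or a list-valued sourceAddressPrefixes, and a rule only matters if no lower-numbered rule matches first. The check below evaluates an NSG rule list the way the platform does (ascending priority, first match wins) for management ports reachable from internet-wide sources. It is an added example, not the report's detector; the rule list is a constructed, trimmed version of what az network nsg rule list -o json returns.

```python
"""Offline check of NSG rules for management ports reachable from the whole
internet.  Added example; SAMPLE_RULES is constructed in the shape of
`az network nsg rule list -o json`.  NSGs evaluate inbound rules in ascending
priority and stop at the first match, so a Deny at 200 shadows an Allow at 300;
this check honours that ordering."""

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}


def _port_in(port, spec):
    """spec is one NSG destination port entry: "*", "3389" or "3000-4000"."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _rule_ports(rule):
    # The CLI populates either the list field or the scalar field, not both.
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
    return [r for r in ranges if r]


def _rule_sources(rule):
    srcs = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
    return [s for s in srcs if s]


def _matches(rule, port):
    return (rule["direction"].lower() == "inbound"
            and rule["protocol"].lower() in ("tcp", "*")
            and any(_port_in(port, p) for p in _rule_ports(rule)))


def internet_exposed_ports(rules, ports=MANAGEMENT_PORTS):
    """Return {port: rule_name} for ports whose first matching inbound rule is an
    Allow from an internet-wide source."""
    exposed = {}
    ordered = sorted(rules, key=lambda r: r["priority"])
    for port in ports:
        for rule in ordered:
            if not _matches(rule, port):
                continue
            open_src = any(s.lower() in INTERNET_SOURCES for s in _rule_sources(rule))
            if rule["access"].lower() == "allow" and open_src:
                exposed[port] = rule["name"]
            break       # first match decides, whether Allow or Deny
    return exposed


SAMPLE_RULES = [   # constructed
    {"name": "AllowRDP_Internet", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowMgmt_VPN", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["10.0.1.0/24"],
     "destinationPortRanges": ["22", "5985-5986"]},
    {"name": "AllowWeb", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["443"]},
    {"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for port, name in internet_exposed_ports(SAMPLE_RULES).items():
        print(f"{MANAGEMENT_PORTS[port]} ({port}) open to the internet by rule {name}")
```

Run it against every NSG in the subscription, not only the one in the finding: the fix here is per-resource, while the pattern (a broad Allow at a low priority) is usually repeated wherever the same template was deployed.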
HIGH  |  Agent: comply  |  P70  |  CHG AWAITING APPROVAL  |  CHG20260509-HC010

Key Vault access policy grants GET to overly broad service principal

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.KeyVault/vaults/titan-phi-keyvault
Detector: CMP-008
The Key Vault storing PHI encryption keys and FHIR API credentials has an access policy granting GET permissions on secrets and keys to a service principal with tenant-wide scope. This broad access violates the principle of least privilege and allows any application registered under the overly permissive service principal to retrieve PHI encryption keys.
Migrate from vault access policies to Azure RBAC for Key Vault. Assign the Key Vault Secrets User role scoped to individual secrets required by each application. Remove the overly broad service principal access policy. Enable Key Vault firewall and restrict network access to specific VNet subnets hosting authorized applications.
Change Request Filed:
CHG ID: CHG20260509-010
Justification: Migrating Key Vault from access policies to RBAC requires re-authorization of all dependent applications and services. Risk of service disruption if dependent applications lose access during migration. Requires inventory of all service principals currently consuming secrets.
Status: Pending CAB review
Citation: HIPAA 164.312(a)(1) Access Control; HITRUST 01.c Privilege Management; SOC 2 CC6.3 Role-Based Access; NIST 800-53 AC-6 Least Privilege
HIGH  |  Agent: scout  |  P70  |  CHG AWAITING APPROVAL  |  CHG20260509-HC011

Clinical REST API missing rate limiting on /Patient/$everything endpoint

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.ApiManagement/service/titan-clinical-apim
Detector: SCT-015
The API Management instance hosting the clinical FHIR REST API does not enforce rate limiting on the /Patient/$everything endpoint. This operation returns the complete health record for a patient and is computationally expensive. Without throttling, an attacker with a valid token could enumerate and exfiltrate the entire patient database through rapid sequential calls.
Apply a rate-limit-by-key policy on the /Patient/$everything operation in API Management, keyed on the subscription id, allowing a maximum of 10 calls per 60-second renewal period. Add a quota-by-key policy of 100 calls per 3600-second period on the same key. Add IP-based throttling (ip-filter or rate-limit-by-key keyed on context.Request.IpAddress) as a secondary defense layer. Enable API Management analytics to detect anomalous call patterns, in particular one token walking sequential patient ids.
Change Request Filed:
CHG ID: CHG20260509-011
Justification: Adding rate limiting policy to the clinical FHIR API requires load testing to validate that legitimate EHR integration workflows are not impacted by the throttle thresholds. Coordinated testing with clinical application vendors required.
Status: Pending CAB review
Citation: HIPAA 164.312(a)(1) Access Control; HITRUST 09.m Network Controls; SOC 2 CC6.1 Logical and Physical Access Controls; NIST 800-53 SC-5 Denial of Service Protection
HIGH  |  Agent: secure_code  |  P70  |  CHG AWAITING APPROVAL  |  CHG20260509-HC012

DICOM viewer application vulnerable to stored XSS in patient name field

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Web/sites/titan-dicom-viewer
Detector: SEC-019
The DICOM medical imaging viewer web application renders patient name metadata from DICOM headers without HTML entity encoding. An attacker who can inject a crafted DICOM file with a malicious patient name tag (0010,0010) can execute arbitrary JavaScript in the browser session of any clinician viewing the study. This enables session hijacking and unauthorized PHI access.
Implement server-side output encoding for all DICOM metadata fields rendered in the web viewer. Apply Content-Security-Policy headers to prevent inline script execution. Sanitize DICOM tag values at ingestion time using an allowlist of permitted characters. Deploy a Web Application Firewall with XSS detection rules in front of the DICOM viewer.
Change Request Filed:
CHG ID: CHG20260509-012
Justification: Fixing the stored XSS vulnerability requires application code changes to the DICOM viewer rendering engine. Sanitization logic must be validated against DICOM conformance standards to avoid corrupting clinical display. Requires security regression testing.
Status: Pending CAB review
Citation: HIPAA 164.312(a)(1) Access Control; HITRUST 10.b Input Data Validation; SOC 2 CC7.1 Detection of Changes; NIST 800-53 SI-10 Information Input Validation
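The vulnerable rendering path beside its hardened form, as an added example that is not the viewer's code. Output encoding at render time is the control that actually closes the hole; the ingestion-time allowlist is defence in depth and rejects rather than strips, so a stored patient name is never a silently altered clinical identifier. The crafted PatientName (0010,0010) value is constructed, and the allowlist is an assumption modelling the DICOM PN value representation's default character repertoire (with '^' and '=' as component and group delimiters) for names written in the default Latin character set; studies using a Specific Character Set need a wider repertoire.

```python
"""Stored-XSS path in a DICOM viewer and its hardened counterpart.  Added
example, not the viewer's code.  CRAFTED_PN is constructed; PN_ALLOWED is an
assumption modelling DICOM PN's default repertoire for Latin-script names."""
import html
import re

# Letters, digits, space, the PN delimiters ^ and =, and common name punctuation.
PN_ALLOWED = re.compile(r"^[A-Za-z0-9 ^=,'.\-]*$")
PN_MAX_LEN = 3 * 64 + 2      # three component groups of up to 64 chars plus two '=' delimiters


def render_patient_name_vulnerable(patient_name: str) -> str:
    # Raw interpolation: whatever sat in the DICOM header lands in the DOM as markup.
    return f"<td class='pn'>{patient_name}</td>"


def render_patient_name(patient_name: str) -> str:
    # Output encoding: every untrusted character is entity-encoded, so the browser
    # displays the text and never parses it as a tag or attribute.
    return f"<td class='pn'>{html.escape(patient_name, quote=True)}</td>"


def validate_pn_at_ingest(patient_name: str):
    """Ingestion gate: (ok, reason).  Rejects rather than strips."""
    if len(patient_name) > PN_MAX_LEN:
        return False, "PN exceeds DICOM length limit"
    if not PN_ALLOWED.match(patient_name):
        return False, "PN contains characters outside the default repertoire"
    return True, ""


def display_name(pn: str) -> str:
    """Turn the PN form 'Family^Given^Middle' (alphabetic group only) into 'Given Middle Family'."""
    parts = pn.split("=")[0].split("^")
    family = parts[0]
    given = parts[1] if len(parts) > 1 else ""
    middle = parts[2] if len(parts) > 2 else ""
    return " ".join(p for p in (given, middle, family) if p)


CRAFTED_PN = "DOE^<img src=x onerror=fetch('/api/session')>"   # constructed attacker value
LEGIT_PN = "DOE^JANE^A"

if __name__ == "__main__":
    print(render_patient_name_vulnerable(CRAFTED_PN))
    print(render_patient_name(CRAFTED_PN))
    print(validate_pn_at_ingest(CRAFTED_PN), validate_pn_at_ingest(LEGIT_PN))
```

Encoding must happen in the template for the context the value lands in: html.escape is correct for element text and quoted attributes, but a name written into a JavaScript string or a URL needs that context's encoder instead.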
MEDIUM  |  Agent: ai_guard  |  P50  |  CHG AWAITING APPROVAL  |  CHG20260509-HC013

After-hours PHI bulk query pattern detected from service account

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Sql/servers/titan-ehr-sql
Detector: AIG-003
AI behavioral analysis detected an anomalous pattern: a service account executed bulk SELECT queries against the patient demographics table between 02:00-04:00 UTC, outside of normal ETL processing windows. The query volume exceeded the 30-day baseline by 340%. This pattern is consistent with unauthorized data exfiltration or compromised service account credentials.
Investigate the service account activity immediately. Rotate the service account credentials. Restrict the service account SQL permissions to only the tables and operations required for its designated ETL workflow. Implement time-based conditional access policies that block service account queries outside of the approved maintenance window (06:00-08:00 UTC).
Change Request Filed:
CHG ID: CHG20260509-013
Justification: Restricting service account access requires identification of all dependent ETL workflows and batch jobs. Credential rotation must be coordinated with application teams to prevent service disruption. Requires forensic investigation before remediation.
Status: Pending CAB review
Citation: HIPAA 164.312(b) Audit Controls; HITRUST 09.ab Monitoring System Use; SOC 2 CC7.2 System Monitoring; NIST 800-53 SI-4 Information System Monitoring
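The rule behind that alert is small enough to show: build the baseline from per-hour statement counts outside the approved ETL window, so routine batch volume cannot mask an off-hours spike, and flag recent off-hours buckets that exceed it by more than a set percentage. This is an added example rather than the report's model; the hourly counts are constructed to reproduce the numbers in the finding (a 30-day off-hours baseline of 20 statements per hour and a 02:00-04:00 run at 340% above it), and the counting itself would normally come from a summarize over SQL audit logs.

```python
"""Baseline-and-deviation rule for an after-hours bulk-query alert.  Added
example, not the report's model.  Input: {hour-aligned aware datetime: count}
of SELECT statements by one service account; constructed_counts() builds a
synthetic 31-day series that reproduces the finding's 340 % figure."""
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

ETL_WINDOW = (6, 8)       # approved window, UTC, [start, end)
BASELINE_DAYS = 30
EXCESS_THRESHOLD = 3.0    # alert when count > baseline * (1 + 3.0), i.e. more than +300 %


def in_window(hour, window=ETL_WINDOW):
    return window[0] <= hour < window[1]


def off_hours_baseline(counts, end, days=BASELINE_DAYS):
    """(mean, population std-dev) of per-hour counts over the `days` before `end`,
    ignoring hours inside the ETL window."""
    start = end - timedelta(days=days)
    vals = [c for t, c in counts.items() if start <= t < end and not in_window(t.hour)]
    if not vals:
        raise ValueError("no off-hours observations in the baseline period")
    return mean(vals), pstdev(vals)


def detect_after_hours_spikes(counts, now, threshold=EXCESS_THRESHOLD):
    """Evaluate the most recent 24 h against the 30-day off-hours baseline that
    precedes it.  Returns (baseline, [(timestamp, count, excess_pct), ...])."""
    day_ago = now - timedelta(days=1)
    base, _sd = off_hours_baseline(counts, day_ago)
    hits = []
    for t in sorted(counts):
        if day_ago <= t < now and not in_window(t.hour):
            c = counts[t]
            if base > 0 and c > base * (1 + threshold):
                hits.append((t, c, round((c - base) / base * 100)))
    return base, hits


def constructed_counts(now):
    """31 days of hourly counts: 20/h routine, 5000/h inside the ETL window, and
    88/h at 02:00 and 03:00 on the last day (constructed: 340 % over baseline)."""
    counts = {}
    t = now - timedelta(days=31)
    while t < now:
        counts[t] = 5000 if in_window(t.hour) else 20
        t += timedelta(hours=1)
    last_day = now - timedelta(days=1)
    for h in (2, 3):
        counts[last_day.replace(hour=h)] = 88
    return counts


if __name__ == "__main__":
    now = datetime(2026, 5, 9, tzinfo=timezone.utc)
    base, hits = detect_after_hours_spikes(constructed_counts(now), now)
    print("baseline", base)
    for t, c, pct in hits:
        print(t.isoformat(), c, f"+{pct}%")
```

The baseline is deliberately a mean over raw off-hours buckets; for a service account that is normally idle at night the mean is near zero and a percentage rule becomes noisy, which is when the std-dev returned alongside it (or an absolute floor) should gate the alert instead.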
MEDIUM  |  Agent: pulse  |  P50  |  INC AUTO-FIXED  |  INC20260509-HC014

Storage account diagnostic logs not enabled for PHI containers

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanphilogs
Detector: PLS-002
The storage account hosting PHI container logs does not have its own diagnostic settings configured. Blob read, write, and delete operations on containers holding patient documents, imaging files, and clinical attachments are not being audited. This creates a blind spot in the access trail for sensitive healthcare data.
Enable diagnostic settings on the storage account to capture StorageRead, StorageWrite, and StorageDelete operations for all blob services. Forward logs to the centralized Log Analytics workspace. Set a minimum retention period of 6 years. Configure alerting rules for bulk delete operations on PHI containers.
FORGE Auto-Fix Applied:
Playbook: FRG-PLS-002
Action: Enabled diagnostic settings for blob service capturing StorageRead, StorageWrite, and StorageDelete categories. Forwarding to the centralized Log Analytics workspace.
Command: az monitor diagnostic-settings create --name titan-phi-diag --resource /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanphilogs/blobServices/default --workspace /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.OperationalInsights/workspaces/titan-healthcare-logs --logs "[{category:StorageRead,enabled:true},{category:StorageWrite,enabled:true},{category:StorageDelete,enabled:true}]"
Citation: HIPAA 164.312(b) Audit Controls; HITRUST 09.aa Audit Logging; SOC 2 CC7.2 System Monitoring; NIST 800-53 AU-12 Audit Generation
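Two of the auto-fixes on this page (the subscription Activity Log setting in INC20260509-HC004 and the PHI storage account's blob-service setting above) are only as good as the category list they enabled and the destination they point at, and a second diagnostic setting with no destination will silently cover nothing. The verification below reads settings in the shape az monitor diagnostic-settings list -o json returns (its value array flattened to a list) and reports which required categories are not both enabled and routed. It is an added example, not the report's own check, and both settings documents are constructed.

```python
"""Post-remediation verification for diagnostic settings: every required log
category must be enabled by a setting that also has a destination.  Added
example; ACTIVITY_SETTINGS and BLOB_SETTINGS are constructed in the shape of
`az monitor diagnostic-settings list -o json` with the `value` array flattened."""

ACTIVITY_LOG_CATEGORIES = {"Administrative", "Security", "ServiceHealth", "Alert",
                           "Recommendation", "Policy", "Autoscale", "ResourceHealth"}
STORAGE_BLOB_CATEGORIES = {"StorageRead", "StorageWrite", "StorageDelete"}
DESTINATION_FIELDS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


def _has_destination(setting):
    return any(setting.get(k) for k in DESTINATION_FIELDS)


def covered_categories(settings):
    """Categories that at least one setting both enables and ships somewhere."""
    covered = set()
    for s in settings:
        if not _has_destination(s):
            continue            # enabled-but-unrouted logs are dropped by the platform
        for log in s.get("logs", []):
            if log.get("enabled"):
                covered.add(log["category"])
    return covered


def assess(settings, required):
    missing = sorted(required - covered_categories(settings))
    return {"compliant": not missing, "missing": missing}


WORKSPACE = ("/subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/"
             "titan-tier-test-20260508-144346/providers/Microsoft.OperationalInsights/"
             "workspaces/titan-healthcare-logs")

# Constructed: the Activity Log setting as the HC004 auto-fix would leave it.
ACTIVITY_SETTINGS = [{
    "name": "titan-audit-diag", "workspaceId": WORKSPACE,
    "logs": [{"category": c, "enabled": True} for c in sorted(ACTIVITY_LOG_CATEGORIES)],
}]

# Constructed failure case: deletes disabled in the routed setting, and a second
# setting that enables them but points nowhere.
BLOB_SETTINGS = [
    {"name": "titan-phi-diag", "workspaceId": WORKSPACE,
     "logs": [{"category": "StorageRead", "enabled": True},
              {"category": "StorageWrite", "enabled": True},
              {"category": "StorageDelete", "enabled": False}]},
    {"name": "orphaned", "workspaceId": None,
     "logs": [{"category": "StorageDelete", "enabled": True}]},
]

if __name__ == "__main__":
    print("activity log:", assess(ACTIVITY_SETTINGS, ACTIVITY_LOG_CATEGORIES))
    print("phi blobs:   ", assess(BLOB_SETTINGS, STORAGE_BLOB_CATEGORIES))
```

For the storage account the setting must sit on the blobServices/default sub-resource, as the auto-fix command does; a setting created on the account resource itself exposes only the Transaction metric, so a run of this check against the wrong scope will report all three categories missing.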
MEDIUM  |  Agent: predict  |  P50  |  CHG AWAITING APPROVAL  |  CHG20260509-HC015

Production resource group missing delete lock

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-healthcare-prod
Detector: PRD-001
The production resource group containing all healthcare tier resources does not have a CanNotDelete management lock applied. Any user or automation with Contributor or Owner RBAC role can accidentally or maliciously delete the entire resource group and all contained resources including databases, storage accounts, and FHIR services, causing catastrophic data loss and service disruption.
Apply a CanNotDelete management lock at the resource group level. Implement a secondary ReadOnly lock on critical child resources (SQL databases, Key Vaults, FHIR services). Restrict lock management permissions to the subscription Owner role only. Configure Azure Policy to enforce lock presence on all production resource groups.
Change Request Filed:
CHG ID: CHG20260509-015
Justification: Applying delete locks to the production resource group may interfere with active CI/CD pipelines that perform resource recreation during deployments. Requires validation against deployment automation and IaC templates before enforcement.
Status: Pending CAB review
Citation: HIPAA 164.310(d)(1) Device and Media Controls; HITRUST 09.l Back-up; SOC 2 CC6.1 Logical and Physical Access Controls; NIST 800-53 CP-9 Information System Backup
MEDIUM  |  Agent: conduit  |  P50  |  INC AUTO-FIXED  |  INC20260509-HC016

TLS 1.0 still enabled on API Management gateway

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.ApiManagement/service/titan-clinical-apim
Detector: CND-005
The API Management gateway serving clinical FHIR endpoints still accepts TLS 1.0 and TLS 1.1 connections. These protocol versions are subject to known practical attacks (BEAST against TLS 1.0 CBC cipher suites; POODLE against SSL 3.0 and some TLS 1.0 CBC implementations) and lack the AEAD cipher suites of TLS 1.2, allowing a man-in-the-middle to downgrade and decrypt PHI transmitted between clinical applications and the API gateway. PCI DSS requires TLS 1.2 as the minimum; HIPAA does not name a protocol version, but the transmission security standard is not met by protocols with known practical attacks.
Disable TLS 1.0 and TLS 1.1 on the API Management gateway. Set the minimum TLS version to 1.2. Configure the cipher suite to use only strong algorithms (ECDHE, AES-GCM). Enable HSTS headers with a minimum max-age of 31536000 seconds. Monitor TLS handshake logs for clients still attempting deprecated protocol versions.
FORGE Auto-Fix Applied:
Playbook: FRG-CND-005
Action: Disabled TLS 1.0 and TLS 1.1 protocols. Set minimum TLS version to 1.2. Updated custom domain SSL bindings to enforce TLS 1.2.
Command: az apim update --name titan-clinical-apim --resource-group titan-tier-test-20260508-144346 --set properties.customProperties."Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10"="false" properties.customProperties."Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11"="false"
Citation: HIPAA 164.312(e)(1) Transmission Security; HITRUST 09.m Network Controls; SOC 2 CC6.7 Restriction of Transmission; NIST 800-53 SC-8 Transmission Confidentiality and Integrity
MEDIUM  |  Agent: forge  |  P50  |  INC AUTO-FIXED  |  INC20260509-HC017

Managed identity not configured for healthcare web application

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Web/sites/titan-patient-portal
Detector: FRG-012
The patient portal web application authenticates to backend services (SQL Database, Key Vault, Storage) using stored connection strings with embedded credentials instead of Azure Managed Identity. Stored credentials in application settings create a credential sprawl risk and require manual rotation, increasing the probability of credential exposure through configuration dumps or application vulnerabilities.
Enable system-assigned managed identity on the App Service. Grant the identity data-plane access on each downstream resource: for SQL Database create a contained user from the identity (CREATE USER [titan-patient-portal] FROM EXTERNAL PROVIDER) and add it only to the database roles the portal needs, since the control-plane SQL DB Contributor role grants no access to data; assign Key Vault Secrets User on the vault and Storage Blob Data Reader on the container. Replace connection strings with managed identity token acquisition using the Azure Identity SDK. Remove all stored credential-based connection strings from App Service configuration and rotate the credentials they contained, since they must be treated as exposed.
FORGE Auto-Fix Applied:
Playbook: FRG-012
Action: Enabled system-assigned managed identity on the patient portal App Service. Identity object ID registered for downstream RBAC assignment.
Command: az webapp identity assign --name titan-patient-portal --resource-group titan-tier-test-20260508-144346
Citation: HIPAA 164.312(d) Person or Entity Authentication; HITRUST 01.q User Identification and Authentication; SOC 2 CC6.1 Logical and Physical Access Controls; NIST 800-53 IA-5 Authenticator Management
MEDIUM  |  Agent: bastion  |  P50  |  INC AUTO-FIXED  |  INC20260509-HC018

VM OS disk encryption not enabled on clinical imaging workstation

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Compute/virtualMachines/titan-dicom-ws01
Detector: BAS-009
The clinical DICOM imaging workstation virtual machine has Azure Disk Encryption (ADE) disabled on its OS disk. The VM processes and temporarily caches medical imaging files (X-rays, MRIs, CT scans) that contain patient PHI embedded in DICOM metadata. An unencrypted OS disk snapshot or VHD export would expose cached patient imaging data.
Enable Azure Disk Encryption on the OS and all data disks of the clinical imaging workstation. Use BitLocker (Windows) or DM-Crypt (Linux) backed by Key Vault-stored encryption keys. Ensure the Key Vault has soft-delete and purge protection enabled. Verify encryption status after enablement using the az vm encryption show command.
FORGE Auto-Fix Applied:
Playbook: FRG-BAS-009
Action: Enabled Azure Disk Encryption on OS disk using the PHI Key Vault for key storage. Encryption provisioning initiated successfully.
Command: az vm encryption enable --name titan-dicom-ws01 --resource-group titan-tier-test-20260508-144346 --disk-encryption-keyvault /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.KeyVault/vaults/titan-phi-keyvault --volume-type OS
Citation: HIPAA 164.312(a)(2)(iv) Encryption and Decryption; HITRUST 06.d Data Protection; SOC 2 CC6.1 Logical and Physical Access Controls; NIST 800-53 SC-28 Protection of Information at Rest
TITAN AI - HEALTHCARE tier live proof - generated 2026-05-09
All 18 findings auto-forwarded to the Incident and Change Request tables.
titanaisec.com