For healthcare practices

External security checks for GPs, allied-health clinics, and specialists.

Recurring external security monitoring on the public surface of your practice. Plain-English findings, dated evidence for AHPRA cyber expectations and cyber insurance, written for the IT provider or web developer who actually fixes things. No exploitation, no clinical-system access, no replacement for a manual penetration test.

Why healthcare in particular

The shape of the risk for a practice like yours.

Four pressure points where external monitoring earns its keep.

Patient health information exposure

Your practice holds Medicare numbers, IHIs, clinical notes, pathology results, and prescribing data. The Privacy Act treats health information as sensitive information with stricter handling rules, and the Notifiable Data Breaches scheme means an exposure is reportable. A misconfigured booking page or an old subdomain pointing at a forgotten system is the kind of thing that becomes a breach notification.

E-prescribing and e-referral exposure

Practices increasingly send prescriptions and referrals through web-based portals and email. If the sending domain is not authenticated, prescription token emails and referral letters can be spoofed or land in spam. Pharmacies and specialists then receive forged messages, and the chain of trust around the patient breaks.

AHPRA cyber expectations and incident reporting

AHPRA and the National Boards have signalled increasing focus on cybersecurity for registered health practitioners, and the broader sector is moving toward shorter ransomware reporting windows. Recurring external monitoring with a dated evidence log is one of the simplest ways to show the practice has reasonable controls in place before something goes wrong.

Cyber insurance questions you cannot answer

Healthcare-focused cyber insurance questionnaires ask whether you run recurring vulnerability assessment, whether email authentication is configured, and whether subdomains and TLS are monitored. AttackEdge gives you dated evidence for the external part of those answers. It is one input to a renewal, not a certification.

What we check

The checks that matter for a clinic.

We focus on the public surface of the practice: the website, the booking page, the patient portal subdomain, email authentication, TLS, and any services you expose to patients or referrers.

What we check / Why it matters / Who fixes it

Email authentication (SPF, DKIM, DMARC)
  Why it matters: Stops attackers from spoofing prescription, referral, or appointment emails from your domain. The most common attack vector against clinics is impersonation of the practice or the practitioner.
  Who fixes it: Your IT provider or whoever manages the domain. Often a single afternoon to fix.

TLS certificate health and expiry
  Why it matters: Expired or weak TLS on a patient portal or online-booking page kills patient trust and triggers browser warnings. Insurance assessments flag weak cipher suites and short-key certificates.
  Who fixes it: Hosting provider, practice-management vendor, or whoever runs the booking page.

Web application exposures (admin panels, exposed config files)
  Why it matters: Patient portals, document upload pages, online forms, and old WordPress installations are common entry points. We flag exposed admin paths, known vulnerable software versions, and orphaned plugins.
  Who fixes it: Web developer or MSP. Usually a small set of plugin updates and a path rule.

Subdomain hygiene and shadow IT
  Why it matters: A staging copy of a patient portal, an old telehealth landing page, or a marketing site that still resolves in DNS is a real exposure. We discover and report subdomains so nothing is forgotten.
  Who fixes it: Web developer or MSP.

HTTP security headers
  Why it matters: A small set of headers (HSTS, CSP, X-Frame-Options) stops large categories of browser-side attack against your booking flow and patient login pages.
  Who fixes it: Web developer or hosting provider.

Public exposure of practice-owned IP addresses
  Why it matters: If the clinic exposes services on a public IP (a mail server, an old file share, an RDP gateway for the receptionist), we report what is reachable and what looks risky.
  Who fixes it: IT provider or MSP.

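As an added illustration, not AttackEdge's own code, the Python script below shows the kind of passive check the email-authentication and security-header rows describe: it parses a domain's published SPF and DMARC TXT records and a booking page's HTTP response headers, and reports the weaknesses a receiving mail server or a browser would act on. The domain names, DNS records and headers are constructed samples embedded in the script (nothing is fetched from the network), and the HSTS max-age threshold is an assumed value, not a figure from this page.

```python
import re

# Constructed sample DNS TXT records and response headers for a hypothetical
# practice domain (clinic.example). Nothing here is fetched from the network.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.booking.example ~all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@clinic.example"
SAMPLE_DMARC_STRONG = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@clinic.example"
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
}

# Assumed threshold for a "long enough" HSTS max-age (about 180 days).
MIN_HSTS_MAX_AGE = 15552000
# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_RE = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=")


def parse_tagged_record(record):
    """Split a 'tag=value; tag=value' record (DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return findings for a published SPF record; None means no record exists."""
    if record is None:
        return ["No SPF record: any server can claim to send mail for the domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["Record does not begin with v=spf1, so receivers ignore it"]
    findings = []
    # The final 'all' term decides what happens to senders not listed earlier.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("No 'all' mechanism: unlisted senders get no verdict")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' passes every sender, so SPF protects nothing")
        elif qualifier == "?":
            findings.append("'?all' is neutral: unlisted senders are not penalised")
        elif qualifier == "~":
            findings.append("'~all' is softfail: rejection depends on a DMARC policy")
    lookups = sum(1 for t in terms[1:] if SPF_LOOKUP_RE.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def assess_dmarc(record):
    """Return findings for a published DMARC record; None means no record exists."""
    if record is None:
        return ["No DMARC record: spoofed mail faces no published policy"]
    tags = parse_tagged_record(record)
    if tags.get("v") != "DMARC1":
        return ["Record does not begin with v=DMARC1, so receivers ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"Missing or invalid p= tag ({policy!r})")
    if "rua" not in tags:
        findings.append("No rua= address: aggregate reports are not collected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail stream")
    return findings


def assess_headers(headers):
    """Return findings for the headers the table names (HSTS, CSP, X-Frame-Options).
    Header names are compared case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("Missing Strict-Transport-Security: a first visit can be downgraded to HTTP")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age is short; browsers soon forget the policy")
    csp = lower.get("content-security-policy", "")
    if not csp:
        findings.append("Missing Content-Security-Policy: injected script on the page is unconstrained")
    if "x-frame-options" not in lower and "frame-ancestors" not in csp:
        findings.append("No X-Frame-Options or CSP frame-ancestors: the page can be framed for clickjacking")
    return findings


def run_sample_checks():
    """Run the three assessments over the constructed samples."""
    return {
        "spf": assess_spf(SAMPLE_SPF),
        "dmarc": assess_dmarc(SAMPLE_DMARC_WEAK),
        "headers": assess_headers(SAMPLE_HEADERS),
    }


if __name__ == "__main__":
    for check, findings in run_sample_checks().items():
        print(f"[{check}] {'no findings' if not findings else ''}".rstrip())
        for finding in findings:
            print(f"  - {finding}")
```

On the samples, the SPF record's softfail only bites once DMARC is at quarantine or reject, which is exactly why the weak DMARC record (p=none) is the finding an IT provider would fix first; the booking page is missing HSTS and CSP but already sends X-Frame-Options, so two of the three header findings remain.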
What we do not do

Where the line sits.

Honesty about scope is part of the product.

No exploitation

AttackEdge observes what is externally visible. We do not exploit findings, brute-force credentials, or send payloads. Nothing we do affects clinical operations, your bookings, or patient care.

No practice-management integration

AttackEdge never connects to Best Practice, Medical Director, Genie, Cliniko, Halaxy, or any practice-management system. We only check what is on the public internet under your domain. Clinical data is never touched.

Not a manual penetration test

Automated external scanning is not the same thing as a human-led penetration test. If a hospital procurement team or a regulator requires a pen test, you still need one. AttackEdge runs alongside, not instead.

Not an AHPRA certification

We are not an accreditation body and we do not certify compliance with AHPRA, RACGP, ADHA, or any other framework. AttackEdge gives you dated evidence of one specific control: recurring external monitoring on your public surface.

What you get

Plain-English report, same shape every cycle.

Owner summary first, then prioritised findings, then technical detail and remediation steps for the IT provider, MSP, or web developer who actually fixes things.

Plan that fits

Most clinics pick SMB.

A typical multi-practitioner clinic has a main site, a booking subdomain, a patient portal, and a couple of legacy hosts. The SMB plan fits that shape at A$99 per month for 50 scan units. Annual billing gives you twelve months for the price of ten. Solo practitioners with one website and one booking page can start on Solo at A$39 per month for 15 scan units. The Snapshot at A$149 is a one-off baseline if you only need a single PDF before a cyber-insurance renewal.

Common questions

From other healthcare practices.

  • Will my practice-management system (Best Practice, Medical Director, Genie, Cliniko, Halaxy) be affected?

    No. AttackEdge does not connect to your practice-management or clinical systems. We only scan what your domain exposes on the public internet (the website, DNS, email authentication, TLS, and any portals or services reachable from outside). Patient records inside your PMS are not touched.

  • Does AttackEdge handle patient data?

    No. AttackEdge is an external scanner. It does not request, read, or store patient information. We see only what an attacker on the public internet would see (HTTP responses, DNS records, TLS certificates, response headers). Health information stays inside your clinical systems.

  • Does this satisfy AHPRA cyber requirements or RACGP accreditation?

    AttackEdge provides dated evidence of recurring external vulnerability monitoring, which is one of the items most cyber and clinical-governance frameworks ask about. It is evidence, not a certification. AHPRA, RACGP, and accreditation bodies also look at MFA, training, incident response, and internal controls that sit inside your environment. We are not an accreditation body and we do not certify compliance.

  • We are a single GP working from a serviced suite. Is this overkill?

    Probably not. Solo practitioners with a booking page, a website, and one or two subdomains can fit the Solo plan at A$39 per month with 15 scan units. Most multi-practitioner clinics fit the SMB plan at A$99 per month with 50 scan units, which covers the main site, a booking subdomain, a patient portal, and a few legacy hosts. If you only need a single PDF before a cyber-insurance renewal, the Snapshot at A$149 is a one-off baseline covering up to 15 of your sites in one bundled report.

  • Is the data hosted in Australia?

    Primary customer records, scan results, and report metadata are stored in Fly.io Postgres in Sydney. The full data and security commitments are on the security page.

  • How often do scans run?

    You set the cadence on Solo and SMB: schedule weekly, monthly, or run manual scans whenever you want. Every scan (scheduled or manual) consumes one scan unit. The same host can be scanned up to 4 times in 24 hours, so a post-fix retest does not have to wait. One-off Snapshots run a single bundled scan and deliver a PDF with a 30-day download window.

See what attackers see

Ready to see what your practice looks like from the outside?

The free check covers the headline issues on your domain in about a minute. A paid plan adds the full methodology, the evidence log, and recurring scans you can show an insurer or an accreditor.

Hosted in Sydney · Passive scanning only · From A$39 per month