Software vulnerability risk management for HIPAA
The Security Rule's risk analysis and risk management (§164.308(a)(1)) require you to find and reduce risks to ePHI — including known software vulnerabilities. IsItPatched delivers that from an SBOM — a component inventory, known and actively-exploited CVEs, prioritisation, the minimum safe version, end-of-life tracking and exportable evidence. It never touches ePHI.
1046 actively-exploited CVEs across 613 tracked products right now
Built for everyone handling ePHI
Covered entities
Providers, health plans and clearinghouses. Evidence the software-vulnerability part of your security risk analysis without new tooling.
Business associates
Vendors and SaaS handling ePHI on a client's behalf. Show a continuous vulnerability-management process for your stack.
Security & compliance teams
A repeatable record: inventory components, prioritise by exploitation, track remediation and end-of-life.
HIPAA Security Rule → what IsItPatched gives you
Risk analysis (§164.308(a)(1)(ii)(A))
Scan a CycloneDX/SPDX SBOM to identify software vulnerabilities in the systems that handle ePHI — an input to your risk analysis.
Scan an SBOM →
Risk management (§164.308(a)(1)(ii)(B))
Findings are risk-ranked by actively-exploited (CISA KEV) and high-EPSS status, each with the minimum safe version, so you can reduce risks and vulnerabilities to a reasonable and appropriate level, as the standard is worded.
See actively-exploited CVEs →
Periodic evaluation (§164.308(a)(8))
Re-scan and monitor over time as new vulnerabilities surface, with email alerts on your tracked components.
Open your dashboard →
End-of-life & evidence
End-of-life tracking flags unsupported software; export a risk register and VEX as risk-assessment evidence.
End-of-life calendar →
Export your evidence — today, free
- Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
- CycloneDX VEX document (exploitability + remediation per component)
- Software risk register (CSV / print-to-PDF) citing the exact versions you run
- A prioritised, known-exploited-first patch queue — your risk-management record
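The loop the cards above describe (scan the SBOM, rank known-exploited first and then by EPSS, work out the minimum safe version, export a VEX document and a risk register) in runnable form. This is an added example, not IsItPatched's own code or its export formats. It runs on a constructed three-component CycloneDX SBOM and constructed OSV-shaped advisories whose IDs (EXAMPLE-000x), KEV membership and EPSS scores are placeholders, all embedded inline so it runs offline.

```python
"""SBOM-driven vulnerability triage: added example with constructed data, not IsItPatched's code."""
import csv
import io
import json

# Constructed CycloneDX 1.5 JSON SBOM (sample components, not real packages).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "c-alpha", "name": "libalpha",
         "version": "2.4.1", "purl": "pkg:generic/libalpha@2.4.1"},
        {"type": "library", "bom-ref": "c-beta", "name": "libbeta",
         "version": "1.0.3", "purl": "pkg:generic/libbeta@1.0.3"},
        {"type": "library", "bom-ref": "c-gamma", "name": "libgamma",
         "version": "5.2.0", "purl": "pkg:generic/libgamma@5.2.0"},
    ],
})

# OSV-shaped advisories: SEMVER ranges as introduced/fixed events. IDs are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "affected": [{"package": {"name": "libalpha"}, "ranges": [
        {"type": "SEMVER", "events": [{"introduced": "2.0.0"}, {"fixed": "2.4.3"}]}]}]},
    {"id": "EXAMPLE-0002", "affected": [{"package": {"name": "libalpha"}, "ranges": [
        {"type": "SEMVER", "events": [{"introduced": "2.3.0"}, {"fixed": "2.4.7"}]}]}]},
    {"id": "EXAMPLE-0003", "affected": [{"package": {"name": "libbeta"}, "ranges": [
        {"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.1.0"}]}]}]},
    {"id": "EXAMPLE-0004", "affected": [{"package": {"name": "libgamma"}, "ranges": [
        {"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "5.1.0"}]}]}]},
]
KEV_IDS = {"EXAMPLE-0003"}   # constructed "known exploited" set (stands in for CISA KEV)
EPSS = {"EXAMPLE-0001": 0.02, "EXAMPLE-0002": 0.71,
        "EXAMPLE-0003": 0.05, "EXAMPLE-0004": 0.90}   # constructed scores

def vparse(v):
    """Dotted numeric version to a comparable tuple (enough for semver cores)."""
    return tuple(int(p) for p in v.split("."))

def affected_by(version, ranges):
    """(True, fixed_version) if version lies in any [introduced, fixed) window.
    An introduced event with no later fixed event is an open-ended window: (True, None)."""
    v = vparse(version)
    for rng in ranges:
        if rng.get("type") != "SEMVER":
            continue
        intro = None
        for ev in rng["events"]:
            if "introduced" in ev:
                intro = ev["introduced"]
            elif "fixed" in ev and intro is not None:
                if vparse(intro) <= v < vparse(ev["fixed"]):
                    return True, ev["fixed"]
                intro = None            # window closed, look for the next one
        if intro is not None and v >= vparse(intro):
            return True, None
    return False, None

def scan(sbom_json, advisories, kev_ids, epss):
    """Match every SBOM component against the advisories by package name."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        for adv in advisories:
            for aff in adv["affected"]:
                if aff["package"]["name"] != comp["name"]:
                    continue
                hit, fixed = affected_by(comp["version"], aff.get("ranges", []))
                if hit:
                    findings.append({"id": adv["id"], "ref": comp["bom-ref"],
                                     "name": comp["name"], "version": comp["version"],
                                     "fixed": fixed, "kev": adv["id"] in kev_ids,
                                     "epss": epss.get(adv["id"], 0.0)})
    return findings

def prioritise(findings):
    """Patch-queue order: known-exploited first, then EPSS descending, then ID."""
    return sorted(findings, key=lambda f: (not f["kev"], -f["epss"], f["id"]))

def minimum_safe_versions(findings):
    """Per component, the lowest version clearing every matched advisory.
    Assumes each advisory is one [introduced, fixed) window with no re-introduction
    later, so the answer is the highest fixed version; None if any finding is unfixed."""
    out = {}
    for f in findings:
        cur = out.get(f["ref"], "0")
        if f["fixed"] is None or cur is None:
            out[f["ref"]] = None
        elif vparse(f["fixed"]) > vparse(cur):
            out[f["ref"]] = f["fixed"]
    return out

def to_vex(findings):
    """CycloneDX VEX 'vulnerabilities' entries; KEV hits marked exploitable, the rest in_triage."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "vulnerabilities": [{"id": f["id"], "affects": [{"ref": f["ref"]}],
                                 "analysis": {"state": "exploitable" if f["kev"] else "in_triage",
                                              "response": ["update"] if f["fixed"] else ["can_not_fix"]}}
                                for f in prioritise(findings)]}

def to_risk_register(findings, minsafe):
    """CSV risk register: one row per finding, citing the exact version running."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["rank", "advisory", "component", "running", "min_safe", "kev", "epss"])
    for i, f in enumerate(prioritise(findings), 1):
        w.writerow([i, f["id"], f["name"], f["version"],
                    minsafe.get(f["ref"]) or "none", f["kev"], f["epss"]])
    return buf.getvalue()

if __name__ == "__main__":
    fs = scan(SBOM_JSON, ADVISORIES, KEV_IDS, EPSS)
    print(to_risk_register(fs, minimum_safe_versions(fs)))
    print(json.dumps(to_vex(fs), indent=2))
```

Two things a production matcher does that this example skips: real OSV entries key on ecosystem and purl rather than a bare package name, and carry ECOSYSTEM or GIT ranges and `last_affected` events as well as `fixed`; and the "highest fixed version" shortcut for the minimum safe version only holds when no advisory re-introduces an issue in a later release, so a matcher should re-check the chosen version against every range before reporting it.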
Sign in (free, no password) to sync your component stack and generate these from your dashboard. Your SBOM is parsed in your browser — it never leaves your device, and IsItPatched never handles ePHI.
Straight with you: the HIPAA Security Rule covers far more — access & audit controls, encryption, workforce training, contingency planning — and the wider HIPAA Rules add privacy and breach notification. IsItPatched is an informational tool (NVD · CISA KEV · OSV · endoflife.date) that helps with the software-vulnerability identification and risk-management evidence specifically, and never touches ePHI. It is not legal advice and not a compliance assessment. Disclaimer.
HIPAA Security Rule — frequently asked
What is the HIPAA Security Rule?
The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires covered entities and business associates to protect electronic protected health information (ePHI) with administrative, physical and technical safeguards. Software vulnerability and patch management sit within the Security Management Process, §164.308(a)(1): the risk analysis (a)(1)(ii)(A) and risk management (a)(1)(ii)(B), plus the periodic evaluation in §164.308(a)(8). A notice of proposed rulemaking published in January 2025 would make vulnerability scanning and timely patching explicit requirements; it is a proposal, not yet the rule in force.
How does IsItPatched help with HIPAA?
It supports the risk analysis and risk management of software vulnerabilities in systems that handle ePHI: scan a CycloneDX/SPDX SBOM to inventory components, identify and risk-rank their known and actively-exploited (CISA KEV) vulnerabilities, see the minimum safe version, track end-of-life software, and export a risk register / VEX as evidence for your security risk assessment.
Does IsItPatched make us HIPAA compliant?
No. The Security Rule covers far more (access controls, audit controls, encryption, workforce training, contingency planning), and the wider HIPAA Rules add privacy and breach notification. IsItPatched helps with the software-vulnerability identification and risk-management evidence specifically. It is informational, built on public data: not legal advice, not a compliance assessment, and it never touches ePHI.
Subject to more than one regime? See all our compliance editions →