Challenge
- In healthcare, PHI (Protected Health Information) security is critically important, not just from a confidentiality standpoint, but from an integrity standpoint.
- As healthcare continues to move into the digital age, effective cybersecurity measures are crucial for operational resiliency.
- Knowing the expanding attack surface and active adversaries, Redox was not content with the status quo, taking it one step further with crowdsourced security.
Outcomes
- Bug bounties more accurately reflect what real attackers are doing in terms of time and effort.
- Continuous testing in a safe way, ensuring Redox is not putting customer data at risk.
- Redox can exercise its process for handling vulnerabilities more regularly, which helps ensure it is a well-oiled machine, rather than dealing with issues only after each pen test.
Security at Redox
Redox is a leading full-service integration platform that accelerates the development and distribution of healthcare software solutions to securely and efficiently exchange data. The Redox Platform exists to make healthcare data useful and every patient experience a little bit better. Redox works with more than 450 healthcare providers and hundreds of application developers. The company works with digital health companies, ranging from large integrated health systems and academic medical centers like Geisinger and Cleveland Clinic to fast-growing startups like Glooko and American Well.
Many in the healthcare industry are keenly aware of the growing cybersecurity threats; however, understanding how to secure healthcare information systems effectively is a complex challenge that security leaders struggle with. Redox needed a solution to ensure that the sensitive patient data flowing through its platform was protected and that the company’s security practices complied with both government regulations and customer requirements.
Redox launched a private Bug Bounty with Bugcrowd, with the goal to take the program public within the same year. The company did just that — publicly incentivizing the hacker, pentester, and security researcher community to contribute highly critical vulnerability submissions to its crowdsourced security program.
Cybersecurity & Healthcare
In healthcare, PHI (Protected Health Information) security is critically important, not just from a confidentiality standpoint (an item of PHI is valued at over 100 times that of a credit card number on the black market), but from an integrity standpoint. Manipulating this data in flight or at rest can have severe implications for real patients. This creates a strong security culture in the industry, but it also causes the industry to be highly regulated, making advancements in technology, even security technology, more challenging.
Today, attack surfaces are growing with increased technology adoption and more data and infrastructure in healthcare. IT systems, connected medical devices, digital health applications, electronic patient records – the list goes on. Standards like ISO / IEC 800001 and the NIST Cybersecurity Framework are pushing healthcare IT to make change. As healthcare continues to move into the digital age, effective cybersecurity measures are crucial for operational resiliency. Each new healthcare technology offers immense value to patients but also brings unique cybersecurity risks.
Redox takes a layered approach to application security testing, including pen testing, vulnerability scanning, code reviews, and threat modeling. But knowing the expanding attack surface and active adversaries, Redox was not content with the status quo, taking it one step further with crowdsourced security.
Redox launched its private bug bounty with Bugcrowd in July 2018. Private bug bounty programs allow organizations to harness the power of the Elite Crowd – diversity of skills and perspective at scale – in a more controlled environment. At Bugcrowd, only those hackers who have a proven track record, those who have proven their skill and trustworthiness receive invitations to private programs. Private programs can be scoped or built around a customer’s testing needs and parameters. A private program can also meet requirements around background checking, ID verification or even location.
This approach proved very successful and allowed the company to increase the scope of the program over time. After running a wider scope private program for a few months, Redox took the program public in 2019.
Taking Redox’s program public has increased the scrutiny the application receives, so that security issues are detected earlier and more consistently: the targets are exposed to new, fresh individuals with an even bigger array of skill sets, perspectives and abilities. It has also increased awareness of Redox’s security maturity among its customers.

The Redox healthcare integration platform is built on the promise that organizations can securely and efficiently exchange data. Crowdsourced security is a valuable part of our security strategy, and due to our highly segregated environment we have been able to set up this bug bounty program with Bugcrowd to do testing in a safe way, ensuring we are not putting customer data at risk.
Working with Bugcrowd: Measuring Results
Over the course of both the private and public programs, Redox has been able to maintain strong engagement across targets. This program is just one part of Redox’s overall product and application security program; supporting this process helps Redox identify potential vulnerabilities sooner and reduces the risk of patient data being inappropriately accessed or exposed.
Healthcare cybersecurity is a serious undertaking. Attacks can compromise not only networks and data, but also the applications and services supporting critical patient care systems. It’s important to take a defense-in-depth approach to cybersecurity and employ crowdsourced security to level the playing field.
Bugcrowd enables healthcare professionals to assess the risk associated with disparate data sources and infrastructure so patients don’t have to worry about data privacy. Additionally, with our comprehensive methodology, coverage analysis and reporting, Bugcrowd ensures the administrative, physical and technical safeguards are in place to comply with HIPAA.