A clinical operations team's HIPAA Security Rule scope reaches a moment of truth at the application edge. Patient portal traffic terminates here. EHR access decisions are made here. ePHI flows in and out here. The Technical Safeguards under 164.312 — encrypt in transit, control access, authenticate users, audit activity, preserve integrity — are almost entirely application-edge controls. So is most of 164.308's Information Access Management.
The classic responses are both expensive. The bolt-on kit: a WAAP module from one vendor, an access module with MFA from another, a multi-tenancy add-on for multi-site organizations, a data masking add-on for PHI patterns — each licensed separately, each with its own operator console, each integrated by your team. The cloud edge: move ePHI traffic to a third-party WAAP and put the path between the user and the clinical application on someone else's platform — efficient until your governance team asks where ePHI is being inspected and your answer involves a contract clause.
The third path is the one most clinical operations teams actually want: one platform that covers the HIPAA controls that live at the application edge, on the network already inside the audit boundary. TR7 is built for that path. TLS, WAAP, MFA for every account that reaches ePHI, vTenant isolation, PHI masking and audit on the same TR7. The auditor asks for the artifacts; one operator console produces them.
Each control matters on its own. Taken together, they describe what HIPAA compliance looks like when the application edge runs on a single platform you already operate.
TLS termination on the TR7 edge with modern ciphers, current certificates, OCSP stapling, HSTS and the option to enforce mTLS where the use case allows. ePHI on the wire meets the 164.312(e)(2)(ii) encryption expectation before it reaches the clinical backend.
AAM Per-Service Authentication wraps every ePHI-facing application with unique user identification, role-based access policy, configurable session timeouts and auto-logoff. The clinical application receives the user identity it expects; TR7 enforces the access control surface in front of it.
MFA enforced at the edge for every account reaching ePHI through TR7: clinical staff, administrators, contractors, service accounts. OIDC and SAML federation with your IdP; TOTP and FIDO2 natively. The HHS 2024-12-27 Notice of Proposed Rulemaking proposes to remove the "addressable" classification and make MFA mandatory; TR7 is already aligned with that model.
vTenant provides administrative, operational and observational isolation between ePHI and non-ePHI workloads on the same TR7 infrastructure. QoS pools give clinical traffic its own bandwidth envelope; per-vService route tables keep ePHI-bound flows distinct. For multi-site healthcare organizations and BAA service providers, vTenant scales the isolation to many tenants without a separate appliance per site or per client.
TR7 detects PHI patterns — medical record numbers, names, dates of birth, other identifiers — in API and HTML responses and masks them per policy before they leave the application edge. This supports the minimum-necessary disclosure principle for outputs to staff with narrower roles, without changing application code.
Access events, traffic decisions, WAAP detections, MFA outcomes and SSH sessions to clinical infrastructure share one audit trail. SSH command-level capture for administrative sessions is investigation-ready without a separate PAM product. SIEM export uses a consistent taxonomy across the platform — the artifacts an assessor or breach investigator asks for come from one place.
Every capability below runs on the same TR7 platform that delivers and protects your modern services.
Current TLS versions, modern cipher suites, OCSP stapling, automatic certificate management. Optional mTLS where appropriate. Supports 164.312(e) Transmission Security expectations on ePHI in transit.
10,000+ signatures plus an 11-factor scoring engine. OWASP categories, framework-specific protections for common healthcare stacks, CWE/CAPEC/MITRE mapping for audit and incident traceability. Inline blocking or detect-only modes.
AAM Per-Service Authentication wraps a legacy EHR or clinical application with OIDC or SAML SSO from your IdP. The legacy backend receives the credential artifact it expects; clinical staff authenticate the modern way with MFA. Useful for EHR-fronted portals where the underlying clinical system cannot be changed by the customer.
Multi-factor authentication at the access edge for every account that touches ePHI through TR7. Step-up authentication when context changes — different device, different geography, sensitive resource. Aligned with the HHS 2024 NPRM direction on mandatory MFA.
Browser-based access to medical device controllers, PACS workstations, lab instruments, EHR admin consoles. No native client on the operator endpoint. Sessions tunneled and audited at the command level; one revoke ends every active session.
Per-application session timeouts enforce auto-logoff at the access edge, satisfying 164.312(a)(2)(iii) without changes to clinical application code. Step-up reauthentication when the session continues past policy thresholds.
Multi-tenant isolation at the platform level. Hospital chains, regional health systems and clinical SaaS providers can give each site, business unit or customer its own administrative, operational and observability boundary. ePHI-scoped tenants run alongside non-ePHI tenants without commingled configuration, audit or traffic.
ePHI traffic in its own bandwidth envelope; ePHI-bound flows in dedicated route tables. Network segmentation between clinical and non-clinical workloads — exactly the segmentation direction the HHS 2024 NPRM proposes to make mandatory.
Configurable pattern masking on outbound responses. Medical record numbers, patient names, dates of birth and other identifiers truncated or suppressed per role policy. Supports the minimum-necessary disclosure principle on the egress path.
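The masking described in the two PHI paragraphs above comes down to two decisions per response: which categories the caller's role may see, and how each category is reduced rather than simply deleted. The filter below is an added example written for this page, not TR7's own code. The MRN format, the JSON field names, the role table and the sample response are all constructed for illustration; a real policy is tuned to the organisation's own identifier schemes. One design point worth noting: a bare date regex cannot tell a date of birth from an encounter date, so DOB is masked by field name rather than by pattern.

```python
import json
import re

# Added example (not TR7 code): role-aware masking of PHI in outbound
# responses, as an edge would apply it before a reply leaves for the client.
# Patterns, keys, roles and sample data below are constructed for illustration.

# Patterns safe to apply to free text. No bare date regex here: it would
# also catch encounter dates, so DOB is handled by key (see KEYED_FIELDS).
TEXT_PATTERNS = {
    "mrn": re.compile(r"\bMRN[-\s]?\d{6,10}\b"),   # hypothetical MRN format
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Categories recognisable only by the JSON key they arrive under.
KEYED_FIELDS = {
    "name": {"patient_name", "name", "given_name", "family_name"},
    "dob": {"dob", "birth_date", "date_of_birth"},
}

# Hypothetical role policy: categories each role may see unmasked.
# Unknown roles get an empty set, so everything is masked (fail closed).
ROLE_POLICY = {
    "attending": {"mrn", "ssn", "dob", "name"},
    "billing": {"mrn", "dob", "name"},
    "scheduler": {"mrn"},
}

def allowed_for(role):
    return ROLE_POLICY.get(role, set())

def _mask(category, value):
    """Minimum-necessary form of a value: keep only what a narrower role needs."""
    if category == "mrn":
        digits = re.sub(r"\D", "", value)
        prefix = value[: len(value) - len(digits)]
        return prefix + "*" * (len(digits) - 4) + digits[-4:]
    if category == "ssn":
        return "***-**-" + value[-4:]
    if category == "dob" and re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return value[:4] + "-**-**"          # year survives for age-band logic
    return "[REDACTED]"                       # names: no safe partial form

def mask_text(text, role):
    """Apply pattern masking to a free-text or HTML body."""
    allowed = allowed_for(role)
    for category, pattern in TEXT_PATTERNS.items():
        if category not in allowed:
            text = pattern.sub(lambda m, c=category: _mask(c, m.group(0)), text)
    return text

def mask_json(node, role, key=None):
    """Walk a decoded JSON document, masking by key and then by pattern."""
    allowed = allowed_for(role)
    if isinstance(node, dict):
        return {k: mask_json(v, role, k) for k, v in node.items()}
    if isinstance(node, list):
        return [mask_json(v, role, key) for v in node]
    if isinstance(node, str):
        for category, keys in KEYED_FIELDS.items():
            if key in keys and category not in allowed:
                return _mask(category, node)
        return mask_text(node, role)
    return node

def mask_response(content_type, body, role):
    """Entry point for the egress path: bytes in, bytes out."""
    if content_type.startswith("application/json"):
        return json.dumps(mask_json(json.loads(body), role)).encode()
    if content_type.startswith(("text/html", "text/plain")):
        return mask_text(body.decode(), role).encode()
    return body   # binary bodies (e.g. DICOM) are not inspected by this filter

# Constructed sample response from a hypothetical patient API.
SAMPLE_RESPONSE = {
    "patient_name": "Jane Example",
    "mrn": "MRN-00123456",
    "dob": "1984-07-19",
    "ssn": "123-45-6789",
    "notes": "Seen 2024-03-02; prior record MRN-00987654 merged.",
    "encounters": [{"date": "2024-03-02", "attending": "Dr. Example"}],
}

if __name__ == "__main__":
    for role in ("attending", "scheduler", "front-desk"):
        print(role, json.dumps(mask_json(SAMPLE_RESPONSE, role)))
```

Running it shows the same record three ways: the attending sees it unchanged, the scheduler keeps the MRN but loses name, SSN and day/month of birth, and an unrecognised role gets everything masked, including the second MRN buried in free text.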
HL7 over TCP between systems, DICOM imagery for radiology workflows, FTP for lab data exchange, plain TCP/UDP for clinical instruments — purpose-built listeners on the same engine as the HTTP WAAP. One platform, one operator console, one audit trail.
One audit trail across delivery, security, access and DDoS layers. SIEM export with consistent taxonomy. Supports 164.312(b) Audit Controls and 164.308(a)(1)(ii)(D) Information System Activity Review obligations on the application edge.
SSH sessions reaching clinical infrastructure through the TR7 gateway are captured at the command level — every command, every response. Investigation-grade audit for the privileged access HIPAA Security Rule cares about, without a separate PAM product.
TR7 runs on your hardware, in your data centre, under your network controls. ePHI traffic and audit logs do not transit a third-party edge. No business associate agreement is needed for the TR7 platform itself because TR7 does not create, receive, maintain or transmit your ePHI on your behalf: the platform runs in your environment. The one point to confirm with your privacy office is vendor support access; if support staff can reach the platform or its logs in a way that exposes ePHI, that access, not the product, is what brings a BAA into scope.
TR7 covers a specific surface of the HIPAA Security Rule — the application edge. The map below is honest about what that does and does not include.
Unique user identification via AAM and your IdP. Emergency access procedures via per-tenant break-glass flows. Automatic logoff via configurable session timeouts at the access edge. Encryption/decryption of ePHI in transit via the TLS edge. All enforced in front of the clinical application, without code changes.
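The per-application session timeouts described earlier and the automatic-logoff mapping above share one enforcement model: the edge tracks the session, decides before the backend ever sees the request, and refreshes the idle timer only on requests it actually allowed. The code below is an added example for this page, not TR7's own implementation; the application names, thresholds and decision vocabulary are constructed. It separates three clocks that are easy to conflate: idle timeout (the 164.312(a)(2)(iii) control), absolute lifetime, and time since the last MFA, which drives step-up on sensitive resources.

```python
from dataclasses import dataclass

# Added example (not TR7 code): edge-enforced auto-logoff and step-up
# re-authentication per application, with no change to the backend.
# Application names, thresholds and decision strings are constructed.

@dataclass(frozen=True)
class SessionPolicy:
    idle_timeout: int    # seconds without an allowed request before auto-logoff
    max_lifetime: int    # seconds after login when the session ends regardless of activity
    reauth_after: int    # seconds since last MFA before a sensitive request needs step-up

# Hypothetical per-application policies.
POLICIES = {
    "ehr-admin": SessionPolicy(idle_timeout=5 * 60, max_lifetime=8 * 3600, reauth_after=15 * 60),
    "patient-portal": SessionPolicy(idle_timeout=15 * 60, max_lifetime=12 * 3600, reauth_after=60 * 60),
}

@dataclass
class EdgeSession:
    user: str
    created_at: int      # epoch seconds of login
    last_seen: int       # epoch seconds of the last *allowed* request
    last_mfa_at: int     # epoch seconds of the last completed MFA
    ended: bool = False  # once logged off, never revived

def evaluate(app, session, now, sensitive=False):
    """Pure decision: 'allow', 'step_up' or 'logoff'. Lifetime and idle checks
    run first so nothing below them can rescue an expired session."""
    policy = POLICIES[app]
    if session.ended or now - session.created_at >= policy.max_lifetime:
        return "logoff"
    if now - session.last_seen >= policy.idle_timeout:
        return "logoff"
    if sensitive and now - session.last_mfa_at >= policy.reauth_after:
        return "step_up"
    return "allow"

def on_request(app, session, now, sensitive=False):
    """Apply the decision. Only an allowed request extends the idle window, so a
    request arriving after the timeout cannot resurrect the session."""
    decision = evaluate(app, session, now, sensitive)
    if decision == "allow":
        session.last_seen = now
    elif decision == "logoff":
        session.ended = True
    return decision

def complete_step_up(session, now):
    """Called after the IdP/MFA round-trip succeeds."""
    session.last_mfa_at = now
    session.last_seen = now

def demo():
    """Timeline for one EHR admin session; returns the edge's decisions in order."""
    s = EdgeSession(user="admin.example", created_at=0, last_seen=0, last_mfa_at=0)
    out = [on_request("ehr-admin", s, now=120),
           on_request("ehr-admin", s, now=400),
           on_request("ehr-admin", s, now=650),
           on_request("ehr-admin", s, now=920, sensitive=True)]   # 920s since MFA: step-up
    complete_step_up(s, now=925)
    out += [on_request("ehr-admin", s, now=930, sensitive=True),  # fresh MFA: allowed
            on_request("ehr-admin", s, now=1300),                 # idle 370s > 300s: logoff
            on_request("ehr-admin", s, now=1301)]                 # ended sessions stay ended
    return out

if __name__ == "__main__":
    print(demo())
```

The step-up at t=920 deliberately does not refresh `last_seen`: a challenge the user has not yet answered is not evidence of activity, and treating it as such would let an abandoned screen stay alive by bouncing off the MFA prompt.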
Centralized record and review across access events, WAAP detections, MFA outcomes, traffic decisions and command-level SSH sessions. SIEM export with consistent taxonomy. Configurable retention. Investigation-grade artifacts on demand.
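A "consistent taxonomy" across the audit trail, as the paragraph above and the SIEM export capability below describe, means every event carries the same category and type fields and those fields map mechanically into whatever the SIEM ingests. The exporter below is an added example for this page, not TR7's own format or code. The vendor, product and version strings, the internal event field names and the sample events are assumptions for illustration; the CEF escaping rules and extension key names (suser, src, dhost, act, outcome, msg, rt) are the standard ones from the ArcSight CEF dictionary.

```python
import json

# Added example (not TR7 code): one event taxonomy rendered into the three
# shapes a SIEM typically accepts: CEF, JSON and plain key=value text.
# Vendor/product/version and internal field names are assumed for illustration.

DEVICE_VENDOR, DEVICE_PRODUCT, DEVICE_VERSION = "TR7", "ApplicationEdge", "1.0"

# Internal field -> CEF extension key (standard dictionary names), fixed order.
CEF_MAP = [
    ("user", "suser"),
    ("src_ip", "src"),
    ("app", "app"),
    ("dst_host", "dhost"),
    ("action", "act"),
    ("outcome", "outcome"),
    ("detail", "msg"),
]

def _esc_header(value):
    # In the pipe-delimited header only backslash and pipe are special.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(value):
    # In the extension, backslash and '=' are special and newlines must be encoded;
    # a literal pipe is fine here.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(event):
    signature = f"{event['category']}.{event['type']}"          # stable ID for SIEM rules
    name = f"{event['category']} {event['type'].replace('_', ' ')}"
    header = "|".join(_esc_header(v) for v in (
        DEVICE_VENDOR, DEVICE_PRODUCT, DEVICE_VERSION, signature, name, event["severity"]))
    ext = [f"rt={event['ts'] * 1000}"]                           # receipt time, ms since epoch
    ext += [f"{cef}={_esc_ext(event[k])}" for k, cef in CEF_MAP if k in event]
    return f"CEF:0|{header}|" + " ".join(ext)

def to_json(event):
    return json.dumps(event, sort_keys=True, separators=(",", ":"))

def to_plain(event):
    return " ".join(f"{k}={json.dumps(event[k])}" for k in sorted(event))

EXPORTERS = {"cef": to_cef, "json": to_json, "plainText": to_plain}

def export(event, fmt):
    return EXPORTERS[fmt](event)

# Constructed sample events sharing one taxonomy: category.type.
SAMPLE_EVENTS = [
    {"ts": 1718000000, "category": "mfa", "type": "challenge_failed", "severity": 6,
     "user": "dr.example", "src_ip": "203.0.113.7", "app": "ehr-portal",
     "outcome": "failure", "detail": "TOTP code rejected|retry=2"},
    {"ts": 1718000042, "category": "waap", "type": "sqli_blocked", "severity": 8,
     "src_ip": "198.51.100.23", "app": "patient-api", "action": "block",
     "detail": "' OR '1'='1 in query string"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for fmt in EXPORTERS:
            print(export(ev, fmt))
```

The detail strings are chosen to exercise the escaping: the pipe inside the MFA message passes through untouched in the extension, while the `=` signs in both messages are escaped, which is exactly the pair of rules that a hand-rolled CEF writer most often gets backwards.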
TLS in transit provides cryptographic integrity on the wire. Content-aware response inspection detects unauthorized modification of outbound content. Integrity at rest is a storage-layer concern that complements rather than overlaps with the application-edge layer.
MFA enforced at the access edge through AAM. OIDC and SAML federation; TOTP and FIDO2 natively. Step-up authentication when context changes. The HHS 2024 NPRM direction making MFA mandatory aligns with how TR7 already deploys.
TLS termination at the edge with modern ciphers, current certificates and modern protocol versions. HSTS, OCSP stapling, optional mTLS. Internal backend legs can also be TLS-protected from the TR7 edge.
AAM enforces per-application access policy at the application edge. Identity, device posture, geography, time-of-day and MFA strength feed access decisions. Workforce members reach only the clinical applications their role authorises.
Access events are logged and reviewable in the centralized audit trail. Failed authentication attempts, MFA challenges and step-up outcomes are captured for investigation and trend analysis.
The HHS 2024-12-27 Notice of Proposed Rulemaking would make MFA, encryption in transit, network segmentation around ePHI, and several other controls explicitly mandatory rather than "addressable." TR7 already deploys these as core capabilities — customers planning for the final rule are already aligned on the application-edge controls.
TR7 is the application-edge layer of a HIPAA programme. It does not replace 164.310 Physical Safeguards, workforce training, security policies, risk analysis, business associate management, contingency planning, encryption at rest (storage layer), vulnerability scanning, penetration testing, asset inventory or patch management. These are complementary controls in a complete HIPAA programme.
Patient portals, clinician access, EHR-fronted public services. TR7 places TLS, WAAP, MFA and PHI masking in front of every ePHI-facing application; vTenant separates clinical workloads from non-clinical infrastructure on the same platform.
Video, scheduling, clinical messaging and patient APIs. Edge TLS, WAAP on every API, MFA on every clinician account, centralized audit for 164.312(b) — without spreading the controls across four vendors.
Business associates serving many covered entities. vTenant gives each covered-entity customer its own administrative and audit boundary on shared TR7 infrastructure. PHI masking and access controls apply per tenant; BAA evidence comes from one consistent operator surface.
DICOM imagery, HL7 message flows, FTP-based lab data and TCP/UDP clinical instruments — non-HTTP traffic on the same platform as the HTTP WAAP. Clientless RDP/SSH for PACS administrator access without distributing native clients.
Many clinical sites, one operator team. vTenant scales site isolation; QoS pools keep each site's traffic separate; route tables keep ePHI flows distinct. Site-level audit boundaries without one appliance per location.
ePHI for research with stricter least-privilege boundaries. AAM Per-Service Authentication with role-aware access policy; PHI masking on staff-facing dashboards and APIs; audit trail for IRB and sponsor obligations.
Capabilities referenced by this solution — the technical pieces that compose the controls described above.
Server-rendered pages with pixel-level modifications — readable on screen for the user, nonsense to OCR engines and AI vision models when extracted as an image.
Browser-only access to RDP, VNC, SSH, Kubernetes and legacy systems — with credential vault, recording, and watermark built in.
Three MFA methods, per-service policy, trusted-device shortcut — no third-party MFA cloud.
One flow engine decides every authentication outcome — who can reach what, after which factor, under which context.
Trust earned at login doesn't carry forever. Every session stays under evaluation, every step of the way.
Connect every identity source beyond SAML and OIDC to the same access and audit flow.
WAAP inspection, mTLS identity and data masking keep working even as traffic flows to backends over TLS.
Mask IP for log privacy, reconstruct the correct client IP across proxy chains.
Move beyond L3/L4 — carry HTTP context into your flow records.
Move TLS beyond file-based configuration — turn it into a per-service security profile, certificate lifecycle and post-quantum readiness layer.
Lift the client certificate out of connection control and turn it into an identity object that drives traffic decisions.
Every tenant in its own routing world — overlapping IPs, static + dynamic routing and gateway monitoring from one panel.
Mask sensitive data at platform level before it reaches the user or the logs.
Send every platform event to your SIEM in the format it expects — JSON, CEF or plainText.
One TR7. Many tenants. Resources, network and operations boundaries each kept separate.
Make every L7 request measurable, filterable and reportable.
Produce branded, scheduled and on-demand PDF/XLSX reports in a single reporting pipeline.
Turn raw WAAP logs into readable evidence reports for auditors, management and customers.
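Two of the capabilities listed above, reconstructing the real client IP across proxy chains and masking IPs for log privacy, are where edge logging most often goes wrong, because X-Forwarded-For is attacker-writable up to the first proxy you actually control. The code below is an added example for this page, not TR7's own logic. The trusted proxy ranges, the sample headers and the /24 and /48 masking widths are constructed for illustration. It walks the header right to left, stops at the first address that is not one of your own proxies, ignores the header entirely when the TCP peer is not a trusted proxy, and fails closed on malformed entries.

```python
import ipaddress

# Added example (not TR7 code): recover the real client address behind a
# proxy chain, then mask it for privacy-preserving access logs.
# Trusted proxy ranges and sample headers are constructed for illustration.

TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.100.0/24")]

def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, xff=None):
    """Return the first address, reading X-Forwarded-For right to left, that is
    not one of our own proxies. Anything left of an untrusted hop is under the
    client's control and is never consulted. Returns None if the header is
    malformed, so the caller can refuse to attribute the request."""
    peer = ipaddress.ip_address(remote_addr)
    if not _trusted(peer):
        return peer                     # header did not arrive via our proxies: ignore it
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None                 # e.g. "unknown" or injected junk: fail closed
        if not _trusted(ip):
            return ip
    # Every hop was internal (health check, internal tool): attribute to the
    # leftmost hop, or to the peer itself if the header was empty.
    return ipaddress.ip_address(hops[0]) if hops else peer

def mask_for_log(ip):
    """Truncate to /24 (IPv4) or /48 (IPv6): network locality is kept for
    trend analysis without storing a full per-user identifier."""
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def access_log_entry(remote_addr, xff, path):
    """What the edge would write: masked client, raw peer, request path."""
    ip = client_ip(remote_addr, xff)
    return {
        "client": mask_for_log(ip) if ip is not None else "invalid-xff",
        "peer": remote_addr,
        "path": path,
    }

if __name__ == "__main__":
    # Constructed cases: legitimate chain, spoof attempt, untrusted peer, junk header.
    for peer, xff in [("192.168.100.5", "203.0.113.7, 10.1.2.3"),
                      ("192.168.100.5", "1.1.1.1, 203.0.113.7"),
                      ("198.51.100.9", "1.1.1.1"),
                      ("10.1.2.3", "203.0.113.7, unknown")]:
        print(access_log_entry(peer, xff, "/portal"))
```

In the second case the client prepended `1.1.1.1` before reaching your proxy; the right-to-left walk attributes the request to `203.0.113.7`, the address your own proxy observed, and the injected value never reaches the log.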
Bring your HIPAA scope to a TR7 demo. We will walk through TLS at the edge, WAAP in front of clinical applications, MFA for every account reaching ePHI, vTenant isolation between clinical and non-clinical workloads, PHI masking and the audit trail — exactly the artifacts an assessor or breach investigator asks for.