Industry · Healthcare

Zero PHI Touchpoint. Full Audit Trail.

Workforce phishing training that proves your security-awareness program works, without adding one more system that has to touch a medical record to do it.

The constraint healthcare security teams actually have

HIPAA's Security Rule expects documented workforce security-awareness training (45 CFR §164.308(a)(5)) — but every additional vendor system you connect to run that training is one more system your privacy office has to review for PHI exposure. The easiest way to pass that review is to never be in scope for it in the first place.

Employee, not patient, data model

PHI never enters the platform

PhishArmory's data model is employee directory information — name, work email, role — the same fields any training LMS already holds. There is no patient record, EHR integration, or clinical data path anywhere in this system, by construction, not by access control alone.

campaign.user_activity_viewed

Reads are logged, not just writes

Per-employee results are visible only to Operator/Admin roles — and every time someone with access opens that detail view, the view itself is logged with user agent and IP. Exactly the kind of access-log evidence a HITRUST assessor or privacy officer asks for.

crypto_vault.py · operators.mfa_secret_ciphertext

Administrative & Cryptographic Hardening

The admin console behind this employee-only data model is itself hardened: every operator account requires TOTP multi-factor authentication to sign in, and every stored credential — including those MFA secrets themselves — is protected under host-isolated envelope encryption, a per-secret data key wrapped by a master key that never leaves this host's environment. Baseline platform protections, not a per-engagement configuration.

What this maps to on your compliance calendar

Architectural controls, not certifications — this is the evidence our platform contributes to a program you already run.

FrameworkWhat we contribute
HIPAA Security Rule
§164.308(a)(5)
A timestamped record of every training campaign, per-employee result, and remediation action — the security-awareness-training evidence the administrative safeguards standard expects your program to produce.
HITRUST CSF Role-gated access to sensitive results, with every read logged, maps directly to the access-control and audit-logging control references HITRUST assessors check against.
SOC 2 Type II (CC7.2) The same append-only, tamper-resistant action log doubles as the system-monitoring evidence CC7.2 audits request, if your organization is also pursuing SOC 2.
PhishArmory is not a HIPAA-covered-entity certification and doesn't replace your privacy program's own risk analysis. This describes the architectural controls we contribute as evidence within that program.