Question 1

Is OsirisCare ready for the 2026 HIPAA Security Rule?

Accepted Answer

Yes. The platform was designed around the technical requirements in the HHS Office for Civil Rights Notice of Proposed Rulemaking (December 2024). Every organization on OsirisCare today is already monitoring continuous MFA enforcement, encryption at rest and in transit, documented network segmentation, asset inventory, vulnerability scanning, patching timelines, incident response with business associate coordination, risk analysis, and contingency plan testing — the nine core requirements in the 2026 NPRM.

Question 2

Does OsirisCare work for multi-site organizations and DSOs or only single clinics?

Accepted Answer

Both. The platform was built with multi-site in mind from day one. Backend-authoritative mesh distributes monitoring work across multiple appliances per site, cross-subnet device discovery handles multi-VLAN healthcare LANs, and fleet-wide dashboards roll up evidence across every location. A single solo clinic runs one appliance; a 20-location DSO runs 20-plus with deterministic failover via hash-ring target assignment.

Question 3

How does OsirisCare prove compliance to an auditor?

Accepted Answer

Every compliance bundle is Ed25519-signed with per-appliance keys, hash-chained, and OpenTimestamps-anchored to the Bitcoin blockchain. Auditors download a ZIP verifier kit (README, verify.sh, chain.json, bundles, public keys, OpenTimestamps proofs) and confirm the full evidence chain independently on their own laptop. The verifier runs offline; no call-home to OsirisCare is required. If OsirisCare disappears tomorrow, every evidence bundle remains verifiable forever.

Question 4

How much does OsirisCare cost compared to a traditional MSP?

Accepted Answer

OsirisCare starts at $499/month per site. Traditional MSPs in the healthcare vertical typically charge $2,000–$4,000 per month for comparable HIPAA evidence, monitoring, and attestation coverage — a 75% cost reduction. A 90-day pilot is available at $299 applied toward the first month on a paid tier.

Question 5

What is drift detection?

Accepted Answer

Drift detection is continuous monitoring of system configuration against a HIPAA-aligned baseline — patching status, firewall posture, audit logging, antivirus, backup cadence, and encryption. When a system drifts out of compliance, OsirisCare captures signed evidence and either self-heals via a pre-approved runbook or escalates to a named operator.

Question 6

How does OsirisCare compare to Vanta, Drata, or Delve?

Accepted Answer

Vanta and Drata are horizontal GRC platforms optimized for SOC 2 across many industries. OsirisCare is purpose-built for healthcare compliance with on-site appliance monitoring, PHI scrubbing at egress, and cryptographically verifiable evidence the auditor confirms independently. Against Delve specifically, OsirisCare's verifiable evidence chain is designed so the auditor never has to trust the platform — a key distinction for organizations that lived through the April 2026 compliance-automation trust event.

Question 7

Which compliance frameworks does OsirisCare support?

Accepted Answer

Nine frameworks with single-evidence-bundle crosswalk: HIPAA, SOC 2, PCI DSS, NIST CSF, CIS Controls, SOX, GDPR, CMMC, and ISO 27001. Multi-framework customers (common in DSOs and imaging centers) run one control set mapped to multiple frameworks rather than parallel audit programs.

Question 8

What does the on-site appliance do that cloud-only compliance tools cannot?

Accepted Answer

The appliance performs LAN-level device discovery across subnets and VLANs, monitors endpoints that are not accessible from the cloud, scrubs PHI at the network egress point so it never leaves the practice, and produces signed evidence locally — meaning compliance monitoring continues even when outbound internet is intermittent. Cloud-only tools have no way to see the clinical workstations, imaging equipment, or network devices that define the practice's actual compliance posture.

Question 9

How fast is deployment?

Accepted Answer

A single-site pilot is typically online within 30 minutes of the appliance arriving on the LAN. Multi-site rollouts scale linearly — plug the appliance in, apply the USB install media, and the box auto-provisions on its first checkin. A 20-location DSO is typically deployed fleet-wide within 2–4 weeks depending on shipping.

Question 10

What happens if I cancel my subscription?

Accepted Answer

Every evidence bundle produced while you were a customer remains cryptographically verifiable forever. You keep the auditor kit and the public keys. Verification of historical evidence does not require an active OsirisCare account, any OsirisCare API call, or OsirisCare infrastructure of any kind.

Question 11

Is OsirisCare suitable for a partner MSP channel?

Accepted Answer

Yes. Flat 20% partner margin across all tiers. Multi-tenant partner portal with per-client row-level-security isolation at the database layer. White-label client portal available on the Professional tier and above. Partner-owned client attribution is tracked at the database level so direct-sales motion does not compete with partner-sourced clients.

Question 12

What does PHI scrubbing at the appliance mean?

Accepted Answer

All outbound data from the appliance passes through a PHI scrubbing module that strips patient identifiers, medical record numbers, and HIPAA-sensitive strings before any data leaves the practice LAN. Central Command operates on PHI-free evidence bundles. This is enforced in code, tested in CI, and verified at 14 distinct pattern classes.

2026 NPRM requirement	OsirisCare monitors with
MFA enforcement on ePHI access	mfa_enabled check, per host, per cycle, with signed evidence
Encryption at rest and in transit	bitlocker_enabled, filevault_enabled, luks_enabled, tls_version, smb_signing
Documented network segmentation	Cross-subnet device discovery with signed segmentation reports
Asset inventory with annual review	Continuous discovery across every site; timestamped signed exports
Vulnerability scanning every 6 months (NEW)	CVE Watch daily across every discovered device, signed per cycle
Patching with defined timelines	patching check plus time-to-patch metric per host per CVE
Incident response with BA coordination	Append-only signed remediation chain with actor and reason
Written, comprehensive risk analysis	Live crosswalk across 9 frameworks tied to real telemetry
Tested contingency plan	Backup validation and mesh failover exercises produce signed evidence

Continuous HIPAA compliance for healthcare organizations — from single clinics through multi-site provider networks and DSOs.

Built for the 2026 HIPAA Security Rule NPRM

One platform, every scale

Single clinic

Multi-location group

DSO and health-system IT

Partner MSPs and compliance consultants

Why cryptographic evidence matters

Three-tier self-healing

What your auditor actually downloads

Resources

Get started