Six frameworks. One evidence system.
Healthcare software companies don't get to choose which regulations govern their products, their data, or their hospital customers.
HIPAA Business Associate Liability
A breach of PHI in your healthcare software is a HIPAA violation — regardless of whether your product caused the breach directly.
Business Associates are legally liable for PHI breaches regardless of cause. OCR has fined healthcare software vendors whose systems were hacked through vulnerabilities that were known but not remediated — citing inadequate ongoing risk analysis under §164.308(a)(1). The average fine exceeds $1M per violation category per year.
EU CRA + EHDS Double Obligation
The EU Commission confirms an EHR system can simultaneously be an EU CRA Product with Digital Elements AND an EHDS-regulated health record system.
EU Commission FAQ Section 2.7 explicitly states that an EHR system placed on the EU market can be subject to both CRA cybersecurity requirements AND EHDS interoperability and logging requirements at the same time. Healthcare software companies with EU customers face both — from September 2026.
$10.22M average breach. 80%+ via third-party software. 1,174 ransomware attacks in 2025. September 2026 CRA deadline. Healthcare software governance is not optional.
- $10.22M: average healthcare data breach cost, the highest of any industry for 13 consecutive years. Source: MedicalITG 2026.
- 80%+: share of successful healthcare data breaches that involve third-party software vendors. Business associate breaches have increased 337% since 2018. Source: HIPAA Journal 2026.
- Share of healthcare software codebases that contain at least one high or critical open-source vulnerability. Source: OSSRA 2026.
- 60 days: HIPAA Breach Notification Rule deadline from breach discovery to OCR notification. A prevented breach keeps this clock from ever starting.
- 100 days: Black Duck BDSA advisories surface critical vulnerabilities on average 100 days ahead of NVD, for PHI-adjacent components where that lead time prevents HIPAA exposure. Source: Black Duck BDSA product intelligence data.
Healthcare software companies answer to six frameworks — as Business Associates, product manufacturers, and healthcare data processors simultaneously.
| Regulation | Who it affects | Timing | What you must answer | How X-DLM™ helps |
|---|---|---|---|---|
| HIPAA Security Rule | Every healthcare software company that processes, stores, or transmits electronic Protected Health Information (ePHI) as a Business Associate of a HIPAA-covered entity — including EHR vendors, telehealth platforms, clinical decision support companies, healthcare analytics providers, and patient engagement software. | In force and actively enforced. OCR closed 11 hacking-related financial penalty investigations in 2026. Breach notification required within 60 days of discovery. Ongoing risk analysis required — not periodic. | §164.308(a)(1) ongoing risk analysis; §164.312 technical safeguards; §164.308(a)(6) security incident procedures; §164.404 breach notification within 60 days; workforce training; audit controls; access management. | Black Duck identifies PHI-adjacent open-source vulnerabilities with BDSA intelligence on average 100 days ahead of NVD. X-DLM™ routes findings into Polarion risk management workflows with PHI impact assessment, ongoing risk analysis evidence, and documented remediation or risk acceptance decisions. |
| EU CRA (Healthcare Software Products) | Healthcare software companies placing EHR systems, telehealth applications, clinical decision support platforms, patient portal software, and healthcare data integration tools on the EU market as Products with Digital Elements. | Vulnerability reporting: September 11, 2026 — 24h Early Warning, 72h full notification, 14-day Final Report. Full enforcement including CE marking: December 11, 2027. EU Commission FAQ confirms EHR systems can simultaneously be subject to both CRA and EHDS obligations. | Machine-readable SBOM (SPDX or CycloneDX), 24h/72h/14-day exploited vulnerability reporting to ENISA/CSIRTs, coordinated vulnerability disclosure policy, secure-by-design evidence, CE marking, 10-year documentation retention. | Black Duck generates SBOMs from healthcare software source, binaries, and containers. X-DLM™ routes vulnerability findings into Polarion with CRA cascade automation, linked to HIPAA Security Rule risk management workflows where PHI is involved. |
| GDPR + EHDS (EU Health Data) | Healthcare software companies processing personal health data for EU patients — EHR systems, telehealth platforms, health analytics applications, and patient engagement software. | GDPR: active and enforced. EHDS (EU 2025/327): phased implementation ongoing — adds interoperability, logging, and access requirements for EHR systems. Both apply simultaneously to healthcare software in EU. | GDPR Article 9 special category data processing requirements, lawful basis, Data Protection Impact Assessment for high-risk processing, Article 25 privacy-by-design evidence, data subject rights. EHDS adds interoperability, audit logging, patient data access controls. | Polarion links GDPR-relevant design decisions and privacy engineering controls to requirements traceability. X-DLM™ maintains Article 25 privacy-by-design evidence and DPIA documentation — available for healthcare data protection authority inspection. |
| NIS2 (Hospital Customer Supply Chain) | Healthcare software vendors whose EHR, telehealth, and clinical platforms are used by hospitals and healthcare operators classified as NIS2 Essential Entities — the vendors become part of the Essential Entity's supply chain security obligation. | In force since October 2024. Hospital and healthcare operator customers are NIS2 Essential Entities — required to assess and document the security of their software supply chain. This creates a de facto compliance requirement for healthcare software vendors. | SBOM provision, vulnerability governance evidence, security documentation on request, cybersecurity posture assessment support for NIS2-regulated hospital customers. | Black Duck generates SBOM data for hospital NIS2 supply chain security assessments. X-DLM™ maintains Polarion governance records that healthcare software vendors provide to NIS2-regulated hospital customers for their supervisory authority documentation. |
| NIST SSDF (US Federal Healthcare IT) | Healthcare software companies selling EHR, telehealth, or clinical applications to US federal healthcare buyers — VA healthcare system, CMS, DoD Military Health System, Indian Health Service — or seeking FedRAMP authorization. | Active federal procurement requirement. FedRAMP increasingly requires SSDF evidence. VA and DoD healthcare IT procurement requires secure development lifecycle documentation. | NIST SSDF four practice families: Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), Respond to Vulnerabilities (RV) — with documented evidence of implementation across the software development lifecycle. | Polarion provides the workflow backbone for SSDF practice family evidence. Black Duck supplies component intelligence for RV vulnerability response practices. X-DLM™ maintains the SSDF evidence package for VA, CMS, and FedRAMP assessors. |
| SOC 2 Type II | Healthcare software SaaS companies undergoing annual SOC 2 Type II audits as an enterprise hospital and health system procurement prerequisite. | Annual audit cycle — increasingly a baseline requirement for hospital and health system EHR, telehealth, and clinical software vendor qualification. | Security, availability, processing integrity, confidentiality, and privacy trust service criteria. Evidence of operating effectiveness over the audit period including change management, vulnerability management, and access control. | X-DLM™ keeps vulnerability response evidence, change control records, SBOM documentation, and HIPAA risk management records continuously available in Polarion — reducing SOC 2 audit preparation time by 60–80% and providing clean evidence for auditors. |
From Black Duck PHI-adjacent vulnerability scan to HIPAA, EU CRA, and GDPR evidence trail.
- 01 Detect: Black Duck scans EHR software, telehealth applications, clinical decision support systems, HL7 FHIR stacks, patient portal code, and healthcare API middleware, producing SBOM data, vulnerability intelligence with PHI-adjacent classification, malware signals, and license risk specific to healthcare software.
- 02 Route: X-DLM™ synchronizes findings into Siemens Polarion as governed work items, with HIPAA Security Rule risk management classification, EU CRA 24h reporting cascade triggers, GDPR DPIA relevance flags, SOC 2 change control evidence, and NIS2 supply chain documentation.
- 03 Govern: Findings are linked to HIPAA risk analysis records, PHI impact assessments, remediation decisions, Business Associate security posture documentation, EU CRA SBOM versions, and GDPR technical safeguards: the complete healthcare software compliance evidence chain, built continuously.
- 04 Prove: LiveDocs and Polarion workflow history produce the HIPAA Security Rule risk analysis evidence, EU CRA SBOM and vulnerability notification package, GDPR Article 25 documentation, NIS2 supply chain security records, and SOC 2 audit trail, on demand, for OCR, EU regulators, hospital procurement teams, or covered entity security assessments.
One evidence system for every healthcare software obligation.
Book a walkthrough of how X-DLM™ operationalizes HIPAA Security Rule risk analysis, EU CRA SBOM and vulnerability reporting, GDPR health data governance, NIS2 supply chain security, NIST SSDF evidence, and SOC 2 audit trails for healthcare software companies — on Siemens Polarion and Black Duck.