
Health Care

Mobile that earns its place in a HIPAA risk register.

Clinical tablets, EMR-on-the-go, telehealth devices, traveling-nurse phones. The phone is a workstation and a stethoscope and an audit liability all in one. HardenedOS gives you the policy bag, the attestation, and the audit-grade event stream that lets your CISO sign the BAA without the bolt-on MDM tax.

The threat surface

Where mobile breaks HIPAA.

Most HIPAA violations on mobile are mundane — not a state actor, not a targeted attack. A phone left at a coffee shop. A photo with PHI in the EXIF. A consumer app that was supposed to be "for clinical use" sharing data with three SDK partners. HardenedOS targets these specifically:

PHI in tracker SDKs

The free clinical-reference app a nurse installed pulls in three location-collecting SDKs. Now patient location ranges (where the visit happened), medication-dose timing, and clinician identity sit in a third-party data broker. Per-app network gating + sensor scopes shut these down without breaking the reference app.

Lost or stolen phone

Devices walk off in waiting rooms, ED bays, parking lots. Duress PIN wipes irrevocably. Auto-reboot on idle clears decryption keys. Hardware attestation means a swapped device can't impersonate the original on dispatch — your IT sees it red on the dashboard.

Phone-as-pivot ransomware

Mobile malware targeting clinical workflows is rare but real (BlackHat 2023, multiple proof-of-concepts). The required-app catalog locks the install set; sideloading is off; hardware attestation flags any tampered firmware. A compromised handset stops being a pivot point on next manifest sync.

Patient privacy in collective bargaining

Clinician unions watch for invasive monitoring. The surveillance ceiling — kernel-enforced, no tier can override — neutralizes the "we're recording your microphone" allegation, and the ceiling itself is auditable.

BYOD masquerading as clinical

Personal devices get used "just for one chart" because the issued tablet is in a charger somewhere. HardenedOS at Basic tier gives the user a clean phone they actually want to use: same fleet, same management, different policy bag.

Telehealth audio + video integrity

The video-call app needs camera + mic. But it shouldn't have access to the contact list, the file system, or the SMS log. Per-app permission scopes give it exactly what it needs — nothing more.

How HardenedOS responds

The healthcare-tier configuration.

Most health systems run Corporate tier on the clinician phone, with this policy bag adjusted via /policies:

  • Required-app catalog locked

    Your EMR client (Epic Haiku, Cerner PowerChart Touch, athenaOne Mobile, etc.), your secure messenger (TigerConnect / Halo / Voalte), your reference app (UpToDate / Lexicomp / Epocrates). Each pinned to its developer signing-cert SHA-256 — DPC verifies on install + post-install. Sideloading off; no consumer app store.

  • Per-app permission scopes

    The EMR client gets network + storage scope to its own folder. The video-call app gets camera + mic + network. The reference app gets network. Everything else: nothing. The OEM keyboard with the cloud-sync feature can't ship anything off the device.

  • Storage scopes for evidence + photos

    Wound-photo and imaging-attachment apps see one folder: /Documents/Clinical. They can't read other apps' caches, personal media, or the SMS log. EXIF stripped on save by the OS.

  • HMAC-signed event stream to your SIEM

    Every device event — activation, tier change, install, wipe-requested, heartbeat-attested — is POSTed to your endpoint with an HMAC-SHA256 signature. It drops straight into Splunk / Sentinel / Sumo and gives your compliance team an audit trail it can produce on demand.

  • Surveillance ceiling, kernel-enforced

    Patient privacy + clinician privacy + collective-bargaining angles all solved at the OS level. No tier — including Government — can silently capture audio, screen-record, log keystrokes, or hide the management UI from the user.
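The event-stream bullet above says each device event arrives at your endpoint with an HMAC-SHA256 signature. The receiving side is what your SIEM team actually has to get right: verify the MAC over the raw request bytes before parsing, use a constant-time comparison, and bind a timestamp into the signed data so a captured "heartbeat-attested" event cannot be replayed later. The block below is an added example written for this page, not HardenedOS code; the shared secret, the `t=<unix time>,v1=<hex mac>` header layout, the `<timestamp>.<body>` signing input and the sample event bodies are all constructed assumptions, since the page does not document the wire format.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed for this example: in practice the secret comes from the management
# panel and lives in your SIEM's secret store, never in source.
WEBHOOK_SECRET = b"example-shared-secret-from-management-panel"
MAX_SKEW_SECONDS = 300  # events older (or newer) than 5 minutes are treated as replays

# Constructed sample events in the shape the page lists (activation, tier change,
# install, wipe-requested, heartbeat-attested). Field names are assumptions.
SAMPLE_EVENTS = [
    b'{"event":"activation","device_id":"DEV-0001","tier":"corporate"}',
    b'{"event":"wipe-requested","device_id":"DEV-0001","tier":"corporate"}',
    b'{"event":"heartbeat-attested","device_id":"DEV-0002","attestation":"ok"}',
]


def sign_event(secret: bytes, timestamp: int, body: bytes) -> str:
    """What the sender attaches (assumed format): HMAC-SHA256 over
    '<timestamp>.<raw body>', so the timestamp is covered by the MAC."""
    mac = hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def parse_signature_header(header: str) -> Optional[Tuple[int, str]]:
    """Split 't=...,v1=...' into (timestamp, hex mac); None if malformed."""
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    if "t" not in parts or "v1" not in parts or not parts["t"].isdigit():
        return None
    return int(parts["t"]), parts["v1"]


def verify_event(secret: bytes, header: str, body: bytes,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the parsed event if the signature is valid and fresh, else None.

    The MAC is checked on the raw bytes BEFORE json.loads: re-serialised JSON
    can differ byte-for-byte from what the sender signed, and parsing untrusted
    input before authenticating it widens the attack surface for no benefit.
    """
    now = int(time.time()) if now is None else now
    parsed = parse_signature_header(header)
    if parsed is None:
        return None
    ts, presented = parsed
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None  # stale or future-dated: drop and alert rather than ingest
    expected = hmac.new(secret, str(ts).encode() + b"." + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):  # constant-time compare
        return None
    try:
        event = json.loads(body)
    except ValueError:
        return None
    if not isinstance(event, dict) or "event" not in event:
        return None
    return event


def ingest(secret: bytes, header: str, body: bytes, now: Optional[int] = None) -> str:
    """Tiny triage step a SIEM pipeline would run: verified events are routed,
    anything else is logged as a rejected delivery (itself a useful signal)."""
    event = verify_event(secret, header, body, now)
    if event is None:
        return "rejected"
    if event["event"] == "wipe-requested":
        return "alert"      # page the on-call: a device is being wiped
    return "audit"          # everything else lands in the audit index


if __name__ == "__main__":
    t = int(time.time())
    for body in SAMPLE_EVENTS:
        hdr = sign_event(WEBHOOK_SECRET, t, body)
        print(ingest(WEBHOOK_SECRET, hdr, body), body.decode())
    # A body altered in transit (even by one byte) is rejected.
    print(ingest(WEBHOOK_SECRET, sign_event(WEBHOOK_SECRET, t, SAMPLE_EVENTS[0]),
                 SAMPLE_EVENTS[0] + b" "))
```

The freshness window is the piece most receivers forget: without the timestamp inside the signed data, a valid "heartbeat-attested" delivery captured once can be resent indefinitely and the fleet dashboard will keep showing a stolen device as healthy. Keep `MAX_SKEW_SECONDS` tight enough for your clock discipline, and log rejections rather than silently dropping them, since a burst of bad signatures is worth a look in its own right.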

Who deploys this

Procurement shapes we see.

IDN / health-system fleets

1,000–50,000 clinician phones across an integrated delivery network. Procurement runs through a clinical-mobility integrator who white-labels HardenedOS to their support brand. CIO + CISO own the management panel.

Telehealth + home-health

Mid-size, mobile-first care models. The phone IS the workstation. Often a mixed Corporate + Basic deployment: clinicians on Corporate, traveling nurses on Basic with a required app catalog.

Specialty + ambulatory

Smaller practices, harder ROI on traditional MDM stacks. A single white-labeled vendor handling devices + management + branding wins on operational simplicity.

Pilot one unit. Then a service line.

We'll send a small batch under your branding. One nursing unit, one rotation. Your IT keeps the management panel + webhook stream into your SIEM. We'll co-author the BAA addendum if it helps.