Work / Healthcare
CASE 003 / HEALTHCARE / SECURITY

Security turnaround for a production healthcare SaaS

A practice-management platform for clinics: patient and client records, intake forms, clinical notes, and document generation, tied into Google Forms, Sheets, and Drive. It was already in daily production use, with real security gaps underneath: cross-tenant access, an SQL-injection vector, a brute-forceable login. I took it to hardened production with zero downtime, and built an automated bot that regression-verifies every change since.

Dstarting security grade, now hardened
0downtime during the turnaround
10automated checks on every change
$0idle cost of the verification bot
RoleFull Stack Engineer
TimelineOngoing engagement
IndustryHealthcare
TypeSecurity + platform

The challenge

The app was already in production: patient records, intake forms, clinical notes, real clinics depending on it. That is the worst place to find security problems, and there were several. Users could reach other tenants' records through predictable IDs, a sortable-column parameter was an SQL-injection vector, login had no throttling and tokens never expired, and a bug in the encrypted-PII search meant a core feature silently returned wrong results. Every fix had to land on live data, with zero downtime, in a system where a bad migration touches patient information.

The approach

Harden every layer of the existing stack rather than rewrite it: close the holes in the API, encrypt and index the data properly, keep the integrations, and put an automated verifier in front of production so nothing regresses. Ship each fix as a zero-downtime migration against live data.

SYSTEM ARCHITECTURE// hardened healthcare saas
Client
Vue 3 SPApractice management UI
API
Laravel APItenant scoping, throttling, token expiry
Data
MySQLAES-256 encrypted PII, hash-search
Integrations
Google Formsintake
Sheetsexports
Drivedocuments
Verification
Cloud Run browser botself-destructing, 10 checks per change

What I built

Results

Dto hardened production
0downtime, live PII throughout
100%of changes regression-verified
10checks in the verification suite

The app went from a working product with serious holes to a hardened one with a safety net: tenant isolation enforced in the queries, encrypted PII that is still searchable, and a browser bot that proves every change before it counts as done. All of it landed without taking the clinics offline once.

Want a system like this, built to last?

Book a free call. You will leave with a clear plan for your own AI automation, whether or not we work together.

Book a free call