More Security for Patient Data: Pentest and Cloud Audit at medavis

Case Study – IT-Security

written by: usd AG, Germany

Compliance requirements are often the driving force behind the necessity of a pentest. However, each company and its IT infrastructure has to be looked at individually. Usually the initially requested pentest is not enough. For example, if applications run in the cloud, other attack vectors need to be considered as well. A good example is the cooperation with medavis GmbH.

The Karlsruhe-based provider of radiology workflow solutions processes highly sensitive patient data, such as diagnostic images and medical findings, and thus places the radiology workflow at the center of its thoughts and actions. Due to the very high protection requirements of the processed data, medavis ordered a check of the IT security level of the entire cloud infrastructure in addition to the pentest. The usd security experts analyzed the configuration of the AWS cloud services and the applications running on it.

usd Experts have developed a special testing procedure, which is based on the specifications of the Payment Card Industry Data Security Standards (PCI DSS), the recommendations of the German Federal Office for Information Security (BSI) and the Open Web Application Security Project (OWASP), among others. Furthermore, benchmarks of the Center for Internet Security (CIS) and best practices of the cloud service providers are taken into account. Combining all those requirements as the basis of the usd approach increases the security of the tested systems in the long term.

Tobias Troesch, Product Owner at medavis GmbH, and his colleagues take information security very seriously:

“As a manufacturer of radiology workflow solutions, we provide the information flow of sensitive data for medical diagnoses. The protection of patient data is hence a top priority for us. Only this way, we can guarantee our customers the best possible security level. usd AG has supported us in a highly professional and competent way from the beginning. This was already evident in the initial consultation: In close collaboration, we defined the risk classifications of the various functions and thus received an excellent offer adapted to our needs in order to have the most efficient examination carried out. Taking also the configuration of AWS cloud services into consideration was an excellent approach from the usd specialist sales department at this phase. Overall, we would like to thank usd AG for the always pleasant and goal-oriented cooperation and competent advice – even beyond the actual project.”


Tobias Neitzel, usd Managing Consultant IT Security, about the specifics of the environment they have tested:

“The pentest of a cloud infrastructure is different from the traditional on-premise infrastructure test. Cloud provider such as AWS offer many features and a high degree of flexibility. This has many advantages for cloud users, but also entails security-related risks that should not be underestimated. Cloud providers therefore generally follow a model of shared responsibility: For example, the responsibility for configuring the servers and access rights lies with the user.”

“Companies usually focus on testing their application. In doing so, they often disregard the configuration of the cloud services themselves. It is very important for us to address precisely these points of attack in the initial consultation with our customers. medavis GmbH took exactly the right steps to achieve a higher IT security level by conducting a technical security analysis in the form of pentests as well as a configuration audit. We are looking forward to a continued  partnership and cooperation.”, added Dr. Kai SchubertManaging Consultant der usd AG.

More News

medavis Joins Forces with InformMe

medavis Joins Forces with InformMe

medavis Joins Forces with InformMe Hand in Hand for a Digital Workflow in Radiology and BeyondKarlsruhe / Munich, March 25, 2024 – Karlsruhe-based medavis GmbH expands the Group through its acquisition of InformMe GmbH. Taking this step creates the opportunity for the...

read more
The medavis Group Expands its Management Team

The medavis Group Expands its Management Team

Press ReleaseThe medavis Group Expands its Management Team and Sets the Course for Further GrowthThe new and distinctively positioned group, consisting of medavis GmbH headquartered in Karlsruhe, Digithurst GmbH & Co. KG located in Büchenbach, and epiNET GmbH...

read more

Do you have further questions or would like to get a demo?

Do not hesitate to contact us. We look forward to providing you with the necessary advice or to arrange a demo appointment with you, in order to present your optimal workflow.

* Mandatory field: Please fill in all fields marked with *.

** Tracking consent: I agree that medavis GmbH can analyze my usage behavior in relation to the newsletter (e.g. which content is clicked on) in order to offer me newsletter content that is tailored to my interests. Further information can be found in our privacy statement. I can revoke this consent at any time with effect for the future by sending an e-mail to or via the link in every e-mail I receive.

Keep informed with our newsletter!