Diagnostic.ly — A Five-Year Partnership in Security, Trust, and Growth

A Partnership Built Over Five Years

Diagnostic.ly is a forward-thinking health technology company whose platform manages sensitive patient and diagnostic data at scale. As the healthcare sector has grown increasingly targeted by cybercriminals — and as enterprise clients have raised the bar on security expectations — Diagnostic.ly has had to evolve its security posture in lockstep with its business ambitions. The company is led by David Shor, Chairman and CEO, whose hands-on involvement in security decisions has been a hallmark of the relationship from day one. Over five years, a growing cast of stakeholders from technical, operational, and executive functions has been brought into the work — a sign not just of organizational growth, but of how deeply security has become embedded in the company's culture.

When Diagnostic.ly first engaged with us, the company faced a set of challenges common to fast-growing health tech businesses: ambitious growth targets, increasingly sophisticated clients with rigorous security expectations, and no dedicated security leadership to navigate it all.

Specifically, the team was grappling with:

  • No dedicated CISO or in-house security leadership function
  • Growing complexity of healthcare data compliance — HIPAA, SOC 2, and beyond
  • An expanding attack surface as the platform scaled into new markets
  • Enterprise clients demanding evidence of mature, auditable security practices
  • Limited internal bandwidth to design and implement a holistic security program

HOW WE HELPED

Our engagement with Diagnostic.ly has evolved over five years to meet the company exactly where it is. What started as a foundational security review has grown into a comprehensive, multi-discipline program spanning virtual CISO leadership, privacy compliance, technical security controls, and ongoing strategic advisory. Below is a snapshot of the work we have delivered together.

Virtual CISO (vCISO)

Ongoing executive-level security leadership for David Shor and the leadership team — providing strategic direction, risk oversight, and a trusted advisor in the room for every major decision.

HIPAA Compliance & Incident Response

Guided Diagnostic.ly through HIPAA control implementation and supported the team through a real-world incident — a bug-triggered notification — ensuring proper documentation, containment, and reporting.

GDPR Data Protection Impact Assessment

Delivered a full DPIA under Article 35 GDPR — covering data mapping, risk analysis, stakeholder consultation, and a public-facing summary — completed and marked closed on schedule.

PIPEDA Privacy Compliance Program

Led a six-week assessment of Diagnostic.ly's alignment with Canada's PIPEDA — producing a full compliance mapping, risk register, gap analysis, and remediation roadmap for leadership.

Penetration Testing & Vulnerability Management

Coordinating a Laravel application pentest and ongoing vulnerability management — including CIS control implementation across audit logging, malware defense, network architecture, and application security.

Security Awareness & Phishing Simulations

Built and launched a company-wide security awareness program, including role-specific training and phishing simulations using GoFish — embedding a security-first culture across the organization.

Disaster Recovery Planning

Supporting the design and implementation of a formal DR plan — defining architecture, ownership, and implementation responsibilities in partnership with Diagnostic.ly's internal engineering team.

SIEM & Security Tooling Advisory

Evaluated Rapid7 InsightIDR for AWS log monitoring and SIEM implementation — providing cost-benefit analysis and strategic guidance on security tooling investment as the company scales.

THE RESULTS

The impact of five years of sustained, strategic security partnership is tangible across every layer of Diagnostic.ly's business.

Privacy & Compliance — Multi-Jurisdiction, Fully Addressed

  • GDPR DPIA completed and closed — full Article 35 documentation, risk register, and public summary delivered
  • PIPEDA compliance program built from scratch — covering all 10 Fair Information Principles
  • HIPAA controls implemented and a real-world incident navigated and documented correctly
  • Mexican privacy legislation reviewed and incorporated into the compliance program
  • Multi-jurisdiction privacy posture that supports Diagnostic.ly's growing global footprint

Technical Security — Controls That Actually Work

  • CIS security controls implemented across audit logging, malware defense, and network architecture
  • SentinelOne endpoint protection deployed and centrally managed across the organization
  • DMARC, SPF, and DKIM implemented — protecting Diagnostic.ly's email domain from spoofing
  • Apple device fleet enrolled in device management — covering both executive and operational machines
  • Laravel application pentest underway — proactively identifying vulnerabilities before production

Culture & Awareness — Security From the Inside Out

  • Role-specific security awareness training completed across the organization
  • Phishing simulation program launched — giving the team realistic, low-stakes practice against real attack techniques
  • Security embedded into development practices through secure coding standards and application security training
  • A security-aware culture that now operates with independence and maturity

Strategic Leadership — From Reactive to Ahead of the Curve

  • Ongoing vCISO advisory giving David Shor and the executive team a trusted security voice in every major decision
  • Disaster recovery plan designed and in implementation — ensuring business continuity under adverse conditions
  • SIEM evaluation completed — cost-benefit analysis informing a disciplined, staged approach to tooling investment
  • Security repositioned from cost center to competitive differentiator — enabling enterprise client conversations

WHY THIS PARTNERSHIP WORKS

The Diagnostic.ly relationship works because it was never transactional. From the very first engagement, the goal was not to deliver a report and move on — it was to help a company understand the truth about its risk, and then do something about it. That honesty created the foundation for everything that followed.

David Shor's leadership style — direct, engaged, and unafraid of hard conversations — has made him an ideal partner. He asks the right questions, holds his team accountable, and has consistently shown the willingness to invest in security as a genuine business priority, not a checkbox.

On our side, the consistency of engagement, the depth of expertise, and the willingness to grow with the client rather than simply renew contracts has kept the relationship strong. Five years in, we know Diagnostic.ly's business. We know their risks. We know their ambitions. That institutional knowledge is irreplaceable — and it is the most powerful thing we bring to the table.

LOOKING AHEAD

As Diagnostic.ly continues to scale in 2026 and beyond, the security program we have built together will scale with it. The frameworks are in place. The culture is embedded. The leadership is aligned. What comes next is building on a foundation that is, for the first time in the company's history, genuinely solid.

We are proud of what this partnership has produced — and we are even more excited about what it will produce next.