Security runs through everything we do.
We've been building healthcare software since 2003 — exclusively. That means 23+ years of navigating HIPAA, state privacy laws, and the compliance requirements specific to each client's market, with a dedicated CISO on the program and a clean breach record throughout.
How we approach security
Four disciplines, running concurrently across every production application.
Each of these disciplines runs in parallel with the others and depends on them. A gap in any one of them creates exposure in all of them.
Hosting & infrastructure
HIPAA-compliant AWS infrastructure with PHI encryption at rest and in transit, private network architecture, and a BAA on every engagement.
Active cybersecurity
Automated penetration testing, static code analysis, web application firewall, and continuous threat intelligence running against every production application.
Authentication (MWE Auth)
HIPAA-compliant authentication platform supporting SSO, SAML, OAuth 2.0, and OpenID Connect — built in-house and maintained as a living product.
Maintenance & compliance upkeep
We hold the compliance posture for the life of the build — not just through launch. Regulations update. Dependencies age. We stay current so you don't have to.
Security leadership

Pablo Bullian
CISO — MWE since 2017
The person accountable for your data.
Pablo has led security at MWE since 2017, first as Security & Infrastructure Manager, then as CISO. His work is exclusively focused on healthcare — HIPAA, U.S. patient data, and the PHI systems that require it.
He also directs the Cybersecurity Engineering program at one of Europe's leading engineering schools, where he designs curriculum and teaches web, systems, and cloud security, including classical and post-quantum cryptography.
How we apply compliance
A compliant server running a non-compliant workflow is still a liability.
We assess compliance at both levels — infrastructure and application — because most violations don't originate in the server room. They originate in the code.
HIPAA-compliant AWS architecture with encryption at rest and in transit, private network design, database environment isolation, continuous monitoring, and a Business Associate Agreement on every engagement — before a line of code is written.
Compliance is evaluated per feature and per workflow change. Our security program flags application-level concerns — not just infrastructure ones — at each stage of development and deployment.
Active cybersecurity
Tested continuously. Not just at launch.
Automated tooling and specialist review run against every production application on an ongoing basis — not scoped to a launch window.
Automated penetration testing
Dynamic testing of applications and APIs against modern attack techniques — integrated into the CI/CD pipeline so every release is tested before it reaches production.
Static application security testing
AI-powered source code analysis scanning for unsafe methods, outdated dependencies, and known vulnerability patterns before code ships.
Web application firewall
Real-time monitoring and filtering of HTTP traffic — guards against SQL injection, cross-site scripting, CSRF, and other application-layer attacks.
Threat intelligence & alerting
Our SOC monitors emerging vulnerabilities continuously. Organizations are alerted to threats relevant to their specific technology stack — not generic advisories.
Priority disaster recovery
Advanced Cybersecurity Package clients are prioritized in the recovery queue during regional outages, reducing downtime exposure during worst-case scenarios.
Targeted threat mitigation
Attack-specific mitigation, data integrity monitoring, and retrospective reporting — so you understand exactly what happened and how it was resolved.
Maintenance & compliance upkeep
A healthcare application that was compliant at launch can drift — and usually does.
Regulations update. Dependencies age. Vulnerabilities get disclosed. Ongoing maintenance is what keeps your security posture current over time.
Proactive
We monitor scalability issues and dependency risk across supported applications, flagging recommendations before problems surface — not after.
Corrective
Bugs on supported platforms are addressed as part of the ongoing maintenance relationship, not invoiced as separate line items.
Adaptive
When HIPAA, ADA, or CCPA guidance updates, we analyze your obligations and propose solutions — so you're not caught off-guard by regulatory shifts.
Dependencies & patches
Dependencies are updated as part of the maintenance cycle. Security patches and OS-level zero-day fixes are included.
Average client partnership
The people who maintain your application understand it at a level that's hard to replicate elsewhere. They know the architecture decisions, the edge cases, and the history behind every workflow.
Compliance coverage
We work to the regulations your organization is accountable to.
HIPAA and HITECH are the baseline for every engagement. Additional obligations — state privacy laws, international frameworks, product-type requirements — are advised on and built to as they apply.
United States & Americas
- HIPAA · HITECH
- CCPA / CPRA
- ADA / WCAG
- SOC 2
- NIST CSF 2.0
- 42 CFR Part 2
- PIPEDA
- LGPD (Brazil)
International
- GDPR
- PDPL (Saudi Arabia)
- APPI (Japan)
- Privacy Act (AU / NZ)
- PDPA (Singapore)
Related services
We host what we build. We can also host what we didn't.
Inherited applications that concern you
We assess, stabilize, and take long-term ownership of applications not originally built by MWE — whether AI-generated, externally developed, or inherited through acquisition. Start with a compliance posture assessment.
Authentication you don't have to own
HIPAA-compliant authentication platform providing user management, SSO, two-factor authentication, and access control — running in production and available to select external partners.
Tell us what you're working on.
Most good projects start with a conversation. If you have materials — requirements, diagrams, vendor documents, notes — send them over. We'll review them before we talk.