Skip to main content
Vantyris

For UK clinics & private practices

Patient data on your booking system. Who can see it from outside?

Vantyris scans your clinic's website and booking-system domain the way an attacker would — email impersonation, exposed admin pages, missing privacy notice, pre-consent trackers — then writes a plain-English report you can forward to your web host or your insurer. From £10. No contracts. UK-based, UK-GDPR aligned.

The reality

What we hear from clinic owners

01

Patient data on the booking system, and no idea who can see it from outside.

02

An ICO information notice would feel impossible to respond to without help.

03

Your insurer asked about cyber security at PI renewal and you don't have a good answer.

04

Your website builder set up Google Analytics three years ago. You have no idea whether it's loading before patients accept the cookie banner.

What a typical clinic scan surfaces

One finding, shown in plain English.

Every finding in your Vantyris report is shaped the same way: what it means for your business, how to fix it, who to ask, and the technical evidence one tap below.

high

Anyone can send email pretending to be from your clinic

Your booking-system domain is missing the DMARC record that tells receiving servers to reject impersonated email. Right now a scammer can send a fake appointment-reminder from your clinic's address to a patient's inbox and the inbox will treat it as legitimate. This is the most common phishing path against clinics — and the easiest one to fix.

How to fix it

Add a single DNS TXT record at _dmarc.your-clinic-domain. The exact text to paste is in the report's Exact Fix section, with the Cloudflare / GoDaddy / 123-Reg panel paths. About 30 minutes of work, including the wait for DNS propagation. The Vantyris report ships a copy-paste version of the record so your web host doesn't have to interpret anything.

Why clinics buy Vantyris

Plain-English first, technical detail second

Every finding leads with what it means for the clinic (e.g., 'a scammer can send fake appointment reminders that look real to your patients'). The technical evidence — the exact DNS record, the HTTP header, the failing TLS handshake — sits one click below for whoever runs your IT. Nothing your reception team can't make sense of.

A one-page Executive Summary for the partner

Every verified report opens with a one-page executive summary aimed at non-technical readers: headline grade, top three biggest wins, projected score after fixes, plus a 'Business impact in plain English' table that maps each finding to its commercial risk (regulatory complaint, brute-force exposure, deliverability drop). The partner reads page two; the IT contractor reads page seven onward.

Continuous monitoring with alerts only on what matters

Enrol the clinic's website in weekly re-scans. Vantyris emails you only on three things: a new high or critical finding, a security-score drop of ten points or more, or a TLS certificate inside fourteen days of expiry. No daily noise, no false-alarm fatigue, no '8am Monday inbox is full of scanner reports' problem.

Privacy posture an ICO information notice would ask about

Vantyris's Privacy category checks the lightweight surface a regulator would notice first — pre-consent trackers loading before the visitor clicks Accept, a cookie banner missing the EDPB-required visible Reject button, Google Consent Mode v2 absent, no privacy policy link in the footer. These are the patterns the ICO's 2023 sweep targeted.

Nine-axis coverage with a Fix Roadmap, not a wall of findings

The report scores your clinic site on nine independent axes. Every actionable issue lands in a Today / This Week / Later bucket, grouped within by who fixes it (web host / developer / DNS admin / domain registrar). One list per person — no scrolling past anyone else's work. Items that need confirmation rather than action (a shared CDN edge listed on Spamhaus, an inventory item expected for the platform) sit in their own Acknowledged section so the report doesn't read as an emergency over informational notes.

A trust page for patients and inspectors

Turn on a public trust page at /trust/<your-clinic-slug>. It shows your current grade, the nine-axis category-coverage grid, and the controls verified by external scanning. Put the URL on your privacy notice, your PI renewal form, or your CQC submission. The visitor checks for themselves — you don't have to email a stale PDF every twelve months.

Forwardable PDF in four layouts

The same scan downloads as a full editorial report, a single-page executive summary, a single-issue work order to forward to your web host, or a compliance pack sized for an auditor / regulator. Same paper-cream layout, suitable for the regulator's file.

We have no clinic testimonials to publish until real customers consent to being case-studied. Until then, we'd rather ship nothing than ship something fake.

Long read

12-minute read

The 12-item cyber hygiene checklist for UK clinics, in priority order.

Plain-English playbook for clinics, written by the Vantyris editorial team. Specific, opinionated, not a generic checklist.

Read the full playbook →

FAQ for clinics

Common questions from clinic owners

Does this make my clinic UK-GDPR or Cyber Essentials compliant?

No, Vantyris does not certify you compliant with any formal framework. Every verified report includes a Cyber Essentials A1-A5 alignment section showing which NCSC controls each finding informs, which is a useful starting point for any ICO-facing or insurance-facing conversation. The certification itself requires an assessor; Vantyris shows you what an external scanner can speak to and what needs internal evidence.

Will the scan slow my booking system down?

No. The scan reads what's already publicly visible about your site — DNS records, response headers, certificates, a small set of common path probes with a 4-second timeout. It doesn't try to log in, doesn't probe for hidden services, doesn't run brute-force, doesn't fuzz. Real-world clinics never see performance impact.

Can I show this to my professional indemnity insurer?

Yes. Three options: email them the PDF (compliance pack layout is sized for this), send them a time-limited share link they can open in a browser (watermarked with their name if you like), or hand them the URL of your public trust page. Many PI policies now ask for evidence of an external scan in the past 12 months; any of these counts.

What about the ICO's cookie sweep — does Vantyris check for that?

Yes. The Privacy category checks pre-consent tracker loading, cookie-banner reject-parity (the EDPB requirement that rejecting is as easy as accepting), Google Consent Mode v2 presence when Google trackers are detected, and the visible privacy-policy link. These are the patterns the ICO's 2023 sweep flagged on the top 100 UK sites and is following up on for SMEs by complaint.

What if a regulator asks about a specific control?

Open the verified report, scroll to the Cyber Essentials alignment section, find the relevant control row. It lists every finding that touches that control with its severity, and tells you whether the area is covered, has gaps, or is one that external scanning cannot speak to (those need internal evidence like endpoint posture or staff training).

What if I don't have a 'developer'?

Most fixes are at your web host's panel. The report names the action plainly enough to forward to your host's support team — and ships an exact copy-paste snippet for the common fixes (DMARC, HSTS, blocking /readme.html, locking down WordPress REST API users). You can also assign a finding to your host's support email directly from the report; Vantyris keeps the audit trail of when it went out and who responded.

More questions? Full FAQ.

Ready when you are.