Healthcare organizations experience more data breaches per year than any other industry. The average cost of a healthcare data breach reached $9.77 million in 2024, and the reputational and operational damage frequently exceeds the financial cost. Most breaches are not sophisticated nation-state attacks. They are predictable, preventable failures in basic security controls. This checklist covers the 15 controls that would prevent the majority of them.
Control 1: Multi-Factor Authentication on All Remote Access
Single-factor authentication via username and password is insufficient for any system containing PHI or clinical operations technology. Compromised credentials are the leading initial access vector in healthcare breaches. MFA on all remote access, VPN connections, and cloud console access eliminates this attack vector for the vast majority of credential-based intrusions.
Implement: Require MFA for all accounts with remote access. Use authenticator apps or hardware tokens rather than SMS-based MFA, which is susceptible to SIM swapping. Disable the ability to bypass MFA for any account with PHI access.
Control 2: Endpoint Detection and Response (EDR) on All Devices
Traditional antivirus is signature-based and does not detect modern ransomware and fileless malware until after execution. EDR tools monitor endpoint behavior in real time and can detect and isolate threats before they propagate across the network. Healthcare organizations that deploy EDR across all endpoints reduce dwell time (the period between initial breach and detection) from weeks to hours.
Implement: Deploy EDR on all workstations, laptops, and servers. Ensure 24/7 monitoring with an alerting policy that notifies IT staff of high-severity detections immediately, not on a daily digest schedule.
Control 3: Network Segmentation
Clinical networks, administrative networks, and IoT medical devices should be on separate network segments with controlled communication between them. When ransomware enters through an administrative workstation, network segmentation prevents it from reaching clinical systems and EHR databases. When a connected medical device is compromised, segmentation prevents lateral movement to other systems.
Implement: Separate VLANs for clinical workstations, administrative workstations, medical devices, and servers. Firewall rules that explicitly permit only necessary cross-segment communication. A guest WiFi network that is completely isolated from clinical and administrative networks.
Control 4: Privileged Access Management
Administrative accounts with broad system access should be tightly controlled and monitored. Compromise of an administrative credential gives attackers access to all systems that account can reach. Just-in-time privileged access, where admin rights are granted only for the duration of a specific task, significantly limits the damage from compromised admin credentials.
Implement: Separate privileged accounts from standard user accounts. Require approval workflows for elevation to administrative access. Log all privileged access activity. Review privileged access quarterly and remove it when no longer needed.
Control 5: Email Security
Phishing remains the most common initial access vector in healthcare breaches. Email security controls that reduce the volume of malicious email reaching staff inboxes reduce the risk that one staff member makes a mistake that affects the entire organization.
Implement: Advanced email filtering with sandbox analysis for attachments and URL rewriting with real-time scanning for links. DMARC, DKIM, and SPF configured to prevent email spoofing. Regular phishing simulation training to build staff awareness. Procedures for staff to report suspicious emails without fear of disciplinary action for clicking a simulation.
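As an added illustration of the SPF and DMARC part of this control (not code from the original page), the script below grades the published TXT records the way a receiving mail server would read them. The records are constructed examples and the domain names are placeholders; DKIM is not covered because it needs the signing key in the selector record, not just a policy check.

```python
"""Evaluate SPF and DMARC posture from DNS TXT record text.

Added illustration for Control 5, not from the original page. Records are
constructed and domains are placeholders; a real check would fetch them via DNS.
"""
import re
from typing import Optional

def check_spf(record: str) -> list:
    """Findings for an SPF record; an empty list means acceptable."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        return ["SPF ends in +all: any host may send as this domain"]
    if last == "?all":
        return ["SPF ends in ?all (neutral): spoofed mail is not flagged"]
    if last == "~all":
        return ["SPF ends in ~all (softfail): relies on DMARC to enforce"]
    if last != "-all":
        return ["SPF has no terminating all mechanism"]
    return []

def check_dmarc(record: Optional[str]) -> list:
    """Findings for the _dmarc TXT record; None means no record published."""
    if record is None:
        return ["no DMARC record: receivers cannot enforce a spoofing policy"]
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", record)}
    if tags.get("v") != "DMARC1":
        return ["DMARC record malformed (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC policy is p={policy or 'missing'}: spoofed mail is not rejected")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

def assess(txt: dict) -> list:
    """Combine SPF and DMARC findings for one domain's record set."""
    return check_spf(txt.get("spf", "")) + check_dmarc(txt.get("dmarc"))

# Constructed records: a weak configuration and a hardened one.
WEAK = {"spf": "v=spf1 include:_spf.mailer.example ?all"}
HARDENED = {"spf": "v=spf1 include:_spf.mailer.example -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@clinic.example; pct=100"}
```

Running `assess(WEAK)` returns two findings (neutral SPF and no DMARC record) while `assess(HARDENED)` returns none, which is the posture this control asks for.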
Control 6: Patch Management
Unpatched vulnerabilities in operating systems, applications, and network devices are a reliable attack surface. The healthcare industry's complexity and uptime requirements make patching difficult, but a documented, risk-based patching policy is a HIPAA requirement and a fundamental security control.
Implement: Automated patch management for workstations and servers. Defined SLAs: critical vulnerabilities patched within 30 days, high within 90 days. A separate process for medical devices where standard patch management cannot be applied (manufacturer approval required, testing in isolated environment). An inventory of all unpatched systems with documented risk acceptance.
Control 7: Backup and Verified Recovery
The only effective response to a ransomware encryption event is restoration from clean backup. Many healthcare organizations have backup infrastructure but have never verified that their backups can actually be restored in a reasonable time. Untested backups are not backups.
Implement: Automated daily backups of all critical systems. Backups stored in a separate account or location that production administrative accounts cannot access (prevents ransomware from encrypting backups). Quarterly restore tests with documented results. RTO and RPO targets defined and tested. An offline or immutable backup copy for critical systems.
Control 8: Asset Inventory
You cannot protect systems you do not know exist. Shadow IT (systems deployed without IT knowledge), forgotten servers, and unmanaged devices are common breach entry points. A complete and current asset inventory is the foundation for every other security control.
Implement: Automated asset discovery scanning to identify all devices on your network, including IoT and medical devices. Documentation of each asset including owner, purpose, patch status, and access controls. A formal onboarding process that routes new hardware and software through IT before deployment.
Control 9: Access Reviews
User accounts accumulate access over time as job responsibilities change. Former employees whose accounts are not promptly disabled, current employees with access beyond their current role, and service accounts with excessive permissions are common sources of unauthorized access to PHI.
Implement: Offboarding procedures that disable accounts the day an employee departs. Quarterly access reviews comparing current access grants against current job roles. Service account inventories with defined owners. Automatic account expiration for contractor and temporary accounts.
Control 10: Vulnerability Scanning
Regular vulnerability scanning identifies security gaps before attackers find them. Internal scans identify vulnerabilities on internal systems and networks. External scans simulate what an attacker on the internet can see and access.
Implement: Authenticated internal vulnerability scans monthly on all systems. Unauthenticated external scans on internet-facing services quarterly. Results tracked to remediation, not just documented. Annual penetration test conducted by a third party to validate scan findings and identify complex vulnerabilities.
Control 11: Incident Response Planning
An untested incident response plan provides false confidence. When a breach occurs, the time pressure, stress, and complexity of the situation make improvisation costly. Organizations with practiced response plans contain incidents faster, reduce data loss, and meet HIPAA breach notification requirements more reliably.
Implement: A written incident response plan covering ransomware, PHI breach, and insider threat scenarios. Defined roles and responsibilities for the incident response team. Emergency contact information for legal, cyber insurance, and regulatory notification requirements. Annual tabletop exercises that simulate realistic breach scenarios.
Control 12: Medical Device Security
Internet-connected medical devices (infusion pumps, imaging equipment, monitoring systems) are increasingly targeted by attackers because they often run outdated operating systems and cannot be patched without manufacturer support. They represent a growing attack surface in clinical environments.
Implement: Inventory of all networked medical devices including manufacturer, model, operating system, and connection type. Network segmentation that isolates medical devices from administrative and clinical workstation networks. Disable remote access capabilities on medical devices that do not require them. Vendor contracts that include security update commitments for new device purchases.
Control 13: Security Awareness Training
Technical controls reduce risk but cannot eliminate the human factor. Staff who recognize phishing, understand data handling requirements, and know how to report security concerns are a meaningful layer of defense.
Implement: Annual HIPAA security training for all staff with PHI access. Regular phishing simulations with targeted training for staff who click. Clear, accessible procedures for reporting suspected security incidents. A culture where reporting security concerns is encouraged and not met with blame.
Control 14: Vendor and Third-Party Risk Management
Business associates with access to your network or PHI extend your attack surface. Third-party vendors are a common breach vector because they often have network access without the same security controls as your internal systems.
Implement: Security questionnaires for all vendors with network access or PHI access. BAA requirements as a condition of any PHI access. Vendor access provisioned through controlled channels (VPN with MFA, not direct network access). Vendor access reviewed and deprovisioned when no longer needed. Notification requirements in vendor contracts for security incidents.
Control 15: Logging and Monitoring
Security controls that do not generate logs cannot be audited. Logs that are not monitored do not detect threats in time to contain them. Centralized logging with alerting on security events is the nervous system of your security operations.
Implement: Centralized log management collecting logs from authentication systems, network devices, servers, and applications. Retention of security logs for at least one year in active storage (longer for HIPAA documentation requirements). Alerts configured for high-priority security events with defined escalation procedures. Regular log reviews to identify trends that individual alerts might miss.
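As an added example of one high-priority alert rule over centralized authentication logs (not code from the original page), the script below flags a burst of failed logins from one source that is then followed by a successful login for the same account, a pattern that a daily digest would surface far too late. The log format, hostnames, usernames and addresses are constructed placeholders.

```python
"""Flag failed-login bursts followed by a success in centralized auth logs.

Added illustration for Control 15, not from the original page. Log lines use
a constructed, simplified format; hosts, users and addresses are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(line):
    """Return a dict for a recognized auth line, or None to skip it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when a (user, source) pair accumulates >= threshold failures
    inside the window and the same pair then logs in successfully."""
    failures = defaultdict(list)  # (user, src) -> failure timestamps
    alerts = []
    for ev in filter(None, map(parse, lines)):
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAILED":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "failures": len(recent), "success_at": ev["ts"]})
        failures[key].clear()  # a success ends the burst either way
    return alerts

# Constructed sample: six failures then a success for one account, and a
# single typo-then-success for another that should not alert.
SAMPLE_LOG = [
    f"2024-03-01T08:0{i}:00 ehr-app01 auth: FAILED user=jdoe src=198.51.100.7"
    for i in range(6)
] + [
    "2024-03-01T08:07:30 ehr-app01 auth: SUCCESS user=jdoe src=198.51.100.7",
    "2024-03-01T08:10:00 ehr-app01 auth: FAILED user=asmith src=203.0.113.9",
    "2024-03-01T08:11:00 ehr-app01 auth: SUCCESS user=asmith src=203.0.113.9",
]
```

In a real deployment the alert dict would be handed to the escalation procedure this control calls for, and the threshold and window tuned per system so routine typos do not page anyone.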
For help implementing these controls in your healthcare organization's IT environment, review our healthcare IT security service or schedule a security assessment.
Futureaiit