Healthcare IT Security

Medical Practice IT Security Checklist for 2026

This checklist covers the 20 IT security controls that matter most for medical practices in 2026, organized into six categories: Network Security, Access Controls, Device Management, Vendor Management, Incident Response, and Backup & Recovery. Each item includes a one-line description and the specific reason it matters for healthcare. Run through it with your IT team, check off what you've done, and flag what you haven't.

Network Security
4 items · Protects the infrastructure PHI travels across

Configure next-gen firewall with intrusion detection
Why it matters: A basic firewall only filters on addresses and ports. A next-gen firewall with intrusion detection inspects the content of traffic (including TLS traffic, where decryption is configured), blocks malware command-and-control (C2) callbacks, and alerts on anomalous traffic patterns. That early C2 stage is where most ransomware intrusions begin.

Segment Wi-Fi into clinical and guest networks
Why it matters: Waiting-room patients shouldn't share a network segment with EHR workstations. Network segmentation contains lateral movement: if a patient device is compromised, it cannot reach clinical systems.

Require VPN with MFA for all remote access
Why it matters: Remote work is standard in healthcare. Without a VPN that enforces MFA, a compromised home router or a stolen VPN credential gives attackers direct access to your clinical network, as happened in the Change Healthcare breach.

Disable unused ports and services on all servers
Why it matters: Every open port is a potential entry point. Run a quarterly port scan; if Telnet, RDP on non-standard ports, or legacy protocols are active without a business reason, close them. RDP is the most common ransomware vector for SMBs.
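As an added example for the quarterly port-scan step (this is not code from the original checklist), here is a small Python triage script. It parses nmap "grepable" (-oG) output, using a constructed sample rather than a real scan, and compares every open TCP port against a per-host table of approved ports with their documented business reason. RDP on any port, legacy cleartext protocols, and undocumented ports are flagged so the IT team has a concrete close-or-document list. The host names, addresses and the approved-port table are assumptions made for the demonstration.

```python
from dataclasses import dataclass

# Constructed sample in nmap "grepable" (-oG) format; not real scan output.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.20.0.5 (ehr-srv01)\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, 23/open/tcp//telnet///\tIgnored State: closed (997)
Host: 10.20.0.6 (file-srv01)\tPorts: 445/open/tcp//microsoft-ds///, 3390/open/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.20.0.7 (backup-srv01)\tPorts: 22/open/tcp//ssh///, 21/open/tcp//ftp///\tIgnored State: closed (998)
"""

# Assumed per-host approved ports, each with the documented business reason.
# Anything open that is not listed here needs a reason or gets closed.
APPROVED_PORTS = {
    "10.20.0.5": {443: "EHR web front end"},
    "10.20.0.6": {445: "clinical file shares"},
    "10.20.0.7": {22: "backup administration, key auth, VPN only"},
}

# Cleartext / legacy services that should not be running on a clinical network.
LEGACY_SERVICES = {"telnet", "ftp", "tftp", "rsh", "rlogin", "rexec", "finger"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    severity: str
    reason: str


def parse_grepable(text: str) -> list:
    """Return (host, port, service) for every open TCP port in nmap -oG output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]           # drop the "(hostname)" part
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")               # port/state/proto/owner/service/rpc/version/
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            if state == "open" and proto == "tcp":
                results.append((host, port, service))
    return results


def triage(scan_text: str, approved: dict) -> list:
    """Flag open ports that are risky or undocumented; approved, non-risky ports produce nothing."""
    findings = []
    for host, port, service in parse_grepable(scan_text):
        documented = approved.get(host, {}).get(port)
        if service == "ms-wbt-server":
            where = "the standard port" if port == 3389 else f"non-standard port {port}"
            findings.append(Finding(host, port, service, "high",
                                    f"RDP exposed on {where}; move it behind the VPN with MFA or disable it"))
        elif service in LEGACY_SERVICES:
            findings.append(Finding(host, port, service, "high",
                                    f"legacy cleartext protocol ({service}) running; disable the service"))
        elif documented is None:
            findings.append(Finding(host, port, service, "medium",
                                    "open port with no documented business reason; close it or document it"))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_SCAN, APPROVED_PORTS), key=lambda x: (x.severity, x.host, x.port)):
        print(f"[{f.severity.upper()}] {f.host}:{f.port} ({f.service}) - {f.reason}")
```

Feed it the `-oG` file from a real scan and keep the approved-port table under version control; the diff of that table from quarter to quarter is itself a useful record of what changed and why.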
Access Controls
4 items · Ensures only the right people see PHI

Enforce MFA on all accounts with EHR or email access
Why it matters: 81% of breaches involve compromised credentials. TOTP authenticator apps add minimal friction for a massive risk reduction. SMS-based MFA is better than nothing, but phishing-resistant FIDO2 keys are the target state.

Implement role-based access control (RBAC) on the EHR
Why it matters: Not everyone needs access to everything. A billing specialist shouldn't have access to clinical notes; a front-desk user doesn't need admin rights. RBAC enforces the minimum necessary standard HIPAA requires, and it limits the blast radius when an account is compromised.

Deprovision accounts within 24 hours of staff departure
Why it matters: Former employees with active credentials are a top cause of healthcare data breaches, particularly when the departure wasn't amicable. Tie the account lifecycle to your HR process, not to individual memory. Quarterly orphan-account audits catch what slips through.

Enforce strong password policy (12+ chars, no reuse)
Why it matters: Credential-stuffing attacks replay leaked password databases. If your staff reuse passwords from personal accounts, a leak from a site like LinkedIn becomes an EHR compromise. Enforce a password manager and block reuse across clinical systems.
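To make the deprovisioning and orphan-account audit items above concrete, here is an added Python example (not code from the original page) that reconciles a constructed HR roster export against a constructed directory export. It reports accounts still enabled past the 24-hour deprovisioning window, departed users whose window has not yet closed, and enabled accounts with no HR owner at all, and it notes any logon seen after the departure date. The column names, usernames, the "as of" time and the service-account list are assumptions for the demonstration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample HR roster export; termination_date is blank for current staff.
HR_ROSTER_CSV = """\
employee_id,name,username,termination_date
1001,Ana Ruiz,aruiz,
1002,Ben Okafor,bokafor,2026-03-02
1003,Chloe Ng,cng,2026-03-10
"""

# Constructed sample directory export (what an AD or EHR user-list export might look like).
DIRECTORY_CSV = """\
username,enabled,last_logon
aruiz,true,2026-03-10T08:15:00Z
bokafor,true,2026-03-08T17:40:00Z
cng,true,2026-03-09T12:00:00Z
dpatel,true,2026-02-20T09:00:00Z
svc-backup,true,2026-03-10T02:00:00Z
svc-old-fax,false,2025-11-01T00:00:00Z
"""

# Assumed: service accounts with no HR owner, documented separately.
KNOWN_SERVICE_ACCOUNTS = {"svc-backup"}

# The checklist's deprovisioning window, and a constructed "as of" time for the audit run.
DEPROVISION_SLA = timedelta(hours=24)
AUDIT_AS_OF = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)


def _parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; the trailing Z is rewritten so older Pythons accept it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_accounts(hr_csv: str, directory_csv: str, now: datetime,
                   sla: timedelta = DEPROVISION_SLA,
                   service_accounts: set = KNOWN_SERVICE_ACCOUNTS) -> list:
    """Return (username, status, detail) for every enabled account that needs attention.

    status is one of:
      orphan  - enabled account with no HR record at all
      overdue - owner has left and the deprovisioning window has passed
      pending - owner has left but the window has not yet closed
    """
    hr = {row["username"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(directory_csv)):
        user = row["username"]
        if row["enabled"].strip().lower() != "true" or user in service_accounts:
            continue                       # already disabled, or a documented service account
        rec = hr.get(user)
        if rec is None:
            findings.append((user, "orphan", "enabled account with no HR record; disable it and find an owner"))
            continue
        term = rec["termination_date"].strip()
        if not term:
            continue                       # current employee, nothing to do
        # Assumption: HR records the departure as a date; the clock starts at 00:00 UTC that day.
        left = datetime.fromisoformat(term).replace(tzinfo=timezone.utc)
        deadline = left + sla
        detail = f"left {term}; deprovisioning deadline {deadline:%Y-%m-%d %H:%M} UTC"
        last_logon = _parse_ts(row["last_logon"])
        if last_logon > left:
            detail += f"; logon seen after departure at {last_logon:%Y-%m-%d %H:%M} UTC"
        status = "overdue" if now > deadline else "pending"
        findings.append((user, status, detail))
    return findings


if __name__ == "__main__":
    for user, status, detail in audit_accounts(HR_ROSTER_CSV, DIRECTORY_CSV, AUDIT_AS_OF):
        print(f"{status.upper():8} {user:12} {detail}")
```

Run it from the same two exports each quarter; an "overdue" account that also shows a logon after the departure date is the case to escalate to the incident response contact rather than just disable.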
Device Management
3 items · Controls every endpoint that touches PHI

Require full-disk encryption on all devices
Why it matters: Lost or stolen unencrypted laptops are consistently one of the top breach categories reported to OCR. BitLocker (Windows) and FileVault (Mac) are built in and free, so there's no excuse for a PHI-bearing device without encryption. It's also a HIPAA Technical Safeguard requirement.

Isolate medical devices (PACS, monitoring) on dedicated VLANs
Why it matters: Medical imaging systems, infusion pumps, and patient monitors often run legacy operating systems that cannot be patched. If they sit on the same network as your EHR workstations, one vulnerable device becomes a pivot point for a full breach.

Create and enforce a written BYOD policy
Why it matters: Personal devices accessing clinical systems without a formal policy are the fastest-growing attack surface in small practices. Your BYOD policy should cover MDM enrollment requirements, screen-lock enforcement, and remote-wipe capability for anything that accesses ePHI.
Vendor Management
3 items · HIPAA holds you responsible for all PHI handlers

Maintain an active BAA inventory for every PHI-handling vendor
Why it matters: "We signed a BAA" is not the same as "the BAA is current." BAAs expire. Vendors get acquired. Business relationships change. An expired BAA with an active data connection is an active compliance liability, and OCR treats it the same as no BAA at all.

Complete annual security questionnaires for top-5 critical vendors
Why it matters: Change Healthcare's breach showed that a single unpatched Citrix gateway was the entry point. Your most critical vendors, those with broad network access or large PHI datasets, need a documented annual security review, even if it's just reviewing their SOC 2 report and noting it in your records.

Document vendor breach notification requirements and contacts
Why it matters: If a vendor gets breached, you need to know within hours, not days. Your BAAs should specify breach notification timelines (OCR requires you to account for all PHI, including PHI held by vendors). If you don't have a direct contact for your EHR vendor's security team, that's a gap.
Incident Response
3 items · The difference between a breach and a catastrophe

Write a one-page incident response plan with named contacts
Why it matters: HIPAA requires a written IR procedure. "We call our IT guy" isn't a plan. Your IR plan should name who makes containment decisions (with their personal cell number), who to call in the first hour (breach counsel, cyber insurance), and what you disconnect first. Test it annually in a 30-minute tabletop walkthrough.

Conduct annual phishing and incident response training for all staff
Why it matters: Phishing is the top initial attack vector in healthcare breaches. Staff need to know what a phishing attempt looks like, how to report it without clicking it, and what happens if they accidentally do. A 20-minute annual refresher cuts click-through rates dramatically, and it's one of HIPAA's required training specifications.

Know your OCR breach notification timeline (60 days from discovery)
Why it matters: The 60-day clock starts on the day you discover a breach, not when you confirm it. OCR has fined practices specifically for missing this window. If your IR plan doesn't account for the notification timeline and media outreach requirements, you're already behind when an incident occurs.
Backup & Recovery
3 items · The only thing that makes ransomware survivable

Encrypt all backups and store them offline or in immutable cloud storage
Why it matters: Ransomware operators specifically target backups first; if they encrypt your backups, the ransom goes up exponentially. Immutable cloud backups (AWS S3 Object Lock, Azure Immutable Blob) are the target state. Always-online network-attached backups are reachable by the same ransomware that hits your servers, so they remain a target.

Test restore procedures at least quarterly
Why it matters: A backup that can't be restored is no backup at all. Most practices discover their restore process is broken at the worst possible moment. A quarterly restore test into a test environment confirms that your backup chain works end-to-end and that your staff knows the process.

Document your RTO (Recovery Time Objective) and test to it
Why it matters: How long can your practice go without access to the EHR? 4 hours? 24 hours? Define it. For most outpatient practices, 24-48 hours of downtime is operationally catastrophic. If your restore process takes 72 hours and your RTO is 24 hours, you have a gap, and the gap isn't your backup: it's your RTO that was never set.
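As an added example covering the two items above, restore testing and testing to your RTO (this is not the page's own tooling), the following Python script shows the shape of a quarterly restore test: a SHA-256 manifest is recorded when the backup is taken, a restore into a scratch directory is timed and verified file by file against that manifest, and the elapsed time is compared with the documented RTO. The sample files, the `shutil.copytree` stand-in for the real backup and restore jobs, and the 24-hour RTO are constructed for the demonstration; a real test swaps in the practice's own backup tool and restores into an isolated test environment.

```python
import hashlib
import shutil
import tempfile
import time
from datetime import timedelta
from pathlib import Path

# Assumed RTO for the demonstration; the checklist asks you to define your own.
RTO = timedelta(hours=24)


def build_manifest(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by relative path.

    Record this when the backup is taken and keep it with the backup set, so that a
    restore can be verified against what was actually backed up.
    """
    return {
        path.relative_to(root).as_posix(): hashlib.sha256(path.read_bytes()).hexdigest()
        for path in sorted(p for p in root.rglob("*") if p.is_file())
    }


def verify_restore(manifest: dict, restored: Path) -> list:
    """Compare a restored tree to the manifest; an empty list means every file came back intact."""
    problems = []
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
            problems.append(f"checksum mismatch: {rel}")
    return problems


def restore_test(manifest: dict, restore_fn, target: Path, rto: timedelta) -> dict:
    """Time a restore into `target`, verify it, and compare the elapsed time with the RTO."""
    start = time.monotonic()
    restore_fn(target)                          # the practice's real restore job goes here
    elapsed = timedelta(seconds=time.monotonic() - start)
    problems = verify_restore(manifest, target)
    return {
        "verified": not problems,
        "problems": problems,
        "elapsed": elapsed,
        "within_rto": elapsed <= rto,
        "rto_gap": max(elapsed - rto, timedelta(0)),   # zero when the restore meets the RTO
    }


def demo() -> tuple:
    """Constructed scenario: one clean restore, and one where a file came back truncated."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "ehr-data"
        (source / "db").mkdir(parents=True)
        (source / "db" / "patients.db").write_bytes(b"constructed sample database contents\n" * 200)
        (source / "config.ini").write_text("[ehr]\nversion=1\n")

        manifest = build_manifest(source)        # taken at backup time
        backup = tmp / "backup-set"
        shutil.copytree(source, backup)          # stand-in for the real backup job

        good = restore_test(manifest, lambda t: shutil.copytree(backup, t),
                            tmp / "restore-good", RTO)

        def broken_restore(t: Path) -> None:
            shutil.copytree(backup, t)
            (t / "db" / "patients.db").write_bytes(b"truncated")   # simulate silent corruption

        bad = restore_test(manifest, broken_restore, tmp / "restore-bad", RTO)
        return good, bad


if __name__ == "__main__":
    for label, result in zip(("clean restore", "corrupted restore"), demo()):
        status = "PASS" if result["verified"] and result["within_rto"] else "FAIL"
        print(f"{label}: {status} in {result['elapsed']} (gap vs RTO: {result['rto_gap']}) {result['problems']}")
```

The manifest is the piece most practices skip: without it, a restore that "finishes without errors" but silently returns a truncated database looks like a pass. Keep the measured elapsed time from each quarterly run next to the documented RTO so the gap the checklist describes is visible in the record, not discovered during an incident.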

Not sure where your practice stands?

Stratavise's free technology risk assessment maps your IT security posture across all 20 of these controls and gives you a prioritized findings report, no IT team required.

Take the Free Assessment → Takes under 10 minutes · Instant prioritized report · No signup required