← Back to Blog

10 HIPAA Security Tips Your Practice Can Actually Implement This Week

Small, Done Beats Big, Someday

The reason HIPAA security stalls in most practices is not laziness — it is scale. The advice is framed as enormous projects ("implement a security program"), so it never starts. But the breaches that actually happen rarely exploit the absence of some grand program. They exploit small, specific, fixable gaps: a shared password, an account that was never disabled, a backup nobody tested. Close enough of those and you have meaningfully reduced your risk, regardless of how mature the rest of your program is. Here are ten you can finish this week.

1. Turn On Multi-Factor Authentication Everywhere It Exists

If you do one thing on this list, do this. Credential theft — not exotic hacking — is the initial access vector behind a large share of healthcare breaches. MFA defeats a stolen password. Start with the highest-value accounts: email, the EHR, remote access, and any cloud administrative console. Most platforms have it built in and switched off by default. Switching it on is a settings change, not a project.

2. Find and Kill Shared Logins

The "front desk" account that three people use. The admin password taped under a keyboard. Shared credentials destroy accountability — when something happens, your audit logs cannot tell you who. Make a list of every shared login this week and start converting them to individual accounts. You cannot investigate, and you cannot honestly attest to access controls, while shared logins exist.

3. Disable One Departed Employee's Account

Pull your active-account list and compare it to your current staff roster. Almost every practice that does this finds at least one account belonging to someone who left months ago — a standing, unmonitored door into your systems. Disable it today. Then make same-day access revocation part of your offboarding so it never recurs.

4. Verify Your Backups Actually Restore

A backup you have never tested is a hope, not a control. This week, pick one critical system and actually restore a file from backup to confirm the process works and the data is intact. Ransomware is the dominant threat in healthcare, and a tested, offline backup is the difference between a bad week and a closed practice. Confirm the backup is isolated enough that ransomware cannot encrypt it too.

5. Patch Your Internet-Facing Systems First

You cannot patch everything at once, so start where attackers start: anything reachable from the internet — firewalls, VPNs, remote-access tools, public-facing servers. Check each for available updates and apply them. These are the systems that show up on the CISA KEV catalog being actively exploited, and they are your perimeter.

6. Lock Your Screens Automatically

An unattended, unlocked workstation in an open clinical area is an unauthorized-access incident waiting to happen. Set screens to lock automatically after a few minutes of inactivity, on every device. It is a group-policy or settings change you can push this week, and it closes one of the most common and most preventable physical-access gaps.

7. Inventory Where PHI Actually Lives

You cannot protect data you have lost track of. Spend an hour listing every place PHI actually resides — the EHR, yes, but also email, scanned documents, that old server in the closet, staff phones, cloud drives, and any spreadsheet someone exported "just to work on at home." The exercise almost always surfaces a copy of PHI nobody was protecting because nobody remembered it existed.

8. Confirm You Have a BAA for Every Vendor That Touches PHI

List your vendors. For each one that creates, receives, maintains, or transmits PHI on your behalf, confirm you have a signed business associate agreement on file. Missing BAAs are a perennial enforcement finding and a five-minute discovery exercise. If one is missing, that is this week's follow-up call.

9. Send a Phishing Reminder — and Make It Specific

Phishing is how credentials get stolen, and credentials are how breaches start. You do not need a formal campaign this week to make progress — a short, specific reminder to staff about the exact lures targeting healthcare (fake EHR login pages, urgent "IT" requests, payment-change emails) keeps awareness fresh. For lasting change, build it into recurring training that changes behavior rather than a once-a-year video.

10. Write Down Who to Call at 2 A.M.

If you discovered a breach tonight, would your staff know who to notify and in what order? Create a one-page incident contact sheet: who declares an incident, who calls the IT provider, who handles legal and notification obligations, and the after-hours numbers for each. The middle of a crisis is the worst time to be searching for a phone number. This is the cheapest control on the list and one of the most valuable.

The Compounding Effect

None of these ten is dramatic on its own. But together they close the exact gaps that the breach data and the 2026 enforcement record keep pointing to: stolen credentials, stale access, untested backups, unpatched perimeters, and unowned data. Do these this week, and next week you will be measurably harder to breach than you are today — which is the only metric that ultimately matters.

Related Reading

Call to Action

Want a running checklist that tracks all of this for you — and proves you did it? Schedule a walkthrough of HIPAA Security Suite, or take the 3-minute readiness quiz to see which of these ten gaps is your biggest right now.

Ready to simplify your HIPAA compliance?

See how HIPAA Security Suite can protect your organization.

Request a Demo