The Digital Strategikon
Insights for the defenders of healthcare IT
Strategy, cybersecurity, and operational wisdom — drawn from the field and from a thousand years of defense-in-depth thinking.
MFA for Healthcare: Where It Matters Most and Where Clinics Get It Wrong
Multi-factor authentication is the single highest-leverage security control a medical or dental practice can deploy. Here is where it matters most — and the gaps that quietly leave clinics exposed.
Read the essayThe Healthcare Employee Offboarding Checklist Nobody Runs on Time
When a healthcare employee leaves, their access should leave too. A practical same-day offboarding checklist to revoke ePHI access before it becomes a gap.
The Medtronic ShinyHunters Breach: What Small Practices Should Learn
A data-extortion group claims 9 million Medtronic records — yet the devices stayed safe. Here is what a small healthcare practice should learn from the breach.
Anubis Ransomware Is Exploiting Citrix Bleed 2: What to Check
Anubis ransomware is exploiting Citrix Bleed 2 (CVE-2025-5777) and abusing remote-support tools to reach healthcare. What a small practice should check now.
How to Secure Remote Access Tools in a Healthcare Practice
A plain-English guide to securing remote access tools in a small healthcare practice: what you have, how attackers abuse them, and how to harden them.
Do I Have to Report a HIPAA Breach? A Small Practice's Guide
Who to notify, what counts as a reportable breach, and the 60-day clock. A plain-English guide to the HIPAA Breach Notification Rule for small practices.
The Xsolis Breach: When a Vendor's Phishing Email Becomes Your Problem
A phishing attack on healthtech vendor Xsolis exposed 1.4M people's data, including SSNs. Here is what it means for the small practices its customers serve.
When Your PHI Lives in a Vendor's Cloud App: Lessons From the iRhythm Breach
iRhythm disclosed a breach of patient data in third-party cloud apps via social engineering. What a small healthcare practice should actually do about it.
Who Secures Your Patient Data in the Cloud? The Shared Responsibility Model for Healthcare SaaS
A practical shared-responsibility guide for healthcare practices using SaaS: who secures the platform, what you must configure, and where HIPAA fits today.
Weave App Blank Screen on Meraki: A Content-Filtering Fix
When the Weave app loads a blank screen on a Meraki network, content filtering is usually the cause. A firsthand diagnosis, the allowlist fix, and a checklist.
Who Needs to Sign Your BAA? A Practical Guide for MSPs
Why 'conduit exempt' rarely applies to MSP vendors, which downstream tools actually need BAAs, and how to build a defensible healthcare vendor BAA program.
Check Point VPN Zero-Day: What Your Practice Should Do
A Check Point remote-access VPN flaw (CVE-2026-50751) is being exploited by Qilin ransomware affiliates. What a small healthcare practice should check now.
How to Secure Remote Access VPN for a Small Healthcare Practice
A plain-English guide to remote-access VPN security for small healthcare practices: why VPNs get breached, a hardening checklist, and when to move beyond a VPN.
Critical Windows Netlogon Flaw: Patch Your Domain Controller Now
A critical Windows Netlogon flaw (CVE-2026-41089) is reportedly being exploited against domain controllers. What a small healthcare practice should check now.
When a Dental Benefits Vendor Is Breached: What Practices Should Do
DentaQuest confirmed a breach exposing 2.6 million accounts. Here is what a small dental or medical practice should actually do when a benefits vendor is hit.
Email Security for Healthcare Practices: Stopping Phishing
How to stop phishing emails at a small medical or dental practice: SPF, DKIM, DMARC, staff triage, and a layered email-defense framework you can actually run.
AI in Dentistry and Oral Surgery: The HIPAA Questions to Ask First
AI helps dental and oral surgery practices — but feeding patient data to a consumer AI model without a BAA is a HIPAA problem. How to adopt AI safely.
Device Code Phishing Is Bypassing MFA: What Small Practices Should Do
Device code phishing hijacks Microsoft 365 mailboxes without stealing a password — and standard MFA doesn't stop it. What it means for healthcare practices.
Vendor Risk Management for Small Healthcare Practices
Your patient data flows through dozens of outside companies. A practical way for a small practice to manage third-party and vendor risk on a real budget.
Beyond 3-2-1: Why Healthcare Practices Need a 3-2-1-1-0 Backup Strategy
The 3-2-1 rule was the gold standard for decades. Modern ransomware exposed its weakness. Here is why healthcare practices need to move to 3-2-1-1-0 — and how to know your backups will actually work when everything goes wrong.
Why Guest Wi-Fi Should Never Touch Your Clinical Network
A flat network is a quiet liability. Here is why network segmentation — keeping guest Wi-Fi, patient devices, IoT, and medical equipment away from clinical systems — is one of the most important architecture decisions a practice makes.
Cyber Insurance, HIPAA, and the New Baseline for Healthcare Security
Cyber insurers now expect MFA, EDR, tested backups, patching, incident response, and vendor oversight before they'll write a policy. The good news: those same controls map directly to HIPAA expectations.
HIPAA Security Rule 2026: What Small Medical and Dental Practices Need to Know Now
There are two layers to the HIPAA Security Rule landscape in 2026: the current enforceable rule and a proposed update from HHS. Here is a calm, practical breakdown of what's required today and what's coming.
Why Your HIPAA Risk Analysis Cannot Be a Checkbox Exercise
A HIPAA risk analysis is not a form to fill out once a year. It's a structured process of technical discovery, ePHI mapping, vulnerability assessment, and remediation tracking — and the difference matters when OCR comes asking.
Where Is Your ePHI? A Practical Guide to Asset Inventories and Network Maps
Most clinics dramatically underestimate how many systems touch protected health information. A current asset inventory and network map are the foundation of security — and an expected control under the proposed HIPAA rule.
The 72-Hour Recovery Conversation Every Healthcare Practice Should Have
If your systems went down right now, how would you still see patients? A practical look at downtime, backups, EHR access, phones, imaging, claims, prescriptions, and emergency-mode operations.
Encryption at Rest and in Transit: What That Actually Means for a Doctor's Office
Encryption sounds technical, but for a practice it comes down to concrete questions about laptops, servers, email, backups, cloud storage, VPNs, and messaging. Here's what the terms actually mean for you.
HIPAA Incident Response: What Happens in the First 24 Hours Matters
When a security incident hits a practice, the first 24 hours shape everything that follows. A practical guide to reporting paths, containment, escalation, insurer notice, evidence handling, and keeping patient care going.
Business Associates, BAAs, and MSPs: Who Is Responsible for What?
A signed Business Associate Agreement does not magically make a vendor secure. Here's what a BAA actually does, what it doesn't, and why your practice still needs real oversight and documentation.
The Digital Strategikon: Origins and Historical Significance
How a 6th-century Byzantine military manual on defense-in-depth and layered fortification maps perfectly onto modern cybersecurity doctrine.
Modern IT Operations: Best Practices for 2025
A practical framework for healthcare practices to manage IT operations in 2025 — monitoring, automation, patching, and building resilience without an enterprise budget.
HIPAA Compliance for Small Clinics: A Practical Guide
A plain-English breakdown of HIPAA's four rules, what they mean for small practices, and where to focus your compliance energy first.
EDR vs. Traditional Antivirus: What Should Your Organization Choose?
Traditional antivirus catches known threats. EDR catches what antivirus misses. Here's what the difference means for a healthcare practice in 2025.
Cost Optimization in Cloud and On-Premises IT: A Strategic Approach
Healthcare practices often overpay for IT infrastructure or underpay in ways that create risk. Here's how to find and close those gaps strategically.
VoIP Reliability and Call Quality: Engineering Excellence for Healthcare
Poor call quality in a healthcare practice isn't just an annoyance — it disrupts patient communication and erodes trust. Here's how to engineer VoIP that actually works.
Security Awareness Training That Actually Works: Beyond Click-Through Compliance
Annual click-through training satisfies an auditor but doesn't change behavior. Here's what security awareness that actually reduces risk looks like in a healthcare practice.
Building a Secure Remote Work Stack: Beyond VPN and Hope
A VPN alone doesn't make remote work secure. Here's how healthcare practices can build a remote access architecture that protects ePHI without destroying the user experience.
No articles match your search.