The Digital Strategikon

Insights for the defenders of healthcare IT

Strategy, cybersecurity, and operational wisdom — drawn from the field and from a thousand years of defense-in-depth thinking.

July 10, 2026·10 min read

The Healthcare Employee Offboarding Checklist Nobody Runs on Time

When a healthcare employee leaves, their access should leave too. A practical same-day offboarding checklist to revoke ePHI access before it becomes a gap.

Access ControlHIPAASecurity Rule
July 10, 2026·4 min read

The Medtronic ShinyHunters Breach: What Small Practices Should Learn

A data-extortion group claims 9 million Medtronic records — yet the devices stayed safe. Here is what a small healthcare practice should learn from the breach.

RansomwareNetwork SecurityHealthcare
July 3, 2026·4 min read

Anubis Ransomware Is Exploiting Citrix Bleed 2: What to Check

Anubis ransomware is exploiting Citrix Bleed 2 (CVE-2025-5777) and abusing remote-support tools to reach healthcare. What a small practice should check now.

Network SecurityRansomwareHealthcare
July 3, 2026·11 min read

How to Secure Remote Access Tools in a Healthcare Practice

A plain-English guide to securing remote access tools in a small healthcare practice: what you have, how attackers abuse them, and how to harden them.

Network SecurityRemote WorkHIPAA
June 30, 2026·11 min read

Do I Have to Report a HIPAA Breach? A Small Practice's Guide

Who to notify, what counts as a reportable breach, and the 60-day clock. A plain-English guide to the HIPAA Breach Notification Rule for small practices.

HIPAABreach NotificationCompliance
June 30, 2026·4 min read

The Xsolis Breach: When a Vendor's Phishing Email Becomes Your Problem

A phishing attack on healthtech vendor Xsolis exposed 1.4M people's data, including SSNs. Here is what it means for the small practices its customers serve.

HealthcareThird-Party RiskHIPAA
June 19, 2026·4 min read

When Your PHI Lives in a Vendor's Cloud App: Lessons From the iRhythm Breach

iRhythm disclosed a breach of patient data in third-party cloud apps via social engineering. What a small healthcare practice should actually do about it.

HealthcareThird-Party RiskHIPAA
June 19, 2026·11 min read

Who Secures Your Patient Data in the Cloud? The Shared Responsibility Model for Healthcare SaaS

A practical shared-responsibility guide for healthcare practices using SaaS: who secures the platform, what you must configure, and where HIPAA fits today.

CloudHIPAASecurity Rule
June 16, 2026·14 min read

Weave App Blank Screen on Meraki: A Content-Filtering Fix

When the Weave app loads a blank screen on a Meraki network, content filtering is usually the cause. A firsthand diagnosis, the allowlist fix, and a checklist.

Managed ITNetwork SecurityHealthcare
June 15, 2026·12 min read

Who Needs to Sign Your BAA? A Practical Guide for MSPs

Why 'conduit exempt' rarely applies to MSP vendors, which downstream tools actually need BAAs, and how to build a defensible healthcare vendor BAA program.

HIPAABAAVendor Risk
June 12, 2026·4 min read

Check Point VPN Zero-Day: What Your Practice Should Do

A Check Point remote-access VPN flaw (CVE-2026-50751) is being exploited by Qilin ransomware affiliates. What a small healthcare practice should check now.

Network SecurityRansomwareHealthcare
June 12, 2026·11 min read

How to Secure Remote Access VPN for a Small Healthcare Practice

A plain-English guide to remote-access VPN security for small healthcare practices: why VPNs get breached, a hardening checklist, and when to move beyond a VPN.

Network SecurityRemote WorkHIPAA
June 12, 2026·4 min read

Critical Windows Netlogon Flaw: Patch Your Domain Controller Now

A critical Windows Netlogon flaw (CVE-2026-41089) is reportedly being exploited against domain controllers. What a small healthcare practice should check now.

Patch ManagementWindows ServerHealthcare
June 5, 2026·4 min read

When a Dental Benefits Vendor Is Breached: What Practices Should Do

DentaQuest confirmed a breach exposing 2.6 million accounts. Here is what a small dental or medical practice should actually do when a benefits vendor is hit.

HealthcareThird-Party RiskPhishing
June 5, 2026·11 min read

Email Security for Healthcare Practices: Stopping Phishing

How to stop phishing emails at a small medical or dental practice: SPF, DKIM, DMARC, staff triage, and a layered email-defense framework you can actually run.

Email SecurityPhishingHIPAA
June 2, 2026·11 min read

AI in Dentistry and Oral Surgery: The HIPAA Questions to Ask First

AI helps dental and oral surgery practices — but feeding patient data to a consumer AI model without a BAA is a HIPAA problem. How to adopt AI safely.

HIPAAArtificial IntelligenceBusiness Associates
June 1, 2026·4 min read

Device Code Phishing Is Bypassing MFA: What Small Practices Should Do

Device code phishing hijacks Microsoft 365 mailboxes without stealing a password — and standard MFA doesn't stop it. What it means for healthcare practices.

HIPAAMFAPhishing
June 1, 2026·11 min read

Vendor Risk Management for Small Healthcare Practices

Your patient data flows through dozens of outside companies. A practical way for a small practice to manage third-party and vendor risk on a real budget.

HIPAAVendor RiskBAA
May 31, 2026·9 min read

Beyond 3-2-1: Why Healthcare Practices Need a 3-2-1-1-0 Backup Strategy

The 3-2-1 rule was the gold standard for decades. Modern ransomware exposed its weakness. Here is why healthcare practices need to move to 3-2-1-1-0 — and how to know your backups will actually work when everything goes wrong.

BackupData ProtectionRansomware
May 29, 2026·8 min read

Why Guest Wi-Fi Should Never Touch Your Clinical Network

A flat network is a quiet liability. Here is why network segmentation — keeping guest Wi-Fi, patient devices, IoT, and medical equipment away from clinical systems — is one of the most important architecture decisions a practice makes.

Network SecuritySegmentationHealthcare
May 26, 2026·8 min read

Cyber Insurance, HIPAA, and the New Baseline for Healthcare Security

Cyber insurers now expect MFA, EDR, tested backups, patching, incident response, and vendor oversight before they'll write a policy. The good news: those same controls map directly to HIPAA expectations.

Cyber InsuranceHIPAAHealthcare
May 21, 2026·9 min read

HIPAA Security Rule 2026: What Small Medical and Dental Practices Need to Know Now

There are two layers to the HIPAA Security Rule landscape in 2026: the current enforceable rule and a proposed update from HHS. Here is a calm, practical breakdown of what's required today and what's coming.

HIPAAComplianceSecurity Rule
May 16, 2026·9 min read

Why Your HIPAA Risk Analysis Cannot Be a Checkbox Exercise

A HIPAA risk analysis is not a form to fill out once a year. It's a structured process of technical discovery, ePHI mapping, vulnerability assessment, and remediation tracking — and the difference matters when OCR comes asking.

HIPAARisk AnalysisCompliance
May 12, 2026·8 min read

Where Is Your ePHI? A Practical Guide to Asset Inventories and Network Maps

Most clinics dramatically underestimate how many systems touch protected health information. A current asset inventory and network map are the foundation of security — and an expected control under the proposed HIPAA rule.

HIPAAAsset InventoryNetwork Map
May 7, 2026·9 min read

The 72-Hour Recovery Conversation Every Healthcare Practice Should Have

If your systems went down right now, how would you still see patients? A practical look at downtime, backups, EHR access, phones, imaging, claims, prescriptions, and emergency-mode operations.

Business ContinuityDisaster RecoveryHealthcare
May 2, 2026·8 min read

Encryption at Rest and in Transit: What That Actually Means for a Doctor's Office

Encryption sounds technical, but for a practice it comes down to concrete questions about laptops, servers, email, backups, cloud storage, VPNs, and messaging. Here's what the terms actually mean for you.

EncryptionHIPAAHealthcare
April 27, 2026·9 min read

HIPAA Incident Response: What Happens in the First 24 Hours Matters

When a security incident hits a practice, the first 24 hours shape everything that follows. A practical guide to reporting paths, containment, escalation, insurer notice, evidence handling, and keeping patient care going.

Incident ResponseHIPAAHealthcare
April 22, 2026·8 min read

Business Associates, BAAs, and MSPs: Who Is Responsible for What?

A signed Business Associate Agreement does not magically make a vendor secure. Here's what a BAA actually does, what it doesn't, and why your practice still needs real oversight and documentation.

HIPAABusiness AssociatesVendor Management
August 12, 2025·12 min read

The Digital Strategikon: Origins and Historical Significance

How a 6th-century Byzantine military manual on defense-in-depth and layered fortification maps perfectly onto modern cybersecurity doctrine.

HistoryStrategyByzantine
June 30, 2025·10 min read

Modern IT Operations: Best Practices for 2025

A practical framework for healthcare practices to manage IT operations in 2025 — monitoring, automation, patching, and building resilience without an enterprise budget.

IT OperationsMonitoringAutomation
June 14, 2025·8 min read

HIPAA Compliance for Small Clinics: A Practical Guide

A plain-English breakdown of HIPAA's four rules, what they mean for small practices, and where to focus your compliance energy first.

HIPAAComplianceHealthcare
May 31, 2025·7 min read

EDR vs. Traditional Antivirus: What Should Your Organization Choose?

Traditional antivirus catches known threats. EDR catches what antivirus misses. Here's what the difference means for a healthcare practice in 2025.

CybersecurityEDRAntivirus
May 14, 2025·9 min read

Cost Optimization in Cloud and On-Premises IT: A Strategic Approach

Healthcare practices often overpay for IT infrastructure or underpay in ways that create risk. Here's how to find and close those gaps strategically.

Cost OptimizationCloudInfrastructure
April 30, 2025·6 min read

VoIP Reliability and Call Quality: Engineering Excellence for Healthcare

Poor call quality in a healthcare practice isn't just an annoyance — it disrupts patient communication and erodes trust. Here's how to engineer VoIP that actually works.

VoIPHealthcareCommunications
April 14, 2025·8 min read

Security Awareness Training That Actually Works: Beyond Click-Through Compliance

Annual click-through training satisfies an auditor but doesn't change behavior. Here's what security awareness that actually reduces risk looks like in a healthcare practice.

Security TrainingCybersecurityHuman Factors
March 14, 2025·9 min read

Building a Secure Remote Work Stack: Beyond VPN and Hope

A VPN alone doesn't make remote work secure. Here's how healthcare practices can build a remote access architecture that protects ePHI without destroying the user experience.

Remote WorkSecurityVPN