Back to all insights
Network SecurityRemote WorkHIPAASecurity RuleHealthcare

How to Secure Remote Access VPN for a Small Healthcare Practice

Edward Stratton · · 11 min read

The Quiet Workhorse That Became a Target

For most small practices, the remote-access VPN started as a convenience. A provider wanted to finish notes from home. The billing manager needed to reach the practice management system on a snow day. Someone set up a VPN, it worked, and everyone moved on. Years later, that same VPN is often the single most exposed, least-watched part of the network — an always-on door to ePHI that sits on the public internet, waiting for anyone who knows the address.

Attackers know the address. Edge devices like VPN gateways and firewalls are among the most reliably exploited entry points in healthcare ransomware, precisely because they are internet-facing, frequently unpatched, and trusted once you are through them. The point of this guide is not to scare you off remote access — your practice legitimately needs it. It is to show you, in plain English, how to secure remote access VPN for a small medical practice without an enterprise budget or a full-time security team.

We will cover why VPNs get breached, a concrete hardening checklist you can hand to your IT provider, how to decide between a traditional VPN and newer zero-trust access, and where all of this fits in your HIPAA obligations.

How to Secure Remote Access VPN for a Small Practice: The Short Version

If you remember nothing else: inventory every way into your network, patch the VPN gateway first, require multi-factor authentication for every remote login, retire deprecated protocols, segment what sits behind the tunnel, and watch the logs. The rest of this guide explains why each of those matters and how to do them on a small-practice budget. None of it requires an enterprise security team — most of it is configuration and discipline.

A VPN does one job well: it creates an encrypted tunnel. It was never designed to decide who should be trusted once they are inside — and that gap is where most remote-access breaches happen.

Why Remote-Access VPNs Get Breached

If you understand the handful of ways VPNs actually fail, the rest of this guide becomes obvious. Breaches almost always trace back to one of these:

Unpatched gateway software

VPN appliances run software, and that software has vulnerabilities. When a vendor discloses a critical flaw, attackers reverse-engineer the patch within days and scan the entire internet for devices that have not updated. A small practice that patches its laptops but forgets the VPN appliance is leaving the most valuable door unlocked. This is the most common cause of edge-device compromise, full stop.

Stolen or weak credentials

If your VPN accepts a username and password alone, a single phished or reused credential is enough to log in as a legitimate user. Healthcare staff reuse passwords like everyone else, and credential-stuffing tools test stolen logins by the million. Without a second factor, the VPN trusts whoever types the right string.

Deprecated protocols and legacy clients

Older VPN configurations support outdated authentication protocols and legacy client software for backward compatibility. Those legacy paths are frequently where vulnerabilities live, and where attackers aim. A configuration that “just works” because it accepts everything old is a configuration that accepts attackers, too.

Flat networks behind the tunnel

This one turns a small problem into a catastrophe. If your VPN drops a remote user onto the same network as your servers, backups, and clinical workstations — with no internal segmentation — then one compromised VPN session reaches everything. The breach stops being “someone got in” and becomes “someone got in and could touch the entire practice.”

No monitoring

A VPN login at 3 a.m. from an unfamiliar country is the kind of event that should raise a flag. In many small practices, no one is looking. Attackers count on that silence; it is the difference between an incident caught in an hour and one discovered after the ransomware note appears.

A Remote-Access Hardening Checklist for Small Practices

Here is the practical core of this guide: a hardening checklist you can work through with your MSP or IT provider. It is ordered roughly by impact-per-effort, so even doing the first five materially raises the bar.

  1. Inventory what you actually have. Identify every remote-access path into the practice — the VPN appliance, any cloud VPN, vendor remote-support tools, and any “temporary” access someone set up and forgot. You cannot secure what you have not listed. This pairs directly with knowing where your ePHI lives through asset inventories and network maps.
  2. Patch the gateway on a schedule, and immediately for critical flaws. Treat the VPN appliance as your highest-priority patch target, ahead of ordinary workstations. Subscribe to your vendor’s security advisories so a critical bulletin reaches a human.
  3. Require multi-factor authentication on every remote login. No exceptions, including for owners and administrators. MFA is the single highest-value control for remote access, and phishing-resistant methods (passkeys, FIDO2 keys) are stronger than SMS or app codes — NIST’s digital identity guidance explicitly rates SMS-based one-time codes as a weaker (“restricted”) authenticator and points organizations toward phishing-resistant factors (NIST SP 800-63B). See MFA for healthcare and where it matters most.
  4. Retire deprecated protocols and legacy clients. Configure the VPN to use only modern authentication, and remove support for legacy remote-access clients you no longer use. Every legacy path you disable is attack surface you delete.
  5. Segment the network behind the VPN. Remote users should land in a restricted zone that can reach only what their role requires — not the flat network that contains your servers and backups. Segmentation is what keeps one breached session from becoming a practice-wide ransomware event. The same principle underlies why guest Wi-Fi should never touch your clinical network.
  6. Apply least privilege to remote accounts. A front-desk login does not need server access. Scope each remote account to the minimum systems and data its job requires, and remove access the day someone leaves.
  7. Enforce device health for connecting endpoints. A home laptop with no encryption, no patching, and no endpoint protection is a liability even over an encrypted tunnel. Where possible, require that connecting devices meet a baseline (disk encryption, current OS, active endpoint defense). Pair this with modern endpoint protection over legacy antivirus.
  8. Turn on logging and review it. Enable VPN connection logging and have someone — your MSP, ideally — review for anomalies: new accounts, impossible-travel logins, off-hours access, repeated failures. Alerting beats archiving.
  9. Set session limits and timeouts. Idle sessions should disconnect; concurrent sessions should be bounded. This shrinks the window an attacker has with a hijacked session.
  10. Decommission what you do not use. The most secure remote-access path is the one that no longer exists. Close vendor access after a project ends; remove dormant accounts and unused tunnels.

Working through this list does not require buying a new product. Most items are configuration and discipline — exactly the kind of “real protection, not subscription-only theater” a small practice deserves.

VPN or ZTNA: Which Does a Small Practice Need?

You may have heard that “the VPN is dead” and that everyone should move to Zero Trust Network Access (ZTNA). The honest answer for a small practice is more nuanced. A well-hardened VPN is perfectly defensible; a poorly configured anything is not. The real question is whether your situation has outgrown what a VPN does well.

The core difference: a VPN connects a device to a network and then largely trusts it. ZTNA connects a verified user and device to a specific application, re-checking trust continuously, and never exposes the broader network at all. ZTNA embodies “never trust, always verify”; a VPN, by design, grants broad network trust once you are through the tunnel.

ConsiderationTraditional remote-access VPNZero Trust Network Access (ZTNA)
What it connects you toThe network (broad access once inside)A specific application or resource only
Default trust modelTrust the device after authenticationVerify user + device continuously, per resource
Blast radius if compromisedPotentially the whole flat networkLimited to the specific app the session was scoped to
Internet exposureGateway is publicly reachable and scannableApps are not directly exposed; access is brokered
Best fitA few trusted staff reaching internal systemsMany users/contractors, cloud apps, or BYOD at scale
Effort to run wellModest, if you follow the hardening checklistHigher initial setup; often a subscription service

For a small practice with a handful of trusted staff and a few internal systems, a hardened VPN with MFA and segmentation is often the right, affordable choice. Consider ZTNA when you have more remote users than you can personally vouch for, significant contractor or vendor access, a shift to cloud-hosted clinical apps, or a bring-your-own-device reality you cannot fully control. The decision is about exposure and scale, not hype — and you do not have to make it alone.

Where Remote Access Fits in the HIPAA Security Rule

Does a remote-access VPN satisfy the HIPAA Security Rule? A VPN is a useful tool, but no single product makes a practice compliant — the Security Rule is technology-neutral and risk-based, asking for administrative, physical, and technical safeguards working together, sized to your risk (HHS Summary of the HIPAA Security Rule). Remote access touches several of them directly:

  • Access control (technical safeguard): unique user identification, and access scoped to the minimum necessary. MFA, least privilege, and per-role scoping all serve this.
  • Transmission security (technical safeguard): protecting ePHI in transit. The VPN’s encrypted tunnel is part of this story, alongside encryption of the data itself.
  • Audit controls (technical safeguard): the logging and review step above is not optional housekeeping; it is the Security Rule expectation that you can see who accessed what.
  • Risk analysis (administrative safeguard): your remote-access setup should be evaluated in your risk analysis — what is exposed, how it could be exploited, and what you are doing about it. Remote access is a textbook entry on that register; see why risk analysis cannot be a checkbox.

In other words, securing remote access is not a side quest — it is one of the clearer places where good IT practice and the Security Rule line up. The goal is to strengthen your security posture and support your HIPAA Security Rule efforts; no vendor, including us, can promise a flaw-proof network.

Common Mistakes We See in the Field

A few patterns show up again and again in small-practice remote access:

  • “Set it and forget it.” The VPN was configured once, years ago, and never patched, reviewed, or re-scoped. Treat it as living infrastructure.
  • Shared accounts. A single “remote” login passed around the office defeats audit controls and least privilege. Every person gets their own account.
  • MFA for some, not all. Owners and “trusted” long-time staff are often the ones exempted — and the ones attackers most want. MFA is for everyone.
  • Vendor access left open. A software vendor or contractor was given remote access for a project that ended months ago. Close it.
  • No plan for a bad day. Even a well-secured VPN can be breached. Knowing what you would do in the first 24 hours of an incident is part of remote-access security, not separate from it.

The Byzantine Takeaway

Remote access is not the enemy — an unwatched, unpatched, over-trusted remote-access path is. The durable wins are unglamorous and affordable: inventory every path in, patch the gateway first, require MFA for everyone, retire legacy protocols, segment the network so one breach is not total, and actually look at the logs. Decide between a hardened VPN and ZTNA based on your real exposure and scale, not on marketing.

If you do only three things this week, do these: turn on MFA for every remote login, confirm your VPN appliance is fully patched, and check that a remote user cannot reach your backups directly. Those three changes shrink your most dangerous attack surface dramatically — and they are exactly the kind of practical, team-effort security a small practice can own. For the broader framework, start with our HIPAA Security Rule resource hub.

Have questions about your practice's security?

Book a free 30-minute consultation — no obligation, no jargon.

Talk to an expert

Continue reading

June 12, 2026·4 min read

Check Point VPN Zero-Day: What Your Practice Should Do

A Check Point remote-access VPN flaw (CVE-2026-50751) is being exploited by Qilin ransomware affiliates. What a small healthcare practice should check now.
June 12, 2026·4 min read

Critical Windows Netlogon Flaw: Patch Your Domain Controller Now

A critical Windows Netlogon flaw (CVE-2026-41089) is reportedly being exploited against domain controllers. What a small healthcare practice should check now.
June 5, 2026·4 min read

When a Dental Benefits Vendor Is Breached: What Practices Should Do

DentaQuest confirmed a breach exposing 2.6 million accounts. Here is what a small dental or medical practice should actually do when a benefits vendor is hit.