HIPAA Security Rule

The HIPAA Security Rule, made practical

The Security Rule protects electronic protected health information (ePHI) through administrative, physical, and technical safeguards. This hub brings together everything a small medical or dental practice needs — what's required today, what the 2025 proposed update signals, and the concrete controls that actually move the needle — without the fearmongering.

The honest version: the current Security Rule remains in effect and enforced. A proposed update from HHS/OCR (published early 2025) signals where requirements are heading, but it is not yet law. Our goal here is to help you meet today's obligations and position sensibly for what's proposed — and to strengthen your security posture, not to scare you into a panic purchase.

Technical safeguards

The technical controls that protect ePHI in practice — access, encryption, monitoring, and segmentation.

May 31, 2026 · 12 min read

MFA for Healthcare: Where It Matters Most and Where Clinics Get It Wrong

Multi-factor authentication: where it matters most and common clinic mistakes.

Read article
May 2, 2026 · 8 min read

Encryption at Rest and in Transit: What That Actually Means for a Doctor's Office

What encryption at rest and in transit actually means for a doctor's office.

Read article
May 31, 2025 · 7 min read

EDR vs. Traditional Antivirus: What Should Your Organization Choose?

Modern endpoint defense vs. legacy antivirus.

Read article
May 29, 2026 · 8 min read

Why Guest Wi-Fi Should Never Touch Your Clinical Network

Network segmentation: keeping guest Wi-Fi away from clinical systems.

Read article
Jun 1, 2026 · 4 min read

Device Code Phishing Is Bypassing MFA: What Small Practices Should Do

How device code phishing bypasses MFA on Microsoft 365 — and how to shut it down.

Read article
Jun 5, 2026 · 11 min read

Email Security for Healthcare Practices: Stopping Phishing

A layered email-defense model — SPF/DKIM/DMARC, staff triage, and response — to stop phishing.

Read article
Jun 12, 2026 · 11 min read

How to Secure Remote Access VPN for a Small Healthcare Practice

Securing remote-access VPNs: why they get breached, a hardening checklist, and VPN vs. ZTNA.

Read article
Jun 19, 2026 · 11 min read

Who Secures Your Patient Data in the Cloud? The Shared Responsibility Model for Healthcare SaaS

The cloud shared-responsibility model — which SaaS security settings you must configure to protect ePHI.

Read article
Jul 17, 2026 · 12 min read

How to Audit Third-Party App Access to Your Healthcare SaaS

Connected apps and OAuth tokens can reach ePHI without triggering MFA — how to inventory, scope, and revoke third-party app access.

Read article
Jul 17, 2026 · 15 min read

HIPAA Audit Controls: Logging and Reviewing Who Accessed ePHI

Audit controls: logging and actually reviewing who accessed ePHI — the required safeguard practices most often leave half-done.

Read article
Jul 3, 2026 · 11 min read

How to Secure Remote Access Tools in a Healthcare Practice

RMM and remote-support tools are a top attacker pathway — how to inventory, harden, and monitor remote access to ePHI.

Read article
Jul 3, 2026 · 4 min read

Anubis Ransomware Is Exploiting Citrix Bleed 2: What to Check

Citrix Bleed 2 (CVE-2025-5777) in the wild: why a gateway flaw plus abused remote-support tools should prompt a remote-access review.

Read article

Not sure where your practice stands?

Start with a free HIPAA self-assessment, or talk with a healthcare-IT expert who works with practices like yours every day. No jargon, no sales pressure.

About this work: read the origins of The Digital Strategikon — why we publish a working library on the HIPAA Security Rule instead of a sales brochure.