5 MIN READ · Feb 13, 2026

HIPAA risk assessment for small practices: what a six-doctor optometry office taught us

A six-doctor optometry practice in Plano called because the office manager couldn't manage it anymore. Twenty-seven inboxes. Patient SSNs and PHI moving every day. No MFA. No email security. No SOC. No EDR. Nobody had been hacked yet, which is exactly why the gaps had survived this long. A real HIPAA risk assessment would have surfaced them before an OCR audit or a breach did. Here's what we found, what got deployed, and what any small healthcare practice should test in its own environment.

The 60-second version

  • The practice: Six doctors, 27 email users, millions in annual patient revenue. Plano, TX.
  • The gap: No MFA. No email security beyond M365 defaults. No 24/7 SOC. No EDR. PHI (including patient SSNs) on workstations and in email.
  • How they found us: The office manager Googled. "It's just gotten to be too much."
  • What got deployed: Phased rollout: email security, MFA, EDR, 24/7 SOC, SSO to offset the friction doctors hate.
  • The point: A HIPAA risk assessment is supposed to find the gaps before the incident does. The question isn't "are we likely to get hacked?" The question is "what would an auditor or a patient see if these records leaked tomorrow?"

The call that started it

The office manager's first sentence said the whole problem.

She said, "It's just gotten to be too much. I can't manage the day-to-day office and then try to figure out what's going on with email security and the people that are asking questions. I can no longer do it. I need somebody to help me. And I really don't know what I'm asking for because I've never done this before."

— Farzad Vahid, Founder and CEO, Fornida

"I don't know what I'm asking for." It's the sentence we hear most from healthcare practices this size. They know they need help; they don't know what kind, or what to call it. The office manager had inherited IT from a doctor's son who'd moved on. The practice grew. The IT didn't.

This is the 20-employee tipping point in healthcare. Below it, one person can run IT alongside everything else. Above it, the cracks show, and the office manager feels them long before any incident does.

What we found inside

The compliance exposure wasn't theoretical.

They have PII data, which is people's personal information. They have social security numbers, they have all this information, and if you're not protecting it... they didn't have multifactor, they didn't have email security, they didn't have a SOC.


— Farzad Vahid

The dollar shape makes it legible to a non-technical buyer:

They do millions of dollars a year with patients... if you get hacked and you leak this PII data, depending on what state you're in, you get fined per user credentials that you lost. So it could be very costly. So much so that you've shut down.


— Farzad Vahid

A practice on M365 defaults isn't running on nothing, but a HIPAA risk assessment isn't grading you on whether something is enabled. It's grading whether the technical safeguards around PHI are actually in place: MFA enforcement, email security, EDR, monitoring, and a defensible operational process behind them. Here, they weren't.

The education-led conversation, not the fear pitch

The office manager's worry wasn't cost. It was the doctors.

I was like, look, there are gonna be some aspects of your business that will be slowed down from putting in all these cybersecurity measures. However, it'll be offset with some of the things that we do to speed things up. A good example would be like single sign-on so they don't have to go into every single place and do multifactor and all.


— Farzad Vahid

This is what closes deals in healthcare: pairing the friction with the relief. Doctors reject MFA the third time it interrupts a patient encounter. SSO plus an Intune policy means credentials get entered once a day, not eleven times. Security up, friction down, but only if somebody designs the rollout that way.

What got deployed, and how

The deployment philosophy matters as much as the tool list.

We try to limit the interruptions and maximize the efficiency. You go in and you wanna rip and replace everything. One, it's very costly. And two, it's very difficult because everybody in that environment has to learn an entire new system and process.


— Farzad Vahid

Phased, not rip-and-replace. Email security and MFA early; SSO alongside MFA so the friction never hits the doctors unaccompanied; EDR in the background; the 24/7 SOC tuned to the practice's baseline over weeks.

What this means for any small healthcare practice

The takeaway isn't the tool stack. It's the questions.

A HIPAA risk assessment is supposed to surface operator-grade gaps, not just generate a checkbox PDF. Per-credential fines apply when records leak. Audit findings apply when controls are missing, breach or no breach. The useful question is not "have we been hacked?" The useful question is "if a HIPAA auditor walked in tomorrow, what would they find first?"

SSO and MFA aren't enterprise luxuries. They're the baseline for any environment touching PHI. Most small practices don't have them because nobody packaged the rollout in a way the doctors won't reject. That's a vendor problem.

Ask any IT vendor:

  • How do you run a HIPAA risk assessment?
  • What technical safeguards do you verify first?
  • Do you stock hardware for next-day replacement?
  • Are there engineers, not technicians, on the help desk?
  • Do you run a 24/7 SOC, or outsource one?
  • Have you ever rebuilt a client's environment after a breach?

If a vendor can't answer concretely, the compliance language on their site doesn't mean much.

See what an auditor would see, before the auditor does

The gaps a HIPAA auditor flags are mostly the same gaps a threat actor would exploit. We run a free vulnerability scan that surfaces both: the configuration weaknesses, the missing controls, the exposed credentials, the things that show up on an OCR audit checklist and in a threat actor's reconnaissance pass alike.

We've already uncovered hundreds of critical issues for other clients with this scan, most of them at practices that thought they were fine.

Book the free scan. Thirty minutes. We show you what's exposed before someone else does.