
There Is No Finish Line in Cybersecurity – Ep 546

February 6, 2026

By Donna Grindle

Some things in life have a finish line. Cybersecurity is not one of them. There’s no victory lap, no tape to break, and definitely no moment where you can say, “Cool, we’re done here.” This episode dives into why cybersecurity is a never-ending process, what regulators are really telling organizations through their guidance, and how the most common security failures still come down to the basics—patching, cleaning up old systems, and actually paying attention. If you’ve ever hoped you could “set it and forget it” with security, this conversation explains why that mindset is exactly what gets people into trouble.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

When you see a couple of numbers on the left side of the text below click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


There Is No Finish Line in Cybersecurity

[00:40]

System Hardening and Protecting ePHI – January 2026 OCR Cybersecurity Newsletter | HHS.gov

Three Core Hardening Actions OCR Highlights

A. Patching Known Vulnerabilities

  • Software that’s outdated = low-hanging fruit for attackers.
    • Note that the newsletter names several operating systems and includes all the main ones in the list: Windows, macOS, Android, iOS, Linux. That points out they aren’t just talking about one type of system; patching should be happening on ALL of them.
  • Applies to operating systems, EHRs, email software, firmware on routers/firewalls — basically everything.
    • They even point out that sometimes you can’t patch something yet because a patch isn’t out, BUT that means you need to do other things to mitigate the vulnerability. You don’t get a pass until there is a patch available and applied. The same thing applies if for some reason a system can’t be updated with a patch right away.
  • Regular patching is part of HIPAA’s risk analysis & risk management requirements.
    • “Thus, a system hardening process would include regular identification (through the risk analysis process) and mitigation (through the risk management process) of identified vulnerabilities.”
    • BTW, they mentioned risk analysis 5 times in this newsletter and risk management 6 times.
  • Patching vulnerabilities is not a one-time event.

[16:40]

B. Removing or Disabling Unneeded Software, Accounts and Services

  • Extra apps might be cute games or messaging apps stuck on a work device — but they’re also attack vectors.
  • Some unwanted features (like remote access services) are like leaving the backdoor wide open.

C. Enabling & Configuring Security Features

  • This includes turning on and fine-tuning things like multi-factor authentication, audit logs, anti-malware, etc.
  • This ties directly to technical safeguards under the HIPAA Security Rule.
    • For example, a regulated entity’s risk analysis may determine that multi-factor authentication is required to sufficiently reduce the risk of unauthorized access to certain systems, but it is not available as an included authentication option for the target operating system or software, thus requiring installation and configuration of a third-party multi-factor authentication solution. OCR’s cybersecurity newsletter on HIPAA and Cybersecurity Authentication provides additional authentication examples and more detailed information.

[25:38]

Practical Tips for Listeners

  • Start with an asset inventory — know what devices and software you actually have.
    • OCR did a cybersecurity newsletter on IT asset inventories back in the summer of 2020. This newsletter references that one.
  • Subscribe to vulnerability alerts from vendors and NIST/CISA sources.
    • Find out what IT is doing to monitor patches PLUS which systems they are NOT monitoring.
  • Plan a regular “housekeeping” session for removing stuff no one uses.
  • Turn on MFA everywhere you can.
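The practical tips above and the patching points in section A describe one loop: know what you have, check it against the alerts you subscribe to, patch what has a patch, mitigate what doesn’t, and clean up what nobody uses. The following Python script is an added example that walks that loop over a small constructed inventory; it is not code from the podcast, from OCR, or from any vendor. Every hostname, product name, version, advisory and date in it is made up for illustration, and the dotted-version comparison is a deliberately simple scheme, not how any particular vendor numbers releases.

```python
# Added example (not from the podcast or OCR's newsletter): cross-check a
# constructed asset inventory against constructed vendor advisories to produce
# the hardening to-do list the episode describes. All hostnames, products,
# versions and dates below are made up for illustration.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    name: str
    os: str                       # operating system product name
    os_version: str
    software: Dict[str, str]      # installed product -> version
    patch_monitored: bool         # covered by the patch-management process?
    mfa_enabled: bool
    last_used: Dict[str, date] = field(default_factory=dict)  # product -> last use


@dataclass
class Advisory:
    product: str
    affected_below: str           # versions lower than this are vulnerable
    fixed_version: Optional[str]  # None: the vendor has not shipped a patch yet
    mitigation: str               # compensating control to use while unpatched


def _ver(v: str) -> Tuple[int, ...]:
    """Dotted version string -> comparable tuple (hypothetical simple scheme)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(installed: str, adv: Advisory) -> bool:
    return _ver(installed) < _ver(adv.affected_below)


def review_inventory(inventory: List[Asset], advisories: List[Advisory],
                     today: date, stale_days: int = 90) -> Dict[str, list]:
    """Return the action items: patch now, mitigate where no patch exists,
    systems outside patch monitoring, unused software to remove, MFA gaps."""
    report = {"patch_now": [], "mitigate_no_patch": [], "unmonitored": [],
              "housekeeping": [], "enable_mfa": []}
    for asset in inventory:
        if not asset.patch_monitored:
            report["unmonitored"].append(asset.name)
        if not asset.mfa_enabled:
            report["enable_mfa"].append(asset.name)
        # The OS is just another product with a version, so fold it in.
        installed = {asset.os: asset.os_version, **asset.software}
        for adv in advisories:
            ver = installed.get(adv.product)
            if ver is None or not is_affected(ver, adv):
                continue
            if adv.fixed_version is not None:
                report["patch_now"].append((asset.name, adv.product, ver, adv.fixed_version))
            else:
                # "No patch yet" is not a pass: record the compensating control.
                report["mitigate_no_patch"].append((asset.name, adv.product, ver, adv.mitigation))
        for product, last in asset.last_used.items():
            if (today - last).days > stale_days:
                report["housekeeping"].append((asset.name, product))
    return report


# Constructed sample inventory and advisories (all values are fictional).
INVENTORY = [
    Asset("front-desk-01", "Windows", "10.0.19045", {"ChatApp": "3.1"}, True, False,
          {"ChatApp": date(2025, 9, 1)}),
    Asset("ehr-server", "Linux", "5.15.0", {"EHRSuite": "8.2"}, True, True),
    Asset("edge-router", "RouterFirmware", "6.48", {}, False, True),
    Asset("old-lab-pc", "Windows", "10.0.19044", {"RemoteAccessTool": "2.0"}, False, False,
          {"RemoteAccessTool": date(2025, 1, 15)}),
]
ADVISORIES = [
    Advisory("Windows", "10.0.19045", "10.0.19045", "apply the vendor update"),
    Advisory("EHRSuite", "8.3", None, "restrict network access to the EHR until the vendor patch ships"),
    Advisory("RemoteAccessTool", "2.1", "2.1", "apply the vendor update or remove the tool"),
    Advisory("RouterFirmware", "6.49", "6.49", "apply the firmware update"),
]
REVIEW_DATE = date(2026, 2, 6)

if __name__ == "__main__":
    for section, items in review_inventory(INVENTORY, ADVISORIES, REVIEW_DATE).items():
        print(section)
        for item in items:
            print("  ", item)
```

The point of the script is the shape of the output, not the toy data: a system can show up in several lists at once (here the unmonitored lab PC needs an OS patch, has an unpatched tool nobody has used in a year, and has no MFA), and an advisory with no fix available lands in a “mitigate” list rather than being silently skipped, which is the “you don’t get a pass until there is a patch” point from section A.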

Their concluding paragraph is sending a message all should probably heed. See the quoted text below:

“System hardening and security baselines can be an effective means to enhance security, and for regulated entities to protect ePHI. However, defining, creating, and applying system hardening techniques is not a one-and-done exercise. Evaluating the ongoing effectiveness of implemented security measures is important to ensure such measures remain effective over time. As new threats and vulnerabilities evolve and are discovered, and attackers vary and improve their tactics, techniques, and procedures, regulated entities need to remain vigilant to ensure that their implemented security solutions remain effective. Indeed, for regulated entities, the periodic review and modification, as needed, of security measures implemented under the HIPAA Security Rule is a requirement to maintain protection of ePHI.”

Cybersecurity isn’t about checking a box or installing one magic tool—it’s about staying awake at the wheel. The biggest failures rarely come from elite hackers with movie-style skills; they usually come from outdated systems, forgotten software, and assumptions that someone else is handling it. It’s clear that regulators aren’t asking for perfection, but they are expecting continuous effort: regular patching, system hardening, cleanup of what doesn’t belong, and ongoing review as threats evolve. There may be no finish line in cybersecurity, but paying attention, staying curious, and resisting the “good enough” mindset can make the journey a lot less painful.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps; we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
