1 · Executive summary
Cedar Lane Family Dental maintains a functional, modern environment and a clearly capable team. However, the practice has no current Security Risk Analysis on file and several controls expected by the HIPAA Security Rule are absent or undocumented. We identified 11 findings: 3 high, 5 medium, 3 low. None require major capital expense; most are configuration and documentation gaps that can be closed within 90 days.
2 · Scope & methodology
This analysis followed the HIPAA Security Rule's risk-analysis requirement (45 CFR § 164.308(a)(1)(ii)(A)), structured against NIST SP 800-30. We inventoried systems that create, receive, store, or transmit ePHI; reviewed administrative, physical, and technical safeguards; interviewed staff; and rated each finding by likelihood × impact. The full engagement also includes policy templates and a remediation tracker (omitted from this sample).
3 · Findings & recommendations
| Finding | Risk | Recommendation |
|---|---|---|
| No documented Security Risk Analysis on file | High | Conduct and document this SRA; review annually and after material changes. |
| Front-desk & operatory workstations are not encrypted | High | Enable BitLocker on all Windows endpoints; record recovery keys securely. |
| No MFA on email or the practice-management remote login | High | Enforce MFA on Microsoft 365 and all remote/admin access. |
| Backups exist but have never been test-restored | Medium | Move to encrypted offsite backup; run and log a quarterly restore test. |
| No signed BAA with current IT vendor or copier-lease vendor | Medium | Obtain signed BAAs from every vendor with potential PHI access. |
| Staff share a single Windows login at the front desk | Medium | Issue individual accounts; enable audit logging for accountability. |
| Workstation patching is manual and inconsistent | Medium | Deploy managed patching on a documented monthly cadence. |
| No security-awareness training in the last 12 months | Medium | Run annual HIPAA security-awareness training; keep completion records. |
| Former employee accounts not disabled at termination | Low | Add account de-provisioning to the offboarding checklist. |
| No written incident-response / breach-notification plan | Low | Adopt a one-page IR plan; assign roles and a notification path. |
| Guest Wi-Fi shares the clinical network | Low | Separate guest traffic onto its own VLAN/SSID. |
4 · Remediation roadmap
First 30 days (highs): encrypt all endpoints, enforce MFA, and execute the SRA documentation itself.
31–60 days (mediums): migrate to tested offsite backups, collect outstanding BAAs, individual logins, managed patching.
61–90 days (lows + hardening): staff training, written incident-response plan, network segmentation, and an offboarding checklist.