Healthcare - Compliance Program

HIPAA Security Program
Build-Out — Zero to Operational

Industry: Healthcare - Radiology
Duration: 5 Months
Secure Score: 40% to 96.34%
Scope: 6 Sites / 83 Users

Situation

A multi-site diagnostic imaging organization handling ePHI across 6 locations had no formal security documentation, no governance structure, and no implemented controls when this engagement began in October 2025. The organization operated on Microsoft 365 Business Premium with no prior security engineering ownership.

The starting state represented significant HIPAA exposure: no incident response capability, no MFA enforcement, no vulnerability management, no logging posture, and AI automation servers with unauthenticated APIs accessible on the internal network.

Starting State — Oct 2025
0 security policies or governance documents
No formal incident response capability
No MFA enforcement or Conditional Access
No vulnerability management program
No logging or monitoring posture
AI servers with unauthenticated APIs exposed
No firewall hardening across 8 sites
Microsoft Secure Score: ~40%
5-Month Checkpoint — Mar 2026
16-document security and governance library
Full IR program: IRP, severity matrix, 7 runbooks
MFA enforced tenant-wide via Conditional Access
Internal VA complete — 3 critical findings remediated same-day
Azure Log Analytics operational, Entra logs forwarded
AI server APIs bound to localhost, Duo MFA on VPN
2 of 8 sites fully hardened, template replicated
Microsoft Secure Score: 96.34%

Approach

The program was structured into four sequential phases, each with defined deliverables and exit criteria. All work was performed by a single security engineer operating within the constraints of Microsoft 365 Business Premium licensing — no Sentinel, no Entra P2, no Defender for Identity.

Phase 0 — Stabilization
Complete
Define program roadmap and phase structure
Freeze new tool deployment — prevent scope sprawl
Establish weekly security engineering cadence
Executive sign-off on self-insurance security model
Phase 1 — Identity, Platform and Governance
Partial
Entra ID deployed as sole identity authority — no hybrid model
MFA enforced tenant-wide; phishing-resistant for admins
Conditional Access: legacy auth blocked, device compliance required
Break-glass governance — offline credential, excluded from CA, monitored
Intune MDM — all endpoints enrolled, compliance policies enforced
Defender for Business EDR in block mode, ASR rules deployed
BitLocker enforced via Intune, recovery keys escrowed to Entra
Purview DLP, sensitivity labeling, retention governance
Azure Log Analytics — Entra diagnostic logs forwarded
Governance library: 16 documents across all HIPAA safeguard domains
Google Workspace audit and SSO consolidation — migration path defined
Phase 2 — Resilience and Incident Readiness
Partial
Incident Response Plan v1.0 authored
Incident Severity and Classification Matrix
7 IR runbooks covering primary threat scenarios
Post-Incident Review Template and HIPAA Breach Worksheet
Internal VA completed — 15 findings, 3 critical remediated same-day
Beazley cyber insurance application completed
Cyber Incident Reserve Fund — proposal built, executive funding pending

Technical Controls Implemented

  • Entra ID Conditional Access with named location policies, device compliance requirements, and legacy authentication blocking across all users
  • Windows LAPS deployed via Intune — eliminated shared, static local administrator credentials across all managed endpoints by rotating each device's local admin password and escrowing it to Entra
  • Defender for Business in EDR block mode with Attack Surface Reduction rules and tamper protection enforced
  • Microsoft Purview sensitivity labeling aligned to HIPAA data classification requirements; DLP policies active across Exchange, SharePoint, and OneDrive
  • Azure Log Analytics workspace configured for Entra sign-in, audit, and risk log centralization
  • M365 Backup covering Exchange, SharePoint, and OneDrive with validated restore capability
  • Cisco Duo RADIUS MFA for VPN — Auth Proxy deployed on production Ubuntu server; Meraki MX75 authentication migrated from native auth to RADIUS
Licensing constraint note: All controls were implemented within Microsoft 365 Business Premium. No Entra P2, Sentinel, or Defender for Identity. Architecture decisions reflect real-world budget constraints common in SMB healthcare environments.
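The Conditional Access baseline described in Phase 1 and in the controls list above (legacy authentication blocked, MFA for all users, phishing-resistant MFA for admins, break-glass accounts excluded from every policy) can be deployed and audited with the Microsoft Graph PowerShell SDK, which is included in Business Premium tenants at no extra licensing cost. The script below is an added illustration, not the engagement's own tooling. It assumes a hypothetical break-glass security group named SEC-BreakGlass and hypothetical policy names; the Global Administrator role template ID and the built-in "Phishing-resistant MFA" authentication strength ID are Microsoft's documented well-known values, but confirm the strength ID in your tenant as noted in the comments.

```powershell
# Added example (not the engagement's scripts): create a report-only Conditional
# Access baseline that always excludes the break-glass group, then audit every
# active policy for that exclusion. Needs the Microsoft.Graph PowerShell SDK.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups

param(
    # Hypothetical group holding the break-glass (emergency access) accounts.
    [string]$BreakGlassGroupName = 'SEC-BreakGlass'
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All' -NoWelcome

$bgGroup = Get-MgGroup -Filter "displayName eq '$BreakGlassGroupName'" | Select-Object -First 1
if (-not $bgGroup) {
    throw "Break-glass group '$BreakGlassGroupName' not found. Create it (and its offline-credential accounts) before deploying CA."
}

# Built-in authentication strength "Phishing-resistant MFA" (well-known ID).
# Verify in your tenant: Get-MgPolicyAuthenticationStrengthPolicy | Select Id, DisplayName
$phishingResistantStrength = '00000000-0000-0000-0000-000000000004'
# Global Administrator directory role template ID (tenant-independent).
$globalAdminRole = '62e90394-69f5-4237-9190-012177145e10'

function New-BaselinePolicy {
    param(
        [string]$Name,
        [hashtable]$Users,          # conditions.users block (includeUsers / includeRoles)
        [string[]]$ClientAppTypes,  # 'all', or legacy types such as 'exchangeActiveSync','other'
        [hashtable]$Grant           # grantControls block
    )
    # Every policy excludes the break-glass group, whatever else it targets,
    # so a mis-scoped policy can never lock out the emergency accounts.
    $Users.excludeGroups = @($bgGroup.Id)

    $body = @{
        displayName   = $Name
        # Report-only first: sign-in logs show what WOULD have been blocked
        # before anyone is actually denied. Flip to 'enabled' after review.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            clientAppTypes = $ClientAppTypes
            applications   = @{ includeApplications = @('All') }
            users          = $Users
        }
        grantControls = $Grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Legacy protocols cannot perform MFA, so they are blocked outright.
New-BaselinePolicy -Name 'CA001 - Block legacy authentication' `
    -Users @{ includeUsers = @('All') } `
    -ClientAppTypes @('exchangeActiveSync', 'other') `
    -Grant @{ operator = 'OR'; builtInControls = @('block') }

# Tenant-wide MFA for every interactive sign-in.
New-BaselinePolicy -Name 'CA002 - Require MFA for all users' `
    -Users @{ includeUsers = @('All') } `
    -ClientAppTypes @('all') `
    -Grant @{ operator = 'OR'; builtInControls = @('mfa') }

# Admins get an authentication strength (FIDO2 / passkey / CBA), not plain MFA.
New-BaselinePolicy -Name 'CA003 - Phishing-resistant MFA for admins' `
    -Users @{ includeRoles = @($globalAdminRole) } `
    -ClientAppTypes @('all') `
    -Grant @{ operator = 'OR'; authenticationStrength = @{ id = $phishingResistantStrength } }

# Audit: any enabled or report-only policy that does not exclude the
# break-glass group is a lockout risk and is reported here.
$gaps = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -ne 'disabled' -and ($_.Conditions.Users.ExcludeGroups -notcontains $bgGroup.Id) }

if ($gaps) {
    $names = $gaps.DisplayName -join ', '
    Write-Warning "Policies missing the break-glass exclusion: $names"
} else {
    Write-Host 'All active Conditional Access policies exclude the break-glass group.'
}
```

Run the script once, review the Entra sign-in logs for report-only results (the same logs the page describes forwarding to Log Analytics) for at least a week, then change each policy's state to enabled. The audit at the end is worth re-running on a schedule: a policy added later by hand, without the exclusion, is the most common way a break-glass account quietly stops working, and the break-glass accounts themselves should trigger an alert on any sign-in, since the exclusion removes MFA from them.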

Governance Library — Built from Zero

All 16 documents were authored from scratch with no prior templates or frameworks in place. Each document is mapped to the relevant HIPAA Security Rule safeguard section.

  • Security and Compliance Governance Summary — §164.308(a)(1) Risk Management
  • Identity and Access Security Architecture — §164.312(a)(1) Access Control
  • Endpoint Security and Device Governance — §164.310(b)-(c) Workstation Use and Workstation Security
  • Network and Physical Infrastructure Security — §164.310 Physical Safeguards
  • Cloud Monitoring, Logging and Incident Readiness — §164.312(b) Audit Controls
  • Data Protection and Compliance Architecture — §164.312(a)(2)(iv) Encryption
  • 2026 Security Program Roadmap — Administrative Safeguards Governance
  • Incident Response Plan v1.0 — §164.308(a)(6) Security Incident Procedures
  • Incident Severity and Classification Matrix — §164.308(a)(6) Companion Reference
  • Post-Incident Review Template — §164.308(a)(6) Documentation
  • HIPAA Breach Determination Worksheet — 45 CFR §164.402 4-Factor Risk Assessment
  • Incident Response Playbook — 7 runbooks covering primary threat scenarios
  • Vulnerability Assessment Report v1 and v2 — §164.308(a)(8) Evaluation

Outcomes

  • Microsoft Secure Score driven from approximately 40% to 96.34% — 100% Data, 97.54% Apps, 92.15% Identity
  • HIPAA/HITECH Compliance Manager score achieved above 80%
  • Beazley cyber insurance application completed end-to-end with full technical evidence documentation
  • 3 critical vulnerability findings remediated within 24 hours of discovery
  • 100% MFA coverage across all users including legacy systems via Duo RADIUS
  • Full audit-defensible governance posture established across all HIPAA administrative safeguard domains
  • Program on track for July 2026 self-insurance transition target

Need a HIPAA compliance program?

This engagement is available as a structured Tier 3 engagement or Full Stack program. Scoped to your environment and licensing.
