Hidden gaps, quiet waste, and the changes that made things genuinely better
Most healthcare leaders believe their security and IT programs are running the way they were designed to run. The policies are written. The tools are purchased. The controls are, on paper, “in place.”
But is that what is actually happening, day to day, in the organization?
For most organizations, the truth is that the space between the cybersecurity program on paper and the program in practice is full of misalignment: controls that exist in a policy but not in operation, investments that overlap or no longer earn their keep, and processes that worked once but quietly eroded while everyone was busy keeping the hospital running.
Here are some of the things I have seen cybersecurity leaders uncover in their programs during an audit or program rationalization exercise — and what they did about it.
“We have MFA.” But… do we?
After years of audits hammering on the importance of multi-factor authentication (MFA), it has become one of those controls everyone assumes is finished business. But audits keep surfacing MFA in name only.
What leaders have found:
- Large MFA exclusion lists, built up over time to quiet complaints about usability, disproportionately covering physicians and executives (the exact accounts an attacker wants most).
- Enrollments that were “enabled” in the console but had no device actually registered behind them.
- No MFA on privileged remote access, even while standard users were required to use it.
- Wide-open remote email access for the whole organization, left without MFA because of a legacy configuration or a fear of disruption.
In most of these cases, MFA had indeed been “rolled out.” What no one had done was verify coverage, consistency, or enforcement.
How they fixed it:
- Clear MFA standards by access type: remote, privileged, and clinical systems each treated on their own terms.
- Time-bound, documented exceptions that leadership reviews, replacing a permanent bypass list nobody owns.
- MFA solutions designed around clinical workflows, rather than blanket exclusions that trade security for convenience.
- Metrics that showed coverage, not a single checkbox for compliance.
The biggest shift was the question that leaders began to ask about MFA. They stopped asking “Do we have MFA?” and started asking “Who doesn’t — and why?”
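One way to turn “Who doesn’t, and why?” into a repeatable report, added here as an example and not taken from the original write-up: the script below reconciles an identity export with the exception register and reports coverage per access type, treating “enabled in the console” as meaningless unless a method is actually registered. The field names, the sample accounts and the exception entries are constructed for the example; a real run would read the same fields from the identity provider’s export.

```python
from collections import defaultdict
from datetime import date

AUDIT_DATE = date(2024, 1, 15)  # constructed "as of" date for the review

# Constructed identity export. Real data would come from the identity provider's
# export; the field names are assumptions for this example.
USERS = [
    {"login": "dr.alvarez", "role": "physician", "access": {"remote", "clinical"},
     "mfa_enabled": True,  "methods": []},                      # enabled, nothing registered
    {"login": "j.chen",     "role": "executive", "access": {"remote"},
     "mfa_enabled": False, "methods": []},                      # on the bypass list
    {"login": "svc_backup", "role": "admin",     "access": {"privileged", "remote"},
     "mfa_enabled": False, "methods": []},                      # privileged remote access, no MFA
    {"login": "m.okafor",   "role": "nurse",     "access": {"clinical"},
     "mfa_enabled": True,  "methods": ["authenticator_app"]},
    {"login": "r.patel",    "role": "analyst",   "access": {"remote"},
     "mfa_enabled": True,  "methods": ["hardware_token"]},
    {"login": "k.brown",    "role": "rad_tech",  "access": {"clinical"},
     "mfa_enabled": False, "methods": []},                      # documented, time-bound exception
]

# Constructed exception register. None marks a legacy bypass entry nobody owns.
EXCEPTIONS = {
    "j.chen":     {"owner": "CISO", "expires": date(2023, 6, 30)},
    "svc_backup": None,
    "k.brown":    {"owner": "CMIO", "expires": date(2024, 3, 31)},
}


def classify(user, exceptions, as_of):
    """Return (status, reason) where status is 'covered', 'exception' or 'gap'."""
    if user["mfa_enabled"] and user["methods"]:
        return "covered", "enrolled"
    if user["mfa_enabled"]:
        return "gap", "enabled in console but no method registered"
    if user["login"] not in exceptions:
        return "gap", "no MFA and no documented exception"
    exc = exceptions[user["login"]]
    if exc is None:
        return "gap", "exception has no owner or expiry"
    if exc["expires"] < as_of:
        return "gap", f"exception expired {exc['expires'].isoformat()}"
    return "exception", f"approved by {exc['owner']} until {exc['expires'].isoformat()}"


def coverage_report(users, exceptions, as_of):
    """Percent of accounts actually enrolled, per access type, plus everyone who is not and why."""
    totals = defaultdict(lambda: {"accounts": 0, "covered": 0})
    gaps = []
    for user in users:
        status, reason = classify(user, exceptions, as_of)
        for access in user["access"]:
            totals[access]["accounts"] += 1
            if status == "covered":
                totals[access]["covered"] += 1
        if status != "covered":
            gaps.append((user["login"], user["role"], sorted(user["access"]), status, reason))
    coverage = {a: round(100 * t["covered"] / t["accounts"]) for a, t in totals.items()}
    return coverage, gaps


if __name__ == "__main__":
    coverage, gaps = coverage_report(USERS, EXCEPTIONS, AUDIT_DATE)
    for access, pct in sorted(coverage.items()):
        print(f"{access:<11} {pct:>3}% enrolled")
    for login, role, access, status, reason in gaps:
        print(f"{login:<12} {role:<10} {','.join(access):<20} {status:<9} {reason}")
```

Two design choices carry the point of the section: an approved, unexpired exception is reported separately but still does not count toward coverage, and an exception with no owner or expiry is a gap, not an exception. Run against the constructed data, privileged access shows 0% and remote access 25%, which is the number a leadership review should see instead of “MFA: done.”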
Why are we paying for two SOCs?
When an organization grows fast, merges, or bolts on services one decision at a time, overlapping capability can quietly pile up without anyone deciding it should.
What leaders found:
- Two separate SOC services watching similar logs, alerts, and endpoints.
- Overlapping incident response coverage with no clear owner.
- Duplicate reporting that looked different but said the same thing.
- Staff who weren’t sure which SOC to call when they needed them.
None of it was anyone’s fault. Every contract made sense the day it was signed. What was missing was the moment where someone stepped back and looked at the whole picture at once.
What happened next:
- Moved to a single, consolidated SOC strategy mapped to actual risk.
- Clarified roles between internal teams and external partners.
- Lowered spend without lowering coverage.
- Stronger incident response with a clearer escalation path.
An audit or rationalization exercise that frees up budget to be spent where the risk really lives is not as rare as you might think.
Why is a terminated employee’s account still active?
Most organizations believe HR offboarding and IT access removal are tightly linked. Audits routinely show it is worth double-checking.
What leaders found:
- IT learning about terminations days, sometimes weeks, after the employee’s last working day.
- Contractors with no formal offboarding notification at all.
- Accounts left active because no signal ever arrived to disable them.
Most often this is simply the result of a process gap that runs across departments, which is precisely why it stays hidden.
What it turned into:
- Defined ownership for termination notifications.
- Automation between HR systems and the identity platform.
- Contract language that requires vendors to give offboarding notice.
With high-profile cases driving home the organizational risk of a (disgruntled) former employee having access to critical systems, more than a few leaders have said this single discovery justified the entire audit.
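The check that surfaces this gap is a reconciliation between two systems that normally never meet. The script below is an added example, not something from the original article: it joins a constructed HR roster to a constructed directory export and reports accounts still enabled after the HR last day, accounts that were disabled late or used after the last day, and enabled accounts HR has no record of at all (the contractor case). Field names and the sample records are assumptions; the same logic applies to whatever the HR system and identity platform actually export.

```python
from datetime import date

AUDIT_DATE = date(2024, 2, 12)  # constructed review date

# Constructed HR roster: last_day is None for people still employed.
HR_ROSTER = [
    {"login": "a.nguyen", "last_day": date(2024, 1, 5)},
    {"login": "b.rossi",  "last_day": date(2024, 1, 19)},
    {"login": "c.dube",   "last_day": None},
]

# Constructed directory export: account state, when it was disabled, last interactive logon.
DIRECTORY = [
    {"login": "a.nguyen", "enabled": False, "disabled_on": date(2024, 1, 17), "last_logon": date(2024, 1, 16)},
    {"login": "b.rossi",  "enabled": True,  "disabled_on": None,              "last_logon": date(2024, 2, 2)},
    {"login": "c.dube",   "enabled": True,  "disabled_on": None,              "last_logon": date(2024, 2, 9)},
    {"login": "vendor_rad_support", "enabled": True, "disabled_on": None,     "last_logon": date(2023, 9, 3)},
]


def reconcile(hr_roster, directory, as_of):
    """Compare HR's view of who has left with the directory's view of who can still log in.

    Returns (login, finding, days) tuples:
      active_after_termination - account still enabled; days since the HR last day
      late_disable             - account disabled, but `days` after the last day, or used after it
      no_hr_record             - enabled account HR knows nothing about; days since last logon
    """
    hr = {r["login"]: r for r in hr_roster}
    findings = []
    for acct in directory:
        rec = hr.get(acct["login"])
        if rec is None:
            # No HR owner: a contractor or service account with no offboarding signal possible.
            if acct["enabled"]:
                findings.append((acct["login"], "no_hr_record", (as_of - acct["last_logon"]).days))
            continue
        if rec["last_day"] is None:
            continue  # still employed, nothing to check
        if acct["enabled"]:
            findings.append((acct["login"], "active_after_termination", (as_of - rec["last_day"]).days))
            continue
        # Disabled eventually, but measure how long the window stayed open and whether it was used.
        lag = (acct["disabled_on"] - rec["last_day"]).days
        used_after_exit = acct["last_logon"] > rec["last_day"]
        if lag > 0 or used_after_exit:
            findings.append((acct["login"], "late_disable", lag))
    return findings


if __name__ == "__main__":
    for login, finding, days in reconcile(HR_ROSTER, DIRECTORY, AUDIT_DATE):
        print(f"{login:<20} {finding:<26} {days:>4} days")
```

The `late_disable` lag is the number to put in front of leadership: it measures the notification delay the section describes directly, and a median of several days across terminations is the evidence that the HR-to-identity link needs automation rather than another reminder email. The `no_hr_record` entries are the list to take into the vendor contract discussion.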
How old is that server, really?
Everyone knows legacy systems live in healthcare. What audits reveal is just how far back some of them go, and how invisible they’ve become.
What leaders found:
- A forgotten Windows Server 2003 box still humming along in a corner.
- Multiple Windows Server 2008 systems that were labeled “temporary” years ago.
- Windows 7 clients still in use because a specialized application won’t run on anything newer.
- Asset inventories that were incomplete or simply wrong.
Usually, these systems weren’t purposefully ignored. They were normalized, and year after year they faded into the background until no one saw them at all.
How they solved it:
- Risk-based tracking of legacy systems.
- Compensating controls documented for both auditors and leadership.
- Hardware-replacement funding requests grounded in evidence, rather than fear.
- Clear timelines on legacy equipment use, instead of open-ended exceptions.
The audit was the key to turning “we know it’s old” into “we know the risk, and here’s the plan.”
Is your password policy holding up at the helpdesk?
On paper, password complexity policies often look strong. What happens when we look instead at human behavior at the help desk?
What leaders found:
- Helpdesk staff handing out simple, temporary passwords to close tickets faster.
- Users who never changed those temporary passwords afterward.
- No technical enforcement requiring a password change at next login.
Well-meaning staff optimizing for service is not the wrong instinct for a help desk. Usability pressure will always produce a workaround; the job is to expect that and build workflows in which even the workaround is secure.
What it turned into:
- Mandatory password-change enforcement at next login.
- Better training and clearer scripts for support staff.
- Safer ways to help a user without ever sharing a credential.
- Leadership recognition that convenience, left unmanaged, quietly erodes the policy.
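The finding above can be pulled out of the Windows Security log rather than discovered by interview. The script below is an added example, not part of the original article: the constructed log lines use the real Windows event IDs (4724 for a password reset by another account, 4723 for a user changing their own password, 4624 for a successful logon) in a simplified one-line format that is an assumption of the example, as is the list of helpdesk accounts. A helpdesk reset that is followed by logons but never by a 4723 means the temporary password is still in use, which is exactly what happens when change-at-next-logon is not enforced.

```python
from datetime import datetime

# Constructed, simplified Security-log lines: "<timestamp> <event id> key=value ...".
# The event IDs are the real Windows ones; the one-line layout is an assumption for
# this example rather than the native EVTX/XML record.
LOG = """\
2024-02-01T09:12:03 4724 subject=hd.lopez target=p.kim
2024-02-01T09:40:11 4624 target=p.kim
2024-02-01T09:40:30 4723 subject=p.kim target=p.kim
2024-02-02T14:05:52 4724 subject=hd.lopez target=t.ward
2024-02-02T14:20:07 4624 target=t.ward
2024-02-05T08:02:41 4624 target=t.ward
2024-02-03T10:15:00 4724 subject=hd.singh target=e.park
"""

HELPDESK = {"hd.lopez", "hd.singh"}  # constructed list of support accounts


def parse(log_text):
    """Turn the constructed lines into dicts with a parsed timestamp and integer event id."""
    events = []
    for line in log_text.splitlines():
        ts, eid, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid), **fields})
    return sorted(events, key=lambda e: e["time"])


def unchanged_temporary_passwords(events):
    """Helpdesk resets (4724) followed by logons (4624) but never by a user-initiated change (4723).

    An account that has not logged on since the reset is not flagged: it is only a problem
    if the first logon does not force a change, which this check cannot yet see.
    """
    findings = []
    resets = [e for e in events if e["id"] == 4724 and e["subject"] in HELPDESK]
    for reset in resets:
        later = [e for e in events if e["target"] == reset["target"] and e["time"] > reset["time"]]
        logons = [e for e in later if e["id"] == 4624]
        changed = any(e["id"] == 4723 for e in later)
        if logons and not changed:
            findings.append({
                "user": reset["target"],
                "reset_by": reset["subject"],
                "reset_at": reset["time"].isoformat(),
                "logons_with_temp_password": len(logons),
            })
    return findings


if __name__ == "__main__":
    for f in unchanged_temporary_passwords(parse(LOG)):
        print(f"{f['user']} has logged on {f['logons_with_temp_password']}x with the password "
              f"{f['reset_by']} set at {f['reset_at']} and never changed it")
```

In the constructed data, p.kim changed the password on first logon and is not reported, t.ward logged on twice with the helpdesk-issued password and is, and e.park has not logged on yet so the check stays quiet. Two caveats for a real run: 4723 is also logged for failed change attempts, so production logic should check the event’s Status field before treating it as a change, and the fix itself is on the directory side (in Active Directory, `Set-ADUser -ChangePasswordAtLogon $true`, which clears pwdLastSet so the next logon forces a change).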
The point of an audit: alignment, not blame
Even the word audit makes most teams cringe. It sounds like a witch hunt is coming. But across every organization I’ve seen, the audits that worked best shared one thing in common: they weren’t about catching people. They were about seeing reality clearly.
The leaders who got the most out of the process did four things consistently: (1) they asked the uncomfortable questions, (2) they followed each process end to end, (3) they looked across teams instead of inside silos, and (4) they treated every finding as an opportunity for the organization rather than as a failure of an individual.
What they got back were the wins that matter financially, operationally, and reputationally: better security, stronger operations, smarter spending, and clearer accountability.
In healthcare, complexity is inevitable, but blind spots don’t have to be.