Your Electronic Health Record system holds everything — patient histories, insurance details, Social Security numbers, prescription records. For medical practices across Northern Virginia and Washington DC, the EHR is the most valuable target on your network. And in 2026, attackers know exactly how to get in.
This EHR security checklist is not a generic list of IT best practices. It is a practical, step-by-step guide built for the way medical practices in our region actually operate. Whether you are a solo physician in McLean, a multi-provider group in Fairfax, or a specialty clinic in Arlington, these are the controls that will keep your patient data safe and your practice compliant.
Why EHR Security Requires a Dedicated Checklist
Most medical practices treat their EHR like any other software — install it, log in, use it. But your EHR is fundamentally different from your scheduling tool or your billing platform. It contains Protected Health Information (PHI) covered under HIPAA, and it touches nearly every workflow in your practice.
The challenge for practices in Northern Virginia is compounded by our workforce dynamics. Staff may access the EHR from multiple locations — the main office, satellite clinics, even from home during after-hours call. Each access point is a potential vulnerability.
Reality check: The HHS Office for Civil Rights reported 725 major healthcare breaches in 2023 alone, exposing over 133 million patient records. Most originated from compromised credentials or unpatched systems — exactly the issues this checklist addresses.
The Complete EHR Security Checklist
1. Access Controls and Authentication
This is where most breaches begin. Weak or shared credentials give attackers a direct path to patient data.
- Enforce multi-factor authentication (MFA) for all EHR access — no exceptions, including physicians
- Implement role-based access controls (RBAC) so each staff member only sees what they need
- Disable shared login accounts immediately — every user needs their own credentials
- Set automatic session timeouts to 15 minutes of inactivity
- Require password complexity minimums: 12+ characters, no reuse of last 12 passwords
- Review and revoke access within 24 hours when staff leave the practice
- Audit who accessed which patient records monthly — look for anomalies
NoVA tip: Many practices in our area use Epic MyChart, athenahealth, or eClinicalWorks. All three support MFA natively — but it is often left disabled during initial setup. Check your admin settings today.
2. Network Segmentation and Perimeter Security
Your EHR server should not live on the same network segment as your waiting room Wi-Fi or your front desk computer used for browsing. This sounds obvious, but we see it constantly in practices across the DC metro area.
- Place EHR systems on a dedicated VLAN, isolated from general office traffic
- Separate guest Wi-Fi completely — different SSID, different subnet, no bridge to clinical systems
- Deploy a next-generation firewall with intrusion detection/prevention (IDS/IPS)
- Block all unnecessary outbound ports from the EHR segment
- Implement DNS filtering to block known malicious domains
- Use encrypted VPN connections for any remote EHR access
3. Endpoint Security for Clinical Workstations
Every computer, tablet, and mobile device that touches your EHR is an endpoint that needs protection. In medical practices, these endpoints face unique challenges — they are often in shared spaces, used by multiple staff members throughout the day, and may be running older hardware.
- Deploy managed endpoint detection and response (EDR) on all clinical workstations
- Enable full-disk encryption (BitLocker for Windows, FileVault for Mac)
- Keep all operating systems on supported versions — no Windows 10 past its October 2025 end-of-life
- Auto-patch all workstations within 72 hours of critical security updates
- Disable USB mass storage devices on clinical machines
- Lock workstations automatically after 5 minutes of inactivity
- Install screen privacy filters on any monitor visible to patients or visitors
4. Backup and Disaster Recovery
Ransomware attackers know that medical practices cannot afford downtime. A single day without EHR access means cancelled appointments, delayed prescriptions, and potential patient harm. Your backup strategy is your last line of defense.
- Follow the 3-2-1 backup rule: 3 copies, 2 different media types, 1 offsite
- Back up EHR databases at minimum every 4 hours during business hours
- Store at least one backup set completely offline (air-gapped) — ransomware cannot encrypt what it cannot reach
- Test full restoration quarterly — actually restore to a test environment and verify data integrity
- Document your Recovery Time Objective (RTO) — how long can your practice operate without EHR access?
- Encrypt all backup data in transit and at rest
- Maintain backup logs and verify completion daily
Local consideration: Several Northern Virginia practices we work with use cloud-based EHR systems and assume the vendor handles all backups. This is partially true — but vendor backups protect against their infrastructure failures, not against your account being compromised. You still need independent backups of your data exports.
5. Audit Logging and Monitoring
HIPAA requires you to track who accesses what, when, and from where. But beyond compliance, audit logs are your early warning system for breaches in progress.
- Enable comprehensive audit logging in your EHR — every login, record view, export, and modification
- Forward logs to a centralized SIEM or log management platform
- Set alerts for unusual patterns: after-hours access, bulk record views, access from new locations
- Review logs weekly for anomalies — assign a specific person to this task
- Retain audit logs for minimum 6 years (HIPAA requirement)
- Monitor for failed login attempts and lock accounts after 5 failures
6. Staff Training and Security Awareness
Technology alone cannot protect your EHR if your staff clicks a phishing link or shares credentials. Human error remains the leading cause of healthcare breaches.
- Conduct security awareness training at hire and at least quarterly thereafter
- Run simulated phishing exercises monthly — track who clicks and provide immediate coaching
- Train staff specifically on social engineering attacks targeting medical practices
- Establish clear policies for handling PHI requests — no patient data over email without encryption
- Create a simple breach reporting procedure — staff should know exactly what to do if something looks wrong
- Document all training with sign-off sheets for HIPAA audit evidence
Common EHR Security Mistakes We See in NoVA Practices
After working with medical practices across Northern Virginia and the DC metro area, certain patterns emerge. These are the mistakes that create the most risk:
- Sharing credentials between nurses on the same shift. It saves time, but it eliminates accountability and violates HIPAA access controls. One compromised shared account exposes everything.
- Running EHR on end-of-life operating systems. We still find practices running Windows 10 machines — unsupported since October 2025 — because "they still work." They work until they get exploited through an unpatched vulnerability.
- No network segmentation. The EHR server, the front desk, the billing workstation, and the patient Wi-Fi all on one flat network. An attacker who compromises any one device can reach them all.
- Assuming cloud EHR means secure EHR. Cloud hosting shifts some infrastructure security to the vendor, but access control, credential management, and data governance remain your responsibility.
- Skipping backup restoration tests. Backups that have never been tested are not really backups — they are hopes. When ransomware hits at 2 AM on a Saturday, you need certainty.
Building Your EHR Security Roadmap
You do not need to implement everything on this checklist in a single week. Prioritize based on risk:
- Week 1-2: Enable MFA on all EHR accounts. Eliminate shared credentials. This single step blocks the majority of credential-based attacks.
- Week 3-4: Verify your backup strategy. Test a restoration. Confirm you have an offline copy that ransomware cannot reach.
- Month 2: Implement network segmentation. Move your EHR to a dedicated VLAN. Deploy endpoint protection on all clinical workstations.
- Month 3: Launch staff training program. Set up audit log monitoring. Begin regular phishing simulations.
- Ongoing: Monthly access reviews. Quarterly backup tests. Annual comprehensive security assessment.
HIPAA connection: Every item on this checklist maps to a specific HIPAA Security Rule safeguard. Completing this checklist means you are not just securing your EHR — you are building documented evidence of HIPAA compliance that will serve you well in any audit or breach investigation.
What Makes Healthcare a Unique Target
Medical records sell for 10 to 40 times more than credit card numbers on the dark web. A stolen credit card can be cancelled in minutes. A patient's medical history, Social Security number, and insurance information cannot be changed. This makes every record in your EHR permanently valuable to attackers.
For practices in the Washington DC metropolitan area, the risk profile is even higher. Our region has a high concentration of government employees, military personnel, and executives whose medical information carries additional intelligence value. Practice administrators need to understand that threat actors specifically target the DMV healthcare corridor.
At JPert, we provide managed IT and cybersecurity services specifically for medical practices throughout Northern Virginia, Washington DC, and Maryland. We understand EHR workflows, HIPAA requirements, and the real-world constraints that practices face. Our team can assess your current EHR security posture, identify gaps, and help you implement the controls on this checklist — without disrupting patient care.