§ 02 What we measure

The eight controls underwriters are asking about.

Drawn from current applications by Beazley, Coalition, Chubb, Travelers, and Hartford, and from the public advisory guidance of Aon, Marsh McLennan, and CISA. The wording varies by carrier; the questions are consistent. The "Implemented, inside a small practice" blocks below use the carriers' own vocabulary and are written to be forwarded directly to the client's IT vendor. The 8th control, Business Associate oversight and funds-transfer integrity, is rendered here in its healthcare form; the law and CPA briefs render the same control as IOLTA / closing controls and WISP vendor oversight, respectively.

Control 1 of 8 · Identity & access

Multi-Factor Authentication

The question.
Is MFA required on email, remote access, virtual private network (VPN), cloud applications (including the practice management system and electronic health record (EHR)), and every administrative account?
Why it matters.
MFA blocks most credential-theft attacks. Verizon's 2025 Data Breach Investigations Report (DBIR) links credential abuse to 75% of system-intrusion breaches; Microsoft's published data indicates MFA prevents 99.2% of account compromise attacks. The Change Healthcare attack, the largest healthcare breach in U.S. history, traces back to a single Citrix account without MFA enabled.
Implemented, inside a small practice.
MFA enforced on Microsoft 365 or Google Workspace email for every user, owner-providers included, with legacy authentication protocols (IMAP, POP, SMTP AUTH) disabled, since those paths accept a password alone and never present an MFA challenge; on the practice management system (Dentrix, Eaglesoft, eClinicalWorks, Athena) where the vendor supports it; on remote access (VPN, remote desktop, anything reached from home or a second office); and on cloud backups, cloud storage, and the firewall administrative console. App-based authenticators or hardware tokens rather than SMS codes, because SMS-based MFA is no longer acceptable to many carriers in 2026. CISA recommends phishing-resistant MFA (FIDO2 / WebAuthn) for privileged accounts.
Common gaps.
Practice management vendors whose SaaS login does not support MFA at all. Shared front-desk logins with a single password. Administrative accounts on the firewall or server that the previous IT vendor set up and never tightened.
Control 2 of 8 · Endpoint security

Endpoint Detection and Response

The question.
Is EDR, not traditional antivirus, deployed on every workstation, laptop, and server?
Why it matters.
At-Bay's 2025 InsurSec Rankings Report, built on more than 100,000 policy years of claims data, found that every company in its dataset that avoided ransomware encryption had a professionally managed EDR solution in place. Traditional antivirus is signature-based and cannot detect modern ransomware, fileless attacks, or living-off-the-land techniques. EDR monitors endpoint behavior continuously, detects anomalies, and can isolate an infected device before ransomware spreads. Carriers have moved EDR from a recommended control to a binding requirement. Underwriters look for named products: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint (business tier), Sophos Intercept X. Windows Defender at the consumer tier does not qualify.
Implemented, inside a small practice.
EDR agent on every workstation, laptop, and server, no exceptions. A managed dashboard monitoring alerts, not installed and forgotten. A monthly coverage report showing 100% agent health. An automatic isolation policy so an infected host is quarantined from the network without human intervention.
Common gaps.
The legacy workstation running an imaging or lab system that cannot run Falcon, which is exactly the host an attacker compromises first. The home laptop the office manager uses for weekend billing. The new device the associate brought in last month.
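The monthly coverage report above is only as good as the reconciliation behind it: the EDR console knows about the hosts that have an agent, not the ones that do not. The script below is an added example, not from the original page or any EDR vendor. It joins three constructed CSV extracts (an asset list, the EDR console's agent export, and a DHCP lease export; the column names, hostnames and the 7-day staleness threshold are assumptions to adapt) and surfaces each of the gaps listed above: the host with no agent, the agent that stopped checking in, the host without automatic isolation, and the device on the network that nobody inventoried.

```python
"""Reconcile the asset inventory against the EDR console and the network.

Added example, not from the original page or any EDR vendor. The three
CSV extracts are constructed sample data standing in for an asset list,
the EDR console's agent export, and a DHCP lease export; column names,
hostnames and the 7-day staleness threshold are assumptions.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=7)  # assumption: an agent silent this long is not protecting

ASSET_INVENTORY_CSV = """hostname,role,os
FD-RECEPTION1,workstation,Windows 11
OP-ROOM2,workstation,Windows 11
PANO-IMAGING,imaging,Windows 7
PMS-SERVER,server,Windows Server 2022
"""

EDR_EXPORT_CSV = """hostname,agent_version,last_seen_utc,isolation_policy
FD-RECEPTION1,7.2.1,2026-04-10T14:02:00Z,auto
OP-ROOM2,7.2.1,2026-03-20T09:15:00Z,auto
PMS-SERVER,7.2.1,2026-04-10T13:58:00Z,manual
"""

DHCP_LEASES_CSV = """hostname
FD-RECEPTION1
OP-ROOM2
PANO-IMAGING
PMS-SERVER
MGR-HOME-LAPTOP
"""


def _rows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_csv: str, edr_csv: str, dhcp_csv: str, now: datetime) -> dict:
    """Return agent coverage (percent of inventoried hosts with a live agent)
    and a list of (host, finding_code, detail) tuples."""
    inventory = {r["hostname"].upper(): r for r in _rows(inventory_csv)}
    agents = {r["hostname"].upper(): r for r in _rows(edr_csv)}
    on_network = {r["hostname"].upper() for r in _rows(dhcp_csv)}

    findings: list[tuple[str, str, str]] = []
    healthy = 0
    for host, asset in inventory.items():
        agent = agents.get(host)
        if agent is None:
            findings.append((host, "NO_AGENT", f"{asset['role']} on {asset['os']}"))
            continue
        last_seen = datetime.fromisoformat(agent["last_seen_utc"].replace("Z", "+00:00"))
        if now - last_seen > STALE_AFTER:
            findings.append((host, "STALE_AGENT", f"last check-in {last_seen.date()}"))
        else:
            healthy += 1
        if agent["isolation_policy"] != "auto":
            findings.append((host, "NO_AUTO_ISOLATION", f"policy is '{agent['isolation_policy']}'"))

    # Devices talking on the network that the asset list has never heard of.
    for host in sorted(on_network - inventory.keys()):
        findings.append((host, "UNINVENTORIED", "on the network, absent from asset list"))

    coverage = round(100.0 * healthy / len(inventory), 1) if inventory else 0.0
    return {"coverage_pct": coverage, "findings": findings}


def sample_report() -> dict:
    """Run the reconciliation over the constructed extracts as of a fixed date."""
    return reconcile(ASSET_INVENTORY_CSV, EDR_EXPORT_CSV, DHCP_LEASES_CSV,
                     datetime(2026, 4, 10, 15, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    report = sample_report()
    print(f"agent coverage: {report['coverage_pct']}%")
    for host, code, detail in report["findings"]:
        print(f"  {code:<18} {host:<16} {detail}")
```

The coverage figure counts only agents that have checked in recently; an installed agent that went silent three weeks ago is a gap, not coverage. The DHCP join is what catches the weekend billing laptop and the associate's new device, which no console export will ever list.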
Control 3 of 8 · Resilience

Immutable and Tested Backups

The question.
Are backups immutable or air-gapped, tested for restore, and protected by MFA on the administrative console?
Why it matters.
Coalition reports that 94% of organizations hit by ransomware saw threat actors actively target backups during the attack. If an attacker can delete or encrypt the backups, the practice has no recovery path except paying the ransom. Coveware's Q4 2025 data shows the average ransom payment reached $591,988 while the payment rate fell to a record low of about 20%. Attackers are asking more from fewer victims.
Implemented, inside a small practice.
Automated daily backups of all practice data, documents, imaging, and configuration. At least one copy stored immutably or offline, not on a USB drive plugged into the same server. The 3-2-1 rule: three copies, on two media, with one offsite. Backups tested with an actual restore at least quarterly. MFA required to administer the backup system. Documentation of the last successful restore test.
Common gaps.
Backups running to a NAS on the same network. "Cloud backup is running" with no verified restore in 18 months. Backup console credentials identical to the domain admin password.
Control 4 of 8 · Preparedness

Written and Tested Incident Response Plan

The question.
Is there a written incident response plan specific to cyber events, tabletop-tested within the last twelve months?
Why it matters.
Underwriters have learned that organizations without an incident response (IR) plan make the breach worse in the first 48 hours: paying ransoms they should not, destroying evidence, missing HIPAA's 60-day notification window, triggering unnecessary disclosures. With 2026 breakout times measured in minutes, the pre-incident decisions (who to call, what to shut down, what to preserve) have to be made now, because they cannot be made in the moment.
Implemented, inside a small practice.
A 5–15 page document specific to the practice: who gets called first, in what order, with what phone numbers; a decision tree for shutting systems down vs. preserving for forensics; breach notification timelines under HIPAA and state law; communications templates for patients, staff, and media. An annual 90-minute tabletop with owner, office manager, and IT vendor. On-file contact information for outside counsel, forensic firm, and carrier.
Common gaps.
No plan at all. A generic 80-page template nobody has read. A 2021 plan still referencing a former office manager and a phone system replaced two years ago.
Control 5 of 8 · Human layer

Email Security and Awareness Training

The question.
Is there advanced email filtering beyond the default Microsoft 365 or Google Workspace settings, and do all staff complete awareness training at least annually with simulated phishing?
Why it matters.
Phishing remains the most common initial access vector for healthcare breaches, accounting for 16% of incidents as of September 2025. KnowBe4's 2024 benchmarking found that 41.9% of healthcare employees failed a baseline simulated-phishing test before training, the highest rate of any major industry sector. AI has made these campaigns both more credible and far cheaper to run: IBM X-Force assembled a working spear-phishing campaign in five minutes and five prompts, a task that took human experts sixteen hours.
Implemented, inside a small practice.
Email filtering beyond native defaults (Proofpoint Essentials, Mimecast, Barracuda, Microsoft Defender for Office 365). External sender warnings enabled. SPF, DKIM, and DMARC configured on the practice domain, with the DMARC policy moved from monitor-only (p=none) to quarantine or reject once the aggregate reports are clean. Annual training completed by every staff member with completion certificates retained. Quarterly simulated phishing with tracked click rates and targeted follow-up.
Common gaps.
Default M365 filtering only. Training done three years ago and never repeated. The owner excused from phishing tests because they are too busy.
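"DMARC, SPF, and DKIM properly configured" is a question an IT vendor will answer yes to; the records themselves tell the real story. The audit below is an added example, not from the original page or any filtering vendor. It parses a domain's SPF, DKIM and DMARC TXT records and flags the settings that leave the domain spoofable, shown against a constructed "before" and "after" pair for a placeholder practice domain (the records, selector name and mailbox address are assumptions; in use they come from TXT lookups of the domain, <selector>._domainkey.<domain> and _dmarc.<domain>).

```python
"""Audit SPF, DKIM and DMARC TXT records for the settings that leave a
domain spoofable.

Added example, not from the original page or any filtering vendor. The
records are constructed so the check runs offline; the domain, selector
and reporting mailbox are placeholders.
"""
from __future__ import annotations

MAX_SPF_LOOKUPS = 10  # RFC 7208 limit; exceeding it is a permanent SPF error

# Constructed: a practice domain before remediation.
WEAK_RECORDS = {
    "spf": ["v=spf1 include:spf.protection.outlook.com include:_spf.google.com +all"],
    "dkim": {"selector1": []},
    "dmarc": ["v=DMARC1; p=none; pct=50"],
}

# Constructed: the same domain after remediation (public key abbreviated).
HARDENED_RECORDS = {
    "spf": ["v=spf1 include:spf.protection.outlook.com -all"],
    "dkim": {"selector1": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"]},
    "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@practice.example; pct=100"],
}


def _tags(record: str) -> dict[str, str]:
    """Parse 'k=v; k=v' tag lists as used by DKIM and DMARC records."""
    out: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def _needs_lookup(term: str) -> bool:
    t = term.lstrip("+-~?").lower()
    return t in ("a", "mx") or t.startswith(
        ("include:", "exists:", "redirect=", "a:", "mx:", "a/", "mx/"))


def check_spf(records: list[str]) -> list[str]:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record; any host can claim to send for the domain"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: multiple records; receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders are treated as neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"SPF: '{all_terms[-1]}' lets any host pass as the domain; end the record with '-all'")
    if sum(1 for t in terms if _needs_lookup(t)) > MAX_SPF_LOOKUPS:
        findings.append("SPF: more than 10 DNS lookups; the record evaluates to permerror")
    return findings


def check_dkim(selectors: dict[str, list[str]]) -> list[str]:
    findings = []
    for selector, records in selectors.items():
        record = next((r for r in records if "p=" in r), None)
        if record is None:
            findings.append(f"DKIM: no key at {selector}._domainkey; outbound mail cannot be verified")
        elif _tags(record).get("p", "") == "":
            findings.append(f"DKIM: {selector} key is revoked (empty p=)")
    return findings


def check_dmarc(records: list[str]) -> list[str]:
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record; receivers have no policy for spoofed mail"]
    tags = _tags(dmarc[0])
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: missing p= tag; record is invalid")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; nobody receives the aggregate reports")
    return findings


def audit(records: dict) -> list[str]:
    """Combined findings for one domain; an empty list means nothing to fix."""
    return check_spf(records["spf"]) + check_dkim(records["dkim"]) + check_dmarc(records["dmarc"])


if __name__ == "__main__":
    for label, recs in (("before", WEAK_RECORDS), ("after", HARDENED_RECORDS)):
        print(f"{label}: {audit(recs) or ['clean']}")
```

The "+all" and "p=none" combination is the common real-world state: the domain publishes records, so the vendor's checkbox is ticked, yet a spoofed invoice from the owner's address is delivered unchallenged. Moving to p=reject only after the rua reports are reviewed avoids dropping legitimate mail from a forgotten third-party sender.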
Control 6 of 8 · Vulnerability management

Timely Patch Management

The question.
Are critical security patches applied within 30 days of release, and is there a process to replace end-of-life software?
Why it matters.
Exploited vulnerabilities are now the most common technical root cause of healthcare ransomware, used in 33% of incidents per Sophos' 2025 report. This is the first time in three years the top cause was not credential theft. Unpatched edge devices (VPN appliances, firewalls, and remote-access gateways) drove the shift: At-Bay recorded a 300% increase in Akira ransomware cases involving a single SonicWall vulnerability in Q3 2025 alone.
Implemented, inside a small practice.
A monthly patch cycle for workstations, servers, and network equipment. An out-of-band process for critical patches (applied within 7–14 days). An inventory of all software with end-of-life (EOL) dates. A plan to replace EOL operating systems before support ends. Windows 10 reached end-of-support on October 14, 2025, so practices still running it in April 2026 are a major underwriting flag. A quarterly vulnerability scan.
Common gaps.
The server that has not rebooted in 18 months because it might not come back up. The lab workstation on Windows 7 because the imaging vendor never certified on 10. The firewall three major firmware versions behind.
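What the underwriter wants from this control is a worklist, not a policy statement: which hosts are outside the patch SLA today, which are on an unsupported operating system, and how far behind the edge devices are. The script below is an added example, not from the original page or any patch-management product. It runs over a constructed inventory (hostnames, patch names and firmware versions are invented), uses the page's 14-day critical and 30-day standard SLAs, and adds one assumption of its own: internet-facing devices are held to the critical SLA regardless of the vendor's severity rating, since those are the hosts the Akira-style campaigns reach first. The Windows 7, Windows 10 and Windows Server 2022 end-of-support dates are Microsoft's published dates.

```python
"""Age every pending security patch against the practice SLA, flag
end-of-life operating systems, and measure firmware lag on edge devices.

Added example, not from the original page or any patch-management tool.
The inventory is constructed; SLA figures are the page's own; holding
internet-facing devices to the critical SLA is an assumption.
"""
from __future__ import annotations

from datetime import date

CRITICAL_SLA_DAYS = 14   # page: critical patches within 7-14 days
STANDARD_SLA_DAYS = 30   # page: security patches within 30 days

# Microsoft's published end-of-support dates; None means still supported.
EOL_DATES = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
    "Windows 11": None,
    "Windows Server 2022": date(2031, 10, 14),
}

# Constructed inventory. 'pending' lists security updates not yet applied.
HOSTS = [
    {"hostname": "FD-RECEPTION1", "os": "Windows 11", "internet_facing": False,
     "pending": [{"name": "cumulative update (constructed)", "severity": "critical",
                  "released": date(2026, 3, 20)}]},
    {"hostname": "PMS-SERVER", "os": "Windows Server 2022", "internet_facing": False,
     "pending": [{"name": "monthly rollup (constructed)", "severity": "important",
                  "released": date(2026, 3, 25)}]},
    {"hostname": "PANO-IMAGING", "os": "Windows 7", "internet_facing": False, "pending": []},
    {"hostname": "EDGE-FW", "os": "firewall firmware", "internet_facing": True,
     "firmware": {"installed": "7.0.1", "current": "10.0.2"},
     "pending": [{"name": "firmware security release (constructed)", "severity": "important",
                  "released": date(2026, 3, 25)}]},
]


def sla_for(patch: dict, internet_facing: bool) -> int:
    """Critical severity or an internet-facing host gets the short SLA."""
    if patch["severity"] == "critical" or internet_facing:
        return CRITICAL_SLA_DAYS
    return STANDARD_SLA_DAYS


def major_versions_behind(installed: str, current: str) -> int:
    """Compare only the major component of dotted version strings."""
    return int(current.split(".")[0]) - int(installed.split(".")[0])


def assess(hosts: list[dict], as_of: date) -> list[tuple[str, str, str]]:
    """Return (host, finding_code, detail) tuples, end-of-life systems first."""
    findings: list[tuple[str, str, str]] = []
    for h in hosts:
        eol = EOL_DATES.get(h["os"])
        if eol is not None and eol <= as_of:
            findings.append((h["hostname"], "EOL_OS",
                             f"{h['os']} unsupported since {eol.isoformat()}"))
        for p in h["pending"]:
            age = (as_of - p["released"]).days
            sla = sla_for(p, h["internet_facing"])
            if age > sla:
                findings.append((h["hostname"], "PATCH_OVERDUE",
                                 f"{p['name']} is {age} days old, SLA {sla}"))
        fw = h.get("firmware")
        if fw:
            lag = major_versions_behind(fw["installed"], fw["current"])
            if lag >= 1:
                findings.append((h["hostname"], "FIRMWARE_LAG",
                                 f"{lag} major versions behind ({fw['installed']} vs {fw['current']})"))
    # Stable sort: EOL systems to the top, everything else keeps inventory order.
    findings.sort(key=lambda f: 0 if f[1] == "EOL_OS" else 1)
    return findings


def sample_worklist() -> list[tuple[str, str, str]]:
    """Assess the constructed inventory as of a fixed date."""
    return assess(HOSTS, date(2026, 4, 15))


if __name__ == "__main__":
    for host, code, detail in sample_worklist():
        print(f"{code:<14} {host:<14} {detail}")
```

The server that is 21 days behind on an "important" rollup is inside the standard SLA and does not appear; the firewall 21 days behind on the same severity does, because it is internet-facing. That distinction is the one the edge-device statistics above are about.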
Control 7 of 8 · Governance & compliance

Written Security Risk Analysis

The question.
Has a Security Risk Analysis (as required by the HIPAA Security Rule) been conducted within the last twelve months, with a written Plan of Action & Milestones addressing identified gaps?
Why it matters.
Risk analysis is the control underwriters use to assess whether the other six are actually being managed. It is also independently required by the HIPAA Security Rule at 45 CFR § 164.308(a)(1)(ii)(A). Enforcement against this requirement has accelerated sharply. The Office for Civil Rights (OCR) Risk Analysis Initiative, launched in October 2024, has produced twelve enforcement actions in eighteen months, with Clearwater reporting inadequate risk analysis involved in approximately 90% of all Security Rule enforcement actions. The MMG Fusion settlement of March 2026, a dental-software business associate (BA) fined $10,000 after exposing roughly 15 million individuals' PHI, demonstrates that OCR does not exempt small organizations; the fine was reduced for financial condition but not waived.
Implemented, inside a small practice.
A 20–40 page written analysis mapping the practice against the Security Rule's administrative, physical, and technical safeguards. A prioritized Plan of Action & Milestones: gaps, remediation actions, owners, target dates. Updated annually and on significant IT changes. Signed by the practice owner or designated Security Officer.
Common gaps.
A four-page checkbox risk analysis from 2019 that the previous IT vendor filled out. No analysis at all. An analysis that identified gaps three years ago and nothing has been done.
Control 8 of 8 · Funds-transfer integrity

Business Associate Oversight and Funds-Transfer Integrity

The question.
Is there a Business Associate (BA) inventory with risk-assessed oversight for every service provider that touches PHI, and a written dual-channel wire-verification procedure enforced on every payroll, vendor, and equipment transfer?
Why it matters.
The Change Healthcare attack of February 2024, which compromised the PHI of 193 million individuals through a single BA, is the reference ceiling for what a vendor compromise costs the sector. The HIPAA Security Rule codifies the oversight obligation at 45 CFR § 164.308(b)(1) and 45 CFR § 164.314(a), but a signed Business Associate Agreement (BAA) on file is not the control carriers credit; what they credit is an inventory that names every BA, a risk tier per BA, and a documented re-assessment cadence. On the funds-transfer half, Coalition's 2026 data puts BEC and funds-transfer fraud at 58% of all cyber claims and FTF alone at 27%; for a small healthcare practice the exposure is not client-wire fraud but procurement fraud — a re-routed payroll deposit, a changed revenue-cycle remittance, a spoofed equipment invoice. A written callback step with a pre-shared verification code closes the dominant outbound-wire loss pattern at effectively zero technology cost.
Implemented, inside a small practice.
A BA inventory listing every service provider touching PHI: EHR, practice-management, medical billing and revenue-cycle, imaging and PACS, e-prescribing, patient portal, secure-messaging, payment processor, IT MSP, and backup provider. A signed BAA with each, with executed date and renewal anchor. A risk tier per BA (MFA, EDR, encryption, incident-notification terms), re-assessed annually and after any reported vendor incident. A written wire-verification procedure: callback to a pre-registered vendor phone number (never to a number from the inbound email), dual approval above a stated threshold, out-of-band confirmation for any same-day instruction. Wire-fraud incidents reported to the carrier within 72 hours.
Common gaps.
A BAA binder from 2019 that does not include the MSP, the billing vendor, or the new patient-portal service because "they told us they were HIPAA-compliant." No BA inventory at all. Wire instructions verified by reply email only. Payroll-deposit changes approved by a single staff member because the email matched the HR contact's style.

Each control above is one plate in the full written risk analysis. In a Tier-1 engagement the eight plates become the body of a 20–40 page document, the findings flow to a Plan of Action and Milestones, and the whole package is signed by the practice owner or designated Security Officer.