Building a Healthcare Security Program from scratch

Ibraheem Nashif

5 min read
Building a Healthcare Security Program from scratch
" Impression Sunrise" by Claude Monet

Why Build From the Ground Up?

What better way to learn than to build something from the ground up?

If a system is not designed to be risk-averse and resilient from inception, it rests on fragile foundations. Systems built reactively, patched, extended, or bolted on over time, inevitably collapse under their own weight. You do not build the foundation of a future mansion using primitive materials.

Much of modern cybersecurity focuses on tooling: building new controls, expanding existing platforms, or layering solutions on top of poorly understood environments. Too often, this happens without first understanding the structure itself, how systems interact, where trust boundaries exist, and why regulatory constraints are in place.

Those constraints exist for a reason.

In the modern economy, data is currency. The companies many people speculate on or entrust their retirement savings to would be functionally helpless without it. But data only retains value when it is handled responsibly. When organizations fail to secure sensitive information through proper controls and governance, they invite regulatory penalties, public backlash, and irreparable loss of trust.

Once an organization is entrusted with personal data, especially sensitive data, it enters a power relationship with its users. That relationship carries responsibility. Security is not optional; it is a duty.

History makes this clear. Legislative fines, breach disclosures, and reputational collapses repeatedly show what happens when security is treated as an afterthought. Risk awareness must be embedded into every layer of an organization, technical, operational, and human.

Why Healthcare?

When I began this project, I deliberately chose healthcare.

Healthcare data is among the most regulated and sensitive information in existence. Under HIPAA, organizations are legally obligated to protect not just data, but the people behind it. Healthcare security is where every concern collides at once:

  • Patient safety
  • PHI confidentiality
  • System uptime
  • Regulatory compliance
  • Third-party and vendor risk

A failure here does not only mean reputational damage or fines; it can mean loss of life.

To explore this fully, I designed a fictional urgent care clinic, MedLine, and built a complete, end-to-end security and risk management program as if I were the internal security analyst preparing the organization for audits, incidents, and real-world attacks.

The system was designed head to toe, including how to respond when things go wrong, while ensuring HIPAA obligations were fully accounted for, documented, and defensible.

The Environment I Modeled

MedLine is a small-to-mid-sized urgent care clinic with:

  • A hybrid EHR environment (cloud EHR with local integration servers)
  • Windows workstations used by clinical and administrative staff
  • Medical and IoT devices (EKGs, vitals monitors, imaging systems)
  • Staff and guest Wi-Fi networks
  • VPN-based remote access
  • Multiple third-party vendors (EHR, billing, labs, imaging, MSPs)

Every system that touched PHI was included. No abstractions. No exclusions.

What I Built

1. Threat Modeling (STRIDE + Attack Paths)

I began by modeling how the clinic could realistically be compromised.

Instead of listing abstract threats, I mapped actual attack paths, including:

  • Phishing → credential theft → VPN → EHR → PHI exfiltration
  • Evil Twin Wi-Fi → session hijacking → EHR access
  • IoT device exploitation → lateral movement → ransomware
  • Vendor breach → API abuse → PHI exposure
  • Insider misuse → privilege escalation → data manipulation

Using STRIDE forced me to think in categories of failure, not just malware. This included spoofing, repudiation, privilege abuse, and trust violations.

Key lesson:
Most breaches are not advanced. They are chains of small failures that compound, and compounding is what leads to collapse.

2. HIPAA-Aligned Risk Assessment

From the threat model, I built a formal risk assessment, including:

  • Asset inventory (PHI, systems, personnel, vendors)
  • Threat and vulnerability registers
  • Qualitative likelihood and impact scoring
  • A finalized risk register with prioritized findings

Five risks emerged as high, including:

  • Phishing exposure with no security training
  • Flat or weakly segmented networks
  • Ransomware risk from outdated systems
  • Backup and recovery failures
  • IoT devices sharing trust boundaries with staff systems

Key lesson:
Risk is not about severity alone. It is about context, including PHI exposure, patient care impact, and operational downtime.

3. Incident Response Program (Not Just a Plan)

Building an incident response program without an incident felt incomplete, like throwing darts without a board. Alongside the incident response program, I also simulated incidents.

The incident response program included:

  • Severity classification (Low to Critical)
  • NIST-aligned incident response lifecycle
  • Defined roles across Security, IT, Compliance, Privacy, Leadership, and Vendors
  • Evidence handling and chain-of-custody procedures
  • HIPAA breach analysis and notification logic
  • Metrics such as MTTD, MTTR, and containment time

Incident simulations produced artifacts including:

  • Detailed timelines
  • MITRE ATT&CK mappings
  • Root-cause analysis
  • Lessons learned

Key lesson:
Incident response is governance under pressure, not just technical cleanup.

4. Vulnerability Management Workflow

Instead of scan and patch, I designed a real vulnerability management lifecycle, including:

  • Asset ownership and PHI classification
  • CVSS scoring adjusted for business context
  • SLA-based remediation timelines
  • Exception and risk acceptance workflows
  • Medical device and FDA constraints
  • Vendor-managed vulnerability handling
  • Executive and compliance reporting

This clarified one thing immediately.

Key lesson:
Security work is mostly coordination, prioritization, and documentation. You are not under attack 24/7, but you must operate as if you could be.

5. Full Security Policy Suite

Finally, I wrote a complete, audit-ready policy suite, including:

  • Acceptable Use
  • Password and Authentication
  • Access Control
  • Incident Response
  • Data Protection and Encryption
  • Vendor Risk Management
  • Backup and Disaster Recovery

Each policy defined purpose, scope, roles, enforcement, and revision control. These are the elements auditors actually review.

Key lesson:
Policies are not bureaucracy. They are how intent becomes enforceable behavior.

What This Project Taught Me

  1. Security Is a Risk Function First
    Tools matter, but risk framing matters more. If leadership cannot understand why something matters, it will not be fixed.
  2. Healthcare Security Is Operational Security
    Downtime, misconfigurations, and rushed workflows can harm patients and reputations, not just data.
  3. Vendors Are Part of Your Attack Surface
    You do not outsource risk. You inherit it.
  4. Documentation Is Power
    Logs, policies, workflows, and evidence are what protect organizations legally and operationally after an incident.
  5. GRC Is Not Soft Security
    It is the layer that aligns technical reality with law, governance, and business survival.

Why I’m Publishing This

I am building toward roles at the intersection of:

  • Cybersecurity
  • Risk management
  • Compliance
  • Insurance and cyber underwriting

This project represents how I think, not just what I know.

If you are a recruiter, auditor, security leader, or underwriter reading this, this is how I approach problems: systemically, end to end, and grounded in risk. Risk is not theoretical. It is an everyday condition, and it must be met head-on, deliberately, and prepared.

GitHub - nashif01/MedLine-GRC-Project: The programs,audits and actual paperwork of my MedLine lab
The programs,audits and actual paperwork of my MedLine lab - nashif01/MedLine-GRC-Project
GitHubnashif01

Read more