A security review isn’t something you need to schedule every month. But there are clear signals that your practice has reached a point where going without one is starting to create real risk. This checklist covers the ten most common ones.
Check the boxes that apply to your practice. The more you check, the more overdue a review is.
Sign 01
You’ve never had a formal security review
If no one has ever done a structured review of your tools, access controls, and policies, you have gaps you don’t know about. That’s not a judgment. It’s just where most small practices start. A baseline is the first step to fixing that.
Sign 02
You have no written security policies
Written policies are not just paperwork. They’re what auditors ask for first, what cyber insurers require, and what gives your staff a clear standard to follow. If yours exist only in someone’s head, they don’t count when it matters.
Sign 03
Former staff still have access to accounts or systems
This is one of the most common gaps in small practices. When someone leaves, their accounts often stay active because no one owns the offboarding step. An ex-employee with access to your scheduling system, email, or client records is an open door. Keep a list of every system that holds client data and, for each departure, confirm the person has been removed from all of them, including any shared or vendor accounts whose password they knew.
Sign 04
Your team shares logins or passwords
Shared credentials make it impossible to know who accessed what, when, and why. If something goes wrong, you have no audit trail, and you can't revoke one person's access without resetting everyone's. Most compliance frameworks require a unique login per user and flag shared credentials as a finding.
Sign 05
You use personal email accounts for practice business
Personal email accounts aren’t subject to your practice’s security controls, aren’t covered by business associate agreements, and typically lack the logging and recovery features that compliance requires. If client data is moving through a personal Gmail account, that’s a compliance exposure.
Sign 06
You’re not sure what data your cloud tools can access
Scheduling tools, note-taking apps, AI assistants, and communication platforms often have access to more data than their users realize. If you’ve never reviewed what a tool can see or store, you don’t know what’s being shared with third parties.
Sign 07
You don’t have two-factor login turned on for key accounts
Two-factor authentication (2FA) means a stolen password alone isn't enough to get into your account. It's one of the most effective security controls available, and it's free on most platforms. Prefer an authenticator app or a hardware security key over text-message codes, which can be intercepted or redirected. If your email, practice management system, or cloud storage doesn't have it enabled, that's a priority fix.
Sign 08
A compliance audit is coming up and you don’t feel ready
Audit prep done in a rush almost always reveals things that should have been addressed earlier. Starting your review three to six months before an audit gives you time to close gaps and produce documentation that actually holds up, rather than scrambling to explain why things aren’t in place.
Sign 09
You have cyber insurance but haven’t reviewed what it requires
Most cyber insurance policies include security control requirements. If your practice doesn’t meet them, the insurer can deny a claim even after you’ve paid years of premiums. Knowing what your policy requires, and documenting that you’ve met those requirements, is essential before you need to use it.
Sign 10
Your practice has grown or changed significantly in the last two years
New staff, new tools, new locations, new services. Growth creates gaps. Security needs that were manageable when you were a solo practice can become real vulnerabilities once you add people and systems. If your setup has changed significantly, your security review should have kept pace.
Know where you actually stand.
The free Cyber Health Score takes 5 minutes and gives you a scored breakdown of your practice’s security posture, not a checklist opinion.