Your patients deserve a second opinion. So does your security.

Most small practices rely entirely on their MSP for security — and an MSP can't objectively audit its own work. That's not a knock on IT vendors. It's just how conflicts work.

I help small-to-medium healthcare practices in Northern and Central Indiana get a clear, honest picture of their HIPAA security posture — from someone who isn't trying to sell them anything and isn't the same person who set everything up.

3 Key Problems We Solve

01. Independent risk analysis so your MSP isn't grading its own homework.

02. Verify your protections are real — not just 'we have it' — with simple proof and spot-checks.

03. A decision-ready roadmap so leadership can prioritize fixes, budgets, and accountability — and explain their decisions if OCR ever knocks.

"I'm trusting my MSP — but I don't actually know if we're compliant." Healthcare practice owners rely fully on their IT vendor but have no independent way to verify that HIPAA safeguards are actually in place and working.

"If we get breached, my name is on the door." Small practice owners carry real reputational and financial exposure from a breach or OCR inquiry — yet many have never had a formal risk analysis done.

"We've grown, but nobody ever went back and checked." Practices that have added providers, locations, or systems often have security gaps that were never formally reviewed. The controls didn't keep pace with the practice.

Here's how I'd describe what most small practices are actually dealing with — in plain terms:

"Here's the problem: most IT providers aren't lying to you — they genuinely believe what they're telling you. But a lot of what passes for 'security' in small practices is the IT equivalent of shooting the side of a barn and drawing circles around the hole and calling it a bullseye. They do what they do, slap a label on it, and call it good. Nobody's checked whether any of it lines up with what HIPAA actually requires — or what a real attacker would actually try.

That's not security. That's just a good-looking hole in the barn."

— Tom Polk, CISSP | CCSP | HCISPP | Principal, Northline Advisors

My role is to bring 30+ years of real-world healthcare IT and security leadership alongside you — so you can move forward with clarity, not guesswork. No vendor agenda. No tools to sell. Just an honest picture of where you stand.

Areas of Expertise

HIPAA Security Risk Analysis

Independent, OCR-defensible risk analysis that identifies where ePHI lives and how it could be exposed — delivered as a ranked risk register and a clear 90-day remediation plan.

MSP / Vendor Oversight

Independent review of your IT vendor relationships, contracts, and practices — so you know if the people you're trusting are actually protecting you.

Security Governance

Practical governance programs: policies, evidence binders, ownership assignments, and metrics dashboards that small practices can actually manage.

Incident Readiness

Tabletop exercises, incident response planning, and hands-on coordination support — so the first time you respond to a threat isn't the real thing.

vCISO / Ongoing Advisory

Steady, monthly security oversight for practices that need progress, not a one-time report. Independent leadership that complements your MSP.

Workforce Security Training

Customized HIPAA security awareness sessions tailored to how your practice actually operates — covering phishing, device handling, and breach reporting.

© 2026 Northline Advisors. LL