The First 10 Controls I Look At When Assessing a Healthcare Startup

    When I start with a healthcare startup, I don't open with frameworks. I open with the same short list of controls — because they tell me almost everything about how seriously a company takes security before anyone says a word.

    Here's roughly what I look at first, and what each one actually reveals:

    • Identity and access management — who can touch what, and can you prove it? Sprawling, undocumented access is usually the first crack.
    • Multi-factor authentication — everywhere, not just on email. The gaps always live in the systems people forget about.
    • Logging and monitoring — if something went wrong at 2am, would you ever know? No logs, no story to tell an auditor or an incident responder.
    • Vulnerability management — do you find your weaknesses before someone else does? Scanning is easy. Fixing on a cadence is the real tell.
    • Vendor and third-party risk — your controls don't stop at your own walls. Your riskiest vendor just became your risk.
    • Incident response — not "do you have a plan," but "has anyone read it since it was written?" A plan nobody rehearses is a document, not a capability.
    • Risk assessments — can you name your top risks and what you're doing about each one? If risk lives only in someone's head, it isn't being managed.
    • Encryption — at rest and in transit, especially anywhere PHI lives. Table stakes in healthcare, and still frequently half-done.
    • Change management — how does code reach production, and who signs off? "We just push it" is an answer that tells me a lot.
    • Security awareness — does the team understand why any of this matters? Culture is a control, even if no framework lists it that way.

    Almost none of this requires a big budget. What it requires is intention — and I can usually tell within the first hour whether a company has it.

    Working toward your first enterprise audit?

    Tell us where you are and what you're building — we'll respond with a clear plan.

    Get a tailored roadmap