Security & compliance

The tools we deploy. How they map to HIPAA. What happens when something goes wrong.

No "security theater." Every tool listed here is deployed, monitored, and documented. Front Range Health IT doesn't sell security controls — we operate them.

Security stack

Four tools. Each one doing a specific job.

We don't claim "comprehensive security" and then describe one product. Here's exactly what's deployed and what each tool is responsible for.

Microsoft Defender for Business
Microsoft · included in M365 Business Premium
Endpoint detection & response

Defender for Business provides next-generation antivirus, behavioral detection, and automated investigation and remediation across all enrolled Windows endpoints. Attack Surface Reduction (ASR) rules block common malware delivery techniques — macro execution from email, Office child process spawning, credential theft from LSASS.

Defender is our first line of detection. It covers the majority of commodity malware and is deeply integrated into the Intune compliance and conditional access stack — a non-compliant device can be automatically blocked from accessing Microsoft 365 resources.

Huntress Managed Detection & Response
Huntress Labs · human SOC analysts
24/7 human SOC monitoring

Huntress provides what Defender alone can't: human analysts in a 24/7 SOC who investigate suspicious activity and escalate with context, not raw alerts. When Defender detects a behavioral anomaly, Huntress analysts determine whether it's a real attack, a false positive, or something in between — and respond accordingly.

Huntress also monitors for persistent footholds (scheduled tasks, registry run keys, services) that attackers leave behind. This persistence hunting is the layer most practices are missing — ransomware operators often establish persistence weeks before detonating.

DNSFilter
DNSFilter · DNS-layer protection
DNS-layer threat blocking

DNSFilter intercepts DNS queries before a connection is established — blocking access to malware distribution sites, phishing domains, command-and-control infrastructure, and inappropriate content before any data is sent or received. It applies to all devices on the network and can be extended to roaming users via a lightweight agent.

For healthcare practices, DNSFilter also enforces acceptable use policies — preventing staff from accessing content that isn't appropriate on a clinical network. Reporting shows which devices queried which domains, providing part of the audit trail HIPAA's technical safeguards require.

Acronis Cyber Protect Cloud
Acronis · cloud backup + ransomware protection
Backup, recovery & ransomware defense

Acronis provides immutable cloud backups — once written, the backup data cannot be modified or deleted, even by ransomware running on the source machine. Backups run on a defined schedule with defined retention, and recovery point objectives (RPO) and recovery time objectives (RTO) are documented for each practice's critical systems.

Acronis also includes active protection that detects and stops ransomware behavior on the endpoint — separate from Defender, providing a second layer of detection specifically tuned for backup-aware ransomware that attempts to delete shadow copies before encrypting files.

HIPAA Security Rule

Technical Safeguards — how the controls map

The HIPAA Security Rule's Technical Safeguards (45 CFR § 164.312) specify required and addressable controls for covered entities. Here's how Front Range Health IT's baseline addresses each one. Note: "HIPAA-aligned" means the controls are deployed and documented — it is not a guarantee of compliance, which depends on your practice's full program, not just your IT vendor.

A note on Business Associate Agreements (BAAs): As a covered entity, your practice is responsible for signing BAAs with any vendor that may access or process PHI on your behalf — including vendors like Microsoft, your EHR provider, and billing software. Front Range Health IT helps practices identify which vendor relationships require a BAA and assists with the process during onboarding. A BAA between your practice and Front Range Health IT is included in the client agreement.

| Safeguard (45 CFR § 164.312) | Control required | Front Range Health IT implementation |
|---|---|---|
| Access Control (a)(1): Unique user identification | Each user has a unique account; shared logins prohibited | M365 Entra ID, Intune: Individual accounts enforced via Entra ID; Intune compliance blocks shared-credential scenarios |
| Access Control (a)(2): Emergency access procedure | Documented procedure for system access in an emergency | Documentation: Break-glass account procedure documented and tested during onboarding |
| Access Control (a)(3): Automatic logoff | Session terminates after defined period of inactivity | Intune, Entra ID: Screen lock and session timeout enforced by Intune device compliance policy |
| Access Control (a)(4): Encryption / decryption | PHI encrypted at rest on endpoint devices | BitLocker: Full-disk encryption with PIN enforced on all Windows devices via Intune |
| Audit Controls (b) | Hardware/software activity logs for systems containing PHI | M365 Audit, Defender, DNSFilter: Unified audit log in M365 compliance center; Defender behavioral logs; DNSFilter query logs |
| Integrity (c)(1): Authentication mechanisms | Verify PHI has not been altered or destroyed | Acronis, Defender: Acronis immutable backups detect alteration; Defender file integrity monitoring |
| Person Authentication (d) | Verify users are who they claim to be before access | MFA, Conditional Access: MFA enforced on all M365 accounts; conditional access blocks non-compliant devices |
| Transmission Security (e) | Guard against unauthorized access to PHI in transit | M365 TLS, DNSFilter: M365 enforces TLS for email and collaboration; DNSFilter blocks unencrypted DNS and known-bad domains |

When something goes wrong

How we respond to a security incident

A response plan isn't optional for healthcare practices. HIPAA requires both a documented response plan and, in many cases, breach notification. Here's the process:

1. Detection

Huntress SOC analysts detect the anomaly and alert Front Range Health IT with context: what system, what behavior, what it looks like. Most incidents are detected and triaged before anyone at the practice is aware of them. Front Range Health IT receives the alert with a recommended action, not a raw log dump.

2. Containment

Affected endpoints are isolated immediately — either automatically by Defender/Huntress or manually by Front Range Health IT. Network isolation prevents lateral movement to other systems. If the practice management server is unaffected, clinical operations can often continue on separate workstations while containment proceeds.

3. Assessment

Front Range Health IT and Huntress determine the scope: which systems were affected, whether PHI was accessed or exfiltrated, what the attack vector was, and whether any persistence mechanisms were installed. This assessment directly informs breach notification decisions.

4. Client notification

Front Range Health IT notifies the practice promptly with clear information: what happened, what we know, what we're doing. If there's any indication that PHI was exposed, we communicate that explicitly — not after legal review. You need accurate information to make the right decisions about HIPAA breach notification to HHS and affected individuals.

5. Recovery

Systems are restored from Acronis immutable backups to a known-good state. Recovery point and recovery time depend on backup schedule and system criticality — both documented during onboarding. Clean systems are verified with Huntress before returning to production.

6. Documentation

A written incident record is produced covering timeline, scope, response actions, and root cause. This documentation is required by HIPAA and is what your practice needs if HHS investigates. The record stays in your possession — it belongs to you, not to Front Range Health IT.

Questions about your current security posture?

A 15-minute call is enough to start assessing where your practice stands on the HIPAA Technical Safeguards. No obligation, no sales pitch.