/ The problem
The practice was running on a single Windows server with all patient records, no off-site backup, a consumer modem-router pretending to be a firewall, and inconsistent multi-factor authentication across staff Microsoft 365 accounts. Their professional indemnity insurance renewal was coming up and the questionnaire had a 'minimum cyber security controls' section they couldn't honestly tick.
/ What we did
- 01 On-site audit on a Wednesday afternoon — full inventory of devices, accounts, backup state, network topology and email security records.
- 02 Rolled out MFA across every Microsoft 365 mailbox and every clinical-software login, on a Saturday so no patient appointments were affected.
- 03 Replaced the consumer modem-router with a WatchGuard Firebox configured with segmented guest Wi-Fi (so patients in the waiting room can't see clinical machines).
- 04 Set up off-site immutable backups of the server to Microsoft Azure Backup, encrypted and with restores tested.
- 05 Configured SPF, DKIM and DMARC on the practice domain to stop spoofed appointment-reminder emails.
- 06 Trained the practice manager in plain English on the new MFA prompts, how to spot a phishing email, and what to do if they suspect a breach.
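To show what step 05 actually checks for, here is an added example (not the practice's or the provider's own tooling) that scores a domain's SPF, DKIM and DMARC records for weak settings. The domain `practice.example`, the selector name `selector1` and the `BEFORE`/`AFTER` record sets are constructed placeholders; in real use the TXT strings would come from a DNS resolver.

```python
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def assess_spf(record):
    """Return weaknesses found in an SPF TXT record ('' means no record)."""
    if not record.startswith("v=spf1"):
        return ["no SPF record"]
    terms = record.split()[1:]
    if not terms:
        return ["SPF record has no mechanisms"]
    findings, last = [], terms[-1]
    if last in ("+all", "all", "?all"):
        findings.append("SPF ends with %s: any server may send as this domain" % last)
    elif last == "~all":
        findings.append("SPF ends with ~all (softfail): spoofed mail is only marked, not rejected")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("SPF has no terminal 'all' mechanism")
    # RFC 7208 caps DNS-querying mechanisms at 10; beyond that SPF evaluation fails.
    lookups = sum(1 for t in terms if re.split(r"[:=]", t)[0].lstrip("+-~?") in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append("SPF needs %d DNS lookups (limit is 10)" % lookups)
    return findings

def assess_dmarc(record):
    """Return weaknesses found in a DMARC TXT record ('' means no record)."""
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings, policy = [], tags.get("p", "")
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail goes to junk instead of being rejected")
    elif policy != "reject":
        findings.append("DMARC policy tag missing or invalid")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("DMARC pct=%s: policy applied to only part of the mail" % pct)
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to reveal spoofing attempts")
    return findings

def assess_domain(domain, txt, selector="selector1"):
    """txt maps DNS names to TXT strings (constructed here; a resolver would supply them)."""
    dkim = txt.get("%s._domainkey.%s" % (selector, domain), "")
    return {"spf": assess_spf(txt.get(domain, "")),
            "dkim": [] if dkim.startswith("v=DKIM1") and "p=" in dkim else ["no DKIM key at " + selector],
            "dmarc": assess_dmarc(txt.get("_dmarc." + domain, ""))}

# Constructed zone snapshots: the typical starting point versus the hardened configuration.
BEFORE = {"practice.example": "v=spf1 include:spf.protection.outlook.com ~all",
          "_dmarc.practice.example": "v=DMARC1; p=none; rua=mailto:dmarc@practice.example"}
AFTER = {"practice.example": "v=spf1 include:spf.protection.outlook.com -all",
         "selector1._domainkey.practice.example": "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY",
         "_dmarc.practice.example": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@practice.example"}

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        print(label, assess_domain("practice.example", zone))
```

An empty findings list on every record is the state a cyber-insurance questionnaire is asking about; the `BEFORE` set shows the common half-done state (softfail SPF, monitor-only DMARC, no DKIM) that still lets spoofed reminders through.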
/ The outcome
| Metric | Before | After |
|---|---|---|
| MFA coverage | 0% | 100% |
| Off-site backup integrity | None | Daily, restore-tested |
| Insurance questionnaire | Couldn't tick | Fully compliant |
| Total downtime | — | 0 weekday hours |
"The renewal questionnaire was the trigger but the peace of mind is the result. Honest, plain English, no upselling."