Skip to content
Cyber Replay logo CYBERREPLAY.COM
Book a Call
Back to all articles
Security Operations 11 min read Published Apr 1, 2026 Updated Apr 1, 2026

Identity and MFA Hardening Audit Worksheet Nursing Home Directors CEO Owners Very

Practical 12-point identity and MFA audit worksheet for nursing home directors, CEOs, and owners - run in 2 hours to reduce breach risk and speed recovery.

By CyberReplay Security Team

TL;DR: Run this 12-point identity and MFA hardening audit with your IT lead in one 2-hour session. You will identify the top exposure points, enforce phishing-resistant MFA for critical accounts, and reduce credential-based compromise risk by 60% - 80% while cutting investigation time by up to 50%.

Table of contents

Quick answer

This audit worksheet helps nursing home leadership find and fix the highest-impact identity and multifactor authentication gaps across staff, admin, service accounts, and remote access. Use it to prioritize fixes you can implement in days - for example, enabling conditional access and phishing-resistant MFA for privileged accounts within 24-72 hours. Outcome targets: 100% privileged MFA coverage, legacy authentication blocked where not required, and centralized logging for 90-day forensic retention.

Why this matters now

Credential theft is a leading cause of healthcare breaches. For nursing homes the business impacts include regulatory fines, operational downtime, resident care disruption, and reputational harm. Typical small organization timelines show mean time to detect of 30-90 days without monitoring - identity hardening plus continuous detection shortens that to days.

Quantified stakes:

  • A single compromised admin credential can increase lateral compromise probability by up to 10x in an environment without privileged separation.
  • Enforcing MFA for remote and privileged accounts can reduce credential-based compromises by 60% or more per industry guidance.
  • Centralized logs and EDR reduce investigation time by 30% - 50%, returning staff to care duties sooner.

This worksheet is written for decision makers who need a repeatable, auditable, and measurable process to harden identity fast.

Who should run this and who it is for

This guide is for nursing home directors, CEOs, owners, and their IT or MSP leads. Run with these participants in a 2-hour session:

  • CEO/Owner - decision authority
  • IT manager or MSP lead - performs exports and remediation
  • Compliance/privacy officer - documents regulatory implications
  • Optional: MSSP/MDR contact - validates logging and monitoring choices

This is not a replacement for a full penetration test or compliance audit. It is a practical operational worksheet to close the highest-risk gaps quickly and justify managed services where necessary.

Definitions and scope

  • Identity hardening - actions that make user and service accounts harder to compromise, including least privilege, account inventory, and credential rotation.
  • MFA - multifactor authentication requiring two distinct verification factors. For admin accounts prefer phishing-resistant options such as FIDO2 security keys or hardware tokens.
  • Privileged accounts - accounts with domain, server, EHR admin, or cloud console privileges.
  • Service accounts - non-human accounts used by applications and system integrations.
  • Scope - Active Directory / Azure AD, email (Microsoft 365), VPN/remote access, EHR portals, privileged consoles, and service accounts.

How to run the 2-hour audit session

  1. Schedule a 2-hour meeting and share this worksheet in advance. Assign a note-taker.
  2. For each of the 12 checks below mark: Pass / Fail / Partial. Assign an owner and a target remediation date.
  3. Prioritize by business impact: Priority 1 within 7 days, Priority 2 within 30 days, Priority 3 within 90 days.
  4. After the session decide: remediate in-house or engage an MSSP/MDR for rapid remediation and continuous monitoring. See managed options at https://cyberreplay.com/managed-security-service-provider/ and run a free baseline score at https://cyberreplay.com/scorecard/.

12-point audit worksheet - checks and remediation steps

For each item record current state, immediate fix, and verification method. Use Pass / Fail / Partial.

  1. Inventory - authoritative user and service account list
  • What to check: export users from AD/Azure AD, cloud console accounts, and a list of service accounts used by EHR and integrations.
  • Quick fix: export CSVs and reconcile duplicates.
# Azure AD export
Connect-AzureAD
Get-AzureADUser -All $true | Select DisplayName,UserPrincipalName,AccountEnabled | Export-Csv -Path ./azuread-users.csv -NoTypeInformation

# On-prem AD export
Import-Module ActiveDirectory
Get-ADUser -Filter * -Properties Enabled,LastLogonDate | Select Name,SamAccountName,Enabled,LastLogonDate | Export-Csv -Path ./ad-users.csv -NoTypeInformation
  • Verification: reconciliation report. Outcome: aim for 100% inventory coverage.
  1. MFA coverage for privileged accounts
  • Check: privileged group membership (Domain Admins, Global Admins) and MFA enforcement status.
  • Standard: phishing-resistant MFA (FIDO2 or hardware tokens) for admins; app-based TOTP acceptable for staff.
  • Quick fix: enable conditional access to require MFA for admin roles and block legacy auth.
  • Verification: test admin sign-ins. Outcome: 100% privileged accounts with phishing-resistant MFA.
  • Sources: NIST SP 800-63B and CISA guidance.
  1. Legacy authentication
  • Check: sign-in logs for IMAP, POP, SMTP AUTH usage.
  • Quick fix: disable basic authentication in cloud email unless required for a legacy device. Migrate to modern auth.
  • Outcome: reduce credential-stuffing surface by up to 40%.
  1. Privileged access separation
  • Check: are admins using daily accounts for email/browsing?
  • Quick fix: create named admin accounts for admin tasks and separate everyday user accounts.
  • Verification: spot-check recent logins for admin accounts. Outcome: fewer full-domain compromises.
  1. Service account credentials
  • Check: list service accounts and authentication method. Identify non-expiring passwords.
  • Quick fix: transition to managed identities (Azure Managed Identity) or rotate and set expirations.
  • Verification: no non-expiring service passwords. Outcome: lower lateral movement risk.
  1. Remote access and VPN MFA
  • Check: VPN and RDP gating - require MFA and block direct RDP exposure.
  • Quick fix: require MFA for VPN and enforce device posture checks where possible.
  • Outcome: successful remote attacks drop by >70% when combined with device checks.
  1. Conditional access and risk policies
  • Check: conditional rules for location, device compliance, and risk-based sign-in control.
  • Quick fix: block sign-ins from high-risk countries unless explicitly needed; require MFA for new or unmanaged devices.
  • Verification: simulated unmanaged sign-ins to confirm enforcement.
  1. Account recovery and break-glass
  • Check: documented emergency access plans and sealed break-glass accounts.
  • Quick fix: create a tested playbook, store credentials offline, and rotate recovery keys quarterly.
  • Outcome: reduce time to recover admin control from days to hours in an incident.
  1. Password hygiene and least privilege
  • Check: password policy settings, group memberships.
  • Quick fix: enforce passphrases/passkeys where supported, remove unnecessary privileged membership.
  • Verification: audit report on group membership changes.
  1. Logging and monitoring
  • Check: are sign-ins, MFA events, and admin actions centrally logged to SIEM or MSSP? Retention at least 90 days.
  • Quick fix: enable unified auditing in Microsoft 365 and forward logs to MSSP or cloud SIEM.
  • Outcome: centralized logs reduce investigation time by 30% - 50%.
  1. Endpoint posture
  • Check: EDR on critical endpoints, OS patching, disk encryption.
  • Quick fix: enroll endpoints in EDR, enforce patching policies, and require device compliance for access.
  • Verification: device inventory and compliance dashboard.
  1. Training and phishing simulation
  • Check: training records and phishing simulation results.
  • Quick fix: run phishing simulation focused on credentials and MFA workflows; remediate high-risk users.
  • Outcome: aim for <5% credential submission rate on phishing tests.

When this matters - risk scenarios and triggers

Run this worksheet immediately when any of the following occur:

  • New MSP or IT vendor onboarding.
  • Major EHR upgrade or cloud migration.
  • Suspicious sign-in spike or unrecognized admin activity.
  • Regulatory audit notice or ransomware alert in the sector.

Scenario triggers map to action timelines:

  • Immediate Priority 1: exposed admin account or missing admin MFA - remediate within 7 days.
  • Near-term Priority 2: broad MFA gaps across staff - remediate within 30 days with phased rollout.
  • Planning Priority 3: policy tuning, documentation, and staff training - 30-90 days.

Common mistakes to avoid

  • Mistake: Turning on MFA without inventorying service accounts. Fix: do inventory first, then plan exceptions with rotation controls.
  • Mistake: Relying on SMS for admin MFA. Fix: use app-based or hardware tokens for privileged accounts and plan SMS phase-out.
  • Mistake: Enforcing MFA without helpdesk capacity. Fix: schedule rollouts, provide grace periods, and set staff support SLAs.
  • Mistake: Storing break-glass credentials in email. Fix: use sealed offline storage and documented access logs.

Examples and measurable outcomes

Example 1 - Cloud-first nursing home with no admin MFA

  • Baseline: 3 admin accounts, 40 staff accounts, 12 high-risk accounts without MFA.
  • Actions: enable MFA for admin and payroll accounts within 48 hours, block legacy auth, centralize logs.
  • 30-day outcome: privileged MFA 100%, legacy auth blocked, suspicious sign-in alerts reduced by 75%. Investigation SLA improved from 72 hours to <24 hours.

Example 2 - Nursing home with monitoring but no conditional access

  • Baseline: MSSP receives alerts but no policies to block risky sign-ins.
  • Actions: implement conditional access for device compliance and require MFA for external access.
  • Outcome: MSSP alerts for risky sign-ins dropped by 65% and triage SLAs improved 2x.

Proof elements and implementation specifics

  • Commands and exports: include the PowerShell snippets above for inventory exports.
  • Verification steps: test admin login flow, simulate unmanaged device sign-in, and validate log forwarding.
  • Measured KPIs: privileged MFA coverage, legacy auth blocked percentage, suspicious sign-in counts, mean time to detect, and mean time to contain.

Sample acceptance criteria after remediation:

  • 100% of users in privileged groups require phishing-resistant MFA.
  • Legacy authentication reduced to <1% of sign-ins or disabled.
  • 90-day centralized audit log retention for sign-ins and admin actions.
  • EDR present on 100% of clinical workstations and servers.

Objection handling - straight answers to common pushback

Objection: “MFA is too hard for older staff.”

  • Answer: Choose low-friction methods such as push notifications and long-term FIDO2 keys for frequent users. Run small pilots and provide a 1-week support window. Prioritize high-risk accounts first.

Objection: “We cannot control personal devices.”

  • Answer: Use conditional access to require MFA for unmanaged devices while blocking access to critical systems from those devices. Provide a limited pool of managed devices for users who need higher privileges.

Objection: “We cannot afford an MSSP or MDR.”

  • Answer: Implement quick wins first - admin MFA, legacy auth blocks, and log forwarding. For continuous monitoring, compare MSSP cost to breach and downtime exposure; many providers offer fixed-price pilots. Learn more about managed services at https://cyberreplay.com/cybersecurity-services/.

FAQ

How quickly can we enable MFA for critical admin accounts?

You can enable conditional access for admin accounts in 24-72 hours with vendor support and properly staged testing.

Will MFA lock out staff from EHR systems?

Planned rollouts with grace periods and helpdesk support prevent lockouts. Confirm EHR vendor compatibility before enforcement and run pilot groups.

How often should we run this worksheet?

Quarterly and after major IT changes such as MSP switches, EHR upgrades, or cloud migrations.

Can we use SMS-based MFA temporarily?

Do not use SMS for admin or high-risk accounts. SMS is acceptable as a temporary measure for low-risk users only while migrating to app-based or hardware MFA within 90 days.

What logs and retention timeline do we need for investigations?

Aim for at least 90 days of sign-in and audit logs for initial investigations. For regulatory or complex incidents keep 12 months for critical systems when feasible.

Get your free security assessment

If you want practical outcomes without trial-and-error, schedule your assessment and we will map your top risks, quickest wins, and a 30-day execution plan.

Next step - recommended action for nursing homes

Run this worksheet now with your IT lead and produce a remediation plan with owners and dates. If you cannot complete Priority 1 items in-house within 7 days, engage a managed security provider for focused remediation and 24x7 detection.

Two low-friction next actions:

A typical MSSP/MDR engagement can enforce admin MFA in 24-72 hours, deploy conditional access and centralized logging in 3-10 days, and deliver a monitored detection capability with incident response playbooks within 30 days. That staged approach reduces compromise risk quickly while delivering measurable SLAs for detection and response.

References