IAM & Identity Management

Full IAM Overhaul: Multi-Location Medical Group

How garrisonOne helped a multi-location medical group eliminate shared EHR credentials, unify identity across three sites, and pass a HIPAA access control audit in 8 weeks.

3 locations unified
100% HIPAA audit passed
Zero shared EHR logins
8 weeks to full deployment
Client overview
Industry: Healthcare / Medical Practice
Staff: 62 staff across 3 locations
Locations: Pacific Northwest, USA
Service: HIPAA IAM & EHR Access Control
Engagement: 8-week phased rollout
The challenge

Three clinics, zero unified access controls, and a HIPAA audit approaching

A growing medical group with three clinic locations had never unified its identity infrastructure. Each location ran its own local accounts, staff shared EHR credentials for convenience, and there was no central visibility into who could access patient records. Because the HIPAA Security Rule requires unique user identification for systems holding ePHI (45 CFR 164.312(a)(2)(i)) and audit controls that record activity in those systems (45 CFR 164.312(b)), shared logins and missing access logs were not just an accountability gap but a direct compliance exposure.

Shared EHR credentials: clinical staff sharing logins, so no individual accountability
No MFA enforced: zero multi-factor auth on EHR, email, or remote access
3 disconnected AD environments: no central management across the three clinic sites
Former staff still active: ex-employees and contractors retained full EHR access
HIPAA audit approaching: access logs incomplete and controls undocumented
Over-privileged admin access: administrative staff had the same EHR access level as physicians
What we did

A phased 8-week HIPAA IAM deployment

Scoped around the practice's clinical schedule: no system downtime, no disruption to patient care.

1. Weeks 1 to 2: Access Audit
Full inventory of all user accounts, EHR roles, shared credentials, and inactive accounts across all three locations.
2. Weeks 3 to 4: Directory Unification
Consolidated three AD environments into Microsoft Entra ID with role-based groups aligned to clinical job functions.
3. Weeks 5 to 6: MFA & SSO Rollout
Deployed MFA on EHR, email, and remote access. Configured SSO to reduce login friction for clinical staff.
4. Weeks 7 to 8: HIPAA Documentation
Produced access control policies, audit log procedures, and role documentation ready for HIPAA review.
Individual accounts for all 62 staff: shared credentials eliminated
EHR role-based access mapped to clinical vs. administrative functions
MFA enforced across EHR, email, and VPN at all three sites
17 inactive accounts deprovisioned before HIPAA audit
SSO configured: staff log in once for all approved clinical apps
Access control policy and audit log procedures handed to practice administrator
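The week 1 to 2 access audit above is the step that surfaces the three findings the rest of the engagement fixes (ghost accounts, shared logins, and administrative staff holding clinical EHR roles). The script below is an added illustration of that audit logic, not garrisonOne's tooling: it runs three checks over a constructed user export and a constructed EHR sign-in log (all names, workstations, timestamps, role names and the 90-day stale threshold are assumptions for the example). The shared-credential check is a heuristic, flagging any account that signs in from two or more distinct workstations within a short window; a practitioner would confirm each hit with staff before deprovisioning.

```python
"""Access-audit checks of the kind run in weeks 1-2 (added example, not the
engagement's tooling).  Inputs are constructed records in the shape of an
identity-directory user export plus an EHR sign-in log."""
from collections import defaultdict
from datetime import datetime, timedelta

AS_OF = datetime(2024, 6, 1)                 # assumed audit date
STALE_DAYS = 90                              # assumed inactivity threshold
SHARE_WINDOW = timedelta(minutes=10)         # assumed window for the shared-login heuristic
CLINICAL_EHR_ROLES = {"Physician", "Nurse"}  # assumed EHR role names
ADMIN_JOB_FUNCTIONS = {"Front Desk", "Billing"}

# Constructed user export: every row is an enabled directory account; "status"
# is what HR says about the person.  last_signin None = never signed in.
USERS = [
    {"upn": "dr.lee@clinic.example", "job": "Physician", "ehr_role": "Physician",
     "status": "active", "last_signin": "2024-05-31T08:02:00"},
    {"upn": "nurse.kim@clinic.example", "job": "Nurse", "ehr_role": "Nurse",
     "status": "active", "last_signin": "2024-05-30T07:15:00"},
    {"upn": "frontdesk.east@clinic.example", "job": "Front Desk", "ehr_role": "Physician",
     "status": "active", "last_signin": "2024-05-31T07:58:00"},
    {"upn": "j.contractor@clinic.example", "job": "Contractor", "ehr_role": "Nurse",
     "status": "terminated", "last_signin": "2024-01-12T16:40:00"},
    {"upn": "old.admin@clinic.example", "job": "Billing", "ehr_role": "Billing",
     "status": "active", "last_signin": "2024-02-01T09:00:00"},
    {"upn": "never@clinic.example", "job": "Nurse", "ehr_role": "Nurse",
     "status": "active", "last_signin": None},
]

# Constructed EHR sign-in log: (user, ISO timestamp, workstation).
SIGNINS = [
    ("frontdesk.east@clinic.example", "2024-05-31T07:50:00", "WS-EAST-01"),
    ("frontdesk.east@clinic.example", "2024-05-31T07:53:00", "WS-EAST-04"),
    ("frontdesk.east@clinic.example", "2024-05-31T07:58:00", "WS-EAST-02"),
    ("dr.lee@clinic.example", "2024-05-31T08:02:00", "WS-EAST-07"),
    ("dr.lee@clinic.example", "2024-05-31T13:30:00", "WS-EAST-07"),
    ("nurse.kim@clinic.example", "2024-05-30T07:15:00", "WS-WEST-02"),
]


def stale_accounts(users, as_of=AS_OF, stale_days=STALE_DAYS):
    """Ghost accounts: HR says the person is gone, or no sign-in within stale_days."""
    cutoff = as_of - timedelta(days=stale_days)
    findings = []
    for u in users:
        last = datetime.fromisoformat(u["last_signin"]) if u["last_signin"] else None
        if u["status"] != "active":
            findings.append((u["upn"], "account enabled but HR status is " + u["status"]))
        elif last is None or last < cutoff:
            findings.append((u["upn"], "no sign-in since " + (u["last_signin"] or "never")))
    return findings


def likely_shared_credentials(signins, window=SHARE_WINDOW):
    """Heuristic: one account active on >= 2 distinct workstations within `window`."""
    by_user = defaultdict(list)
    for upn, ts, workstation in signins:
        by_user[upn].append((datetime.fromisoformat(ts), workstation))
    flagged = {}
    for upn, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # every event from i onward that falls inside the window
            stations = {ws for t, ws in events[i:] if t - t0 <= window}
            if len(stations) >= 2:
                flagged[upn] = sorted(stations)
                break
    return flagged


def role_mismatches(users):
    """Administrative job function holding a clinical EHR role (over-privilege)."""
    return [(u["upn"], u["job"], u["ehr_role"]) for u in users
            if u["job"] in ADMIN_JOB_FUNCTIONS and u["ehr_role"] in CLINICAL_EHR_ROLES]


def run_audit(users=USERS, signins=SIGNINS):
    return {
        "stale": stale_accounts(users),
        "shared": likely_shared_credentials(signins),
        "mismatch": role_mismatches(users),
    }


if __name__ == "__main__":
    for name, result in run_audit().items():
        print(f"== {name} ==")
        for item in (result.items() if isinstance(result, dict) else result):
            print("  ", item)
```

On the constructed data the audit returns three stale accounts (a terminated contractor still enabled, a billing account unused since February, and one that never signed in), one account flagged as likely shared (the front-desk login seen on three workstations in eight minutes), and one role mismatch (that same front-desk account holding a Physician EHR role). Each finding maps to one of the remediation items listed above.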
Outcomes

Results that went beyond the audit

The practice entered its HIPAA audit cycle with documented controls in place for the first time.

Passed: HIPAA access control audit
Access controls fully documented; no findings related to identity or access during the review.
Zero: shared EHR logins remaining
Every clinician and administrative staff member has an individually authenticated account.
17: ghost accounts removed
Former staff and contractors fully deprovisioned; access exposure closed before the audit.
100%: MFA coverage on clinical systems
Multi-factor auth enforced across EHR, email, and remote access at all three sites.
1: unified identity platform
A single Entra ID tenant manages access for all 3 locations, giving one place to provision and deprovision.
1 login: SSO reduces login burden
Clinical staff authenticate once and access all approved systems, with no password fatigue.

Need HIPAA-aligned access control for your practice?

We build IAM programs sized for healthcare organizations: from single-site practices to regional groups. Typically deployed in 6 to 10 weeks.

View IAM Services

Ready to Strengthen Your Cybersecurity Posture?

Get a free 30-minute consultation with a GarrisonOne expert.

Get a Free Consultation

No obligation: just clarity on your next step.

garrisonone.com