
May 14

Your New Front Desk Hire Could Be Your Biggest HIPAA Liability (Here’s The Fix)

It's a Monday morning at a busy outpatient imaging center in Houston. The MRI schedule is packed, the PACS system is humming, and the newest member of the front desk team is settling into her second day.

She's still learning the patient intake software. She hasn't memorized the names of referring physicians yet. She isn't entirely sure who handles billing disputes versus who handles insurance authorizations. But she's sharp, she's eager, and she wants to prove she belongs.

Then an email lands in her inbox. It looks like it's from the practice manager. The subject line reads "urgent: patient records request." The message asks her to click a link to verify access to the EHR system. The tone is polite, direct, and specific enough to feel real.

She clicks.

In that moment, nothing visibly changes. No alarms. No pop-ups. But a set of credentials is now in someone else's hands, and a pathway into your practice's protected health information (PHI) has been opened from the inside.

Here's what makes this scenario unsettling: she did exactly what a good employee would do. She responded to what appeared to be a legitimate request from a person in authority, quickly and without pushback, during a week when she had no frame of reference for what "normal" looked like.

New hires don't fail because they're careless. They fail because they're uninformed.

Every outpatient practice, whether it's a diagnostic imaging center, a cardiac testing lab, or a specimen collection site, cycles through new staff regularly. Techs rotate. Front desk coordinators turn over. Per diem employees come and go.

Each time a new person walks through the door, there's a window where they're especially vulnerable. They don't know your internal communication patterns. They don't know that your practice manager never emails requests for EHR access. They don't recognize the subtle signs that a message didn't actually originate from your organization.

Attackers understand this window well. Research from the Keepnet Labs 2025 New Hires Phishing Susceptibility Report found that CEO impersonation emails succeed at significantly higher rates with recently hired employees compared to experienced staff. In healthcare, where access to patient data is immediate and compliance requirements are strict, that vulnerability is amplified.


This isn’t a hypothetical risk for Houston practices. The HHS Office for Civil Rights has proposed updates to the HIPAA Security Rule that would strengthen requirements around workforce training, access controls, and risk analysis. For outpatient diagnostic providers already managing tight margins and high patient volumes, the regulatory environment is only getting more demanding.

The real problem isn’t the phishing email. It’s the first day.

Think about how onboarding actually works at most small to midsize healthcare practices.

The new hire arrives. Their badge is ready, but their EHR credentials aren’t fully configured yet. Someone offers to let them shadow on a shared login “just for today.” They save a patient form to the desktop because the network drive hasn’t been mapped to their workstation. They use their personal phone to look up a referring physician’s fax number because nobody has shown them where the directory lives.


None of these moments feel risky at the time. They feel like problem-solving. Resourcefulness. Getting through a hectic first day without slowing anyone down.

But each one creates a crack. A shared login means an untracked access point for PHI. A file saved locally sits outside your backup and encryption protocols. A personal device touching practice data introduces a variable your security tools can’t monitor. And when nobody walks the new hire through your practice’s communication norms, that phishing email gets the benefit of the doubt.

The HIPAA Security Rule requires covered entities to implement security awareness training for all workforce members. But that requirement isn’t satisfied by a binder on day three or a video link emailed during week two. It’s satisfied by a system that ensures every person with access to your environment understands the basics before they touch patient data.

What structured onboarding actually looks like for a diagnostic practice

Closing this gap doesn't require an elaborate training program or a full day pulled away from clinical operations. It requires three things to be in place before the new employee's first patient interaction.

1. Access is provisioned, not improvised.

The employee's workstation is configured. Their EHR credentials are created with role-appropriate permissions. Their email account is active, with multi-factor authentication enabled. There is no need to borrow someone's login, no reason to work around a system that isn't ready. This step alone eliminates a surprising number of the security gaps that develop during a chaotic first week.

For practices running PACS, RIS, or other diagnostic imaging platforms alongside their EHR, this also means verifying that each system's access controls are correctly scoped. A new front desk coordinator shouldn't have the same permissions as a radiologist, and temporary workarounds have a way of becoming permanent if nobody revisits them.
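The provisioning step above is easy to state and easy to skip under pressure, so it helps to make it a gate that has to pass before the account is activated. The following Python script is an added example, not ECS's code or any EHR or PACS vendor's permission model: the system names, role names and permission strings are constructed for illustration. It checks the conditions the section lists (workstation ready, an account on every required system, a role that matches the job, MFA enrolled, no shared login) and also catches the "same permissions as a radiologist" case by flagging clinical-only permissions on a non-clinical account.

```python
"""Provisioning gate for a new hire's accounts (constructed example).

Models the 'access is provisioned, not improvised' step: every system the
hire touches gets a role scoped to the job, MFA must be enrolled before the
account goes live, and nobody is ever handed a shared login.  System names,
role names and permission strings below are assumptions for the example.
"""
from dataclasses import dataclass, field

# Per-system role -> permission set (constructed; least privilege by role).
ROLE_PERMISSIONS = {
    "ehr": {
        "front_desk": {"demographics:read", "demographics:write",
                       "schedule:read", "schedule:write"},
        "radiologist": {"demographics:read", "schedule:read",
                        "studies:read", "reports:write", "reports:sign"},
    },
    "pacs": {
        "front_desk": {"worklist:read"},
        "radiologist": {"worklist:read", "images:read", "images:annotate"},
    },
}

# Permissions only clinical roles may hold.  A non-clinical account that
# ends up with any of these is exactly the over-scoping the text warns about.
CLINICAL_ONLY = {"studies:read", "images:read", "images:annotate",
                 "reports:write", "reports:sign"}


@dataclass
class Account:
    system: str
    username: str
    role: str
    mfa_enrolled: bool = False
    shared: bool = False  # True for generic logins such as "frontdesk1"


@dataclass
class NewHire:
    name: str
    job: str  # the role the person was hired for, e.g. "front_desk"
    workstation_configured: bool
    accounts: list = field(default_factory=list)


def effective_permissions(acct: Account) -> set:
    """Permissions the account actually holds under its assigned role."""
    return ROLE_PERMISSIONS.get(acct.system, {}).get(acct.role, set())


def provisioning_findings(hire: NewHire, required_systems=("ehr", "pacs")) -> list:
    """Return human-readable blockers; an empty list means cleared to start."""
    findings = []
    if not hire.workstation_configured:
        findings.append("workstation not configured")
    present = {a.system for a in hire.accounts}
    for system in required_systems:
        if system not in present:
            findings.append(f"{system}: no account provisioned (invites a borrowed login)")
    for a in hire.accounts:
        if a.shared:
            findings.append(f"{a.system}: '{a.username}' is a shared login; PHI access untracked")
        if not a.mfa_enrolled:
            findings.append(f"{a.system}: MFA not enrolled for '{a.username}'")
        if a.role != hire.job:
            findings.append(f"{a.system}: role '{a.role}' does not match job '{hire.job}'")
        over = effective_permissions(a) & CLINICAL_ONLY
        if hire.job != "radiologist" and over:
            findings.append(f"{a.system}: non-clinical account holds {sorted(over)}")
    return findings


def cleared_to_start(hire: NewHire) -> bool:
    """True only when no blocker remains; the account should stay inactive otherwise."""
    return not provisioning_findings(hire)


if __name__ == "__main__":
    # Constructed 'day one' scenario: shadowing on a shared EHR login, no PACS account yet.
    improvised = NewHire("A. Coordinator", "front_desk", workstation_configured=False,
                         accounts=[Account("ehr", "frontdesk1", "front_desk", shared=True)])
    for line in provisioning_findings(improvised):
        print("BLOCK:", line)
    print("cleared:", cleared_to_start(improvised))
```

The role-versus-job check and the clinical-only permission check are deliberately separate: the first catches a role that was picked wrong, the second catches a "temporary" role that happens to grant more than the job needs, which is the kind of workaround that becomes permanent when nobody revisits it.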

2. Communication norms are explained in 10 minutes, not assumed over 10 weeks.

This doesn't need to be a lecture. It's a short, specific conversation: here's how our practice manager communicates internally. Here's how IT requests come through. Here's what a legitimate EHR access prompt looks like compared to a phishing attempt. If you receive a message that feels unusual, here's what to do and who to ask.

This kind of orientation gives the new hire a baseline. Without it, every internal email is equally plausible, and every request from an authority figure feels like something that should be obeyed without question.

3. There's a clear, safe path for asking questions.

The employee who clicked that phishing link might have paused if she'd known who to call. Most first-week mistakes happen silently because new hires don't want to seem inexperienced. In a healthcare environment where everyone is focused on patient throughput, asking "Is this email real?" can feel like an interruption.

Give new staff a specific person to reach out to with IT or security questions. Make it clear that asking is expected, not a sign of incompetence. Practices that build this into their onboarding culture catch problems early instead of discovering them during a 

HIPAA compliance isn't a checkbox. It's a daily operating standard.

For outpatient diagnostic providers, the stakes around workforce security are especially high. Your practice handles imaging studies, lab results, cardiac diagnostics, and other data that qualifies as PHI under HIPAA. A single compromised credential can expose records across your EHR, your PACS, and any connected systems.

The financial consequences are real. HIPAA violation penalties can reach into the millions, and the HHS Office for Civil Rights has increased its enforcement activity in recent years. But for most practice owners, the deeper concern is the trust your patients and referring physicians place in you. A breach notification letter doesn't just carry a fine. It carries a reputational cost that's difficult to measure and harder to recover from.

The good news is that the most effective protections are also the most practical. Structured onboarding, properly scoped access controls, and a culture where employees feel safe flagging something unusual: these aren't expensive initiatives. They're operational habits that reduce risk while actually making your practice run more smoothly.

Your practice might already be doing most of this well.

Maybe your onboarding process is tight. Maybe your team is small enough that new hires get personal attention from day one. But if you've ever had someone log in with a shared credential during their first week, or if you're planning to bring on staff this summer, it's worth taking 15 minutes to walk through the basics before their first shift starts.

The phishing email that targets your newest team member isn't going to wait for orientation to finish.

At Expert Computer Solutions (ECS), we work with outpatient diagnostic practices and healthcare providers across the Greater Houston area to build IT environments where compliance and security are woven into daily operations, not bolted on as an afterthought. From EHR access controls and endpoint protection to HIPAA-aligned onboarding protocols and ongoing security awareness training, our team understands the specific workflows and regulatory requirements your practice navigates every day.

Want to talk through how your onboarding process holds up from a security perspective?

Schedule a free IT consultation with our team. No pressure, no jargon. Just a conversation about what protection looks like for your practice.


Peter Robert
