Eight Years: The Same Advice Still Works. That Should Worry You.

Eight years ago today, we wrote our first blog post. Our advice: back up your data, patch your systems, use strong passwords. Eight years, hundreds of posts, billions of dollars in damages industry-wide, and the advice hasn't changed.

The largest healthcare data breach in history, Change Healthcare, was caused by missing MFA on a remote access portal. The exact vulnerability we've been writing about since 2016.

On one hand, this means our advice was right. On the other hand, it means nobody listened.

Eight Years of Saying the Same Things

  • "Enable MFA" - Said it in 2016. Change Healthcare proved it in 2024.
  • "Test your backups" - Said it every year. Practices that test survive ransomware. Practices that don't, pay.
  • "Patch your systems" - WannaCry (2017), NotPetya (2017), Equifax (2017), Exchange (2021). All exploited known, patched vulnerabilities.
  • "Train your people" - MGM lost $100 million to a phone call in 2023. Social engineering remains the top attack vector.
  • "Have an incident response plan" - Eight years, and most practices still don't have one.

What Has Changed

The threat landscape has evolved dramatically:

  • Ransomware went from $17,000 demands to $22 million payments
  • AI can generate perfect phishing and clone voices
  • Supply chain attacks can compromise thousands of organizations through a single vendor
  • Every regulated industry now has prescriptive cybersecurity requirements
  • Nation-state cyber warfare is a daily reality

But the defenses that work against these evolved threats? The same five things we've been saying since day one.

The Message for All Regulated Practices

Whether you're a dentist in Phoenix, a doctor in Scottsdale, a lawyer in Tempe, or a CPA in Glendale, the message is the same. It's been the same for eight years:

  1. Enable MFA on everything
  2. Maintain tested, offline backups
  3. Patch within 48 hours
  4. Train your team quarterly
  5. Have a written incident response plan

We'll keep saying it. We hope this is the year everyone finally does it.