2026 Routine Security Checklist
Through regular reviews, Financial Recovery Group ensures the security of its systems and compliance with HIPAA regulations, as well as HITRUST and SOC.
Set your 2026 calendar to keep up with best practices in technology risk management throughout the new year!
Annual Reviews
General Annual Reviews
- Look at all the vendors you rely upon to ensure your company is getting the services it requires. During this procedure, FRG reviews SOC reports and other materials (HITRUST certification, ISO/IEC 27001 certification, etc.).
- Review your information security program with upper management, going over improvements and accomplishments, and noting any issues or concerns.
- Review your asset inventory to ensure it is correct and includes the location of all physical assets.
- Conduct an internal security risk assessment and report the findings to upper management for problem remediation.
- Bring policies and procedures up to date, then distribute revised documents internally.
External Penetration Test
External penetration testing offers a proactive, authorized security assessment simulating real-world cyberattacks on an organization’s internet-facing infrastructure. Results from a qualified third-party penetration test should inform action by your Security & Compliance team.
HIPAA Training
Third-party HIPAA training adds to and elevates ongoing security training at organizations that handle sensitive payer and provider data. Annual HIPAA training is crucial to maintain a “culture of compliance” and to keep up with evolving technology and regulatory updates.
Biannual Reviews
Compliance Reviews
Security program reviews ensure adherence to data protection standards. For FRG, those include SOC 2 and HIPAA. Consider running one general and one technical compliance review each year to audit security controls, manage vendor risk, and review employee access to sensitive data.
Website Assessment Test
Website Assessment Tests, conducted twice a year by a qualified third party, evaluate a website’s performance, accessibility, security, SEO, and usability to improve traffic and user experience.
Monthly Reviews
Internal Vulnerability Scan
Internal Vulnerability Scans identify security weaknesses from inside an organization. This assessment aims to uncover easy-to-guess passwords, inadequate perimeter defenses, outdated or ill-maintained software that offers breach opportunities, and unauthorized access points, such as those planted by malware. In addition to checks on software and IT services, Internal Vulnerability Scans look at hardware, including servers, employee workstations, and devices.
Monthly Security Awareness Training
Employees also need a regular refresher on your organization’s Incident Response and Business Continuity/Disaster Recovery Plans. You can provide this with employee training and tabletop exercises: simulations of cyber crises that test employee awareness of your plans and their agility to act. Indecision or confusion during these hypothetical exercises points to opportunities to revise standard procedures for specific departments or user groups.
Biweekly Reviews
Log Reviews
A Security Information and Event Management (SIEM) solution pulls together logs and alerts from across your IT infrastructure for comprehensive, auditable reporting. Centralized management of this data enables your Security and Compliance functions to respond rapidly to issues. To optimize your organization’s security during routine operations, the SIEM owner may review the logs every other week to look for security anomalies.
Network Device Reviews
Regular internal scans of your network look for any potential issues with the configuration of firewalls, routers, and switches. Configuration should comply with hardening standards — industry-supported guidelines for securing IT systems — such as CIS Benchmarks and NIST Zero Trust Architecture. Take this opportunity to:
- Review firewall rules and access control lists for outdated or redundant rules that expose the network
- Disable insecure protocols — think HTTP and telnet
- Remove unused services and their accounts, such as FTP and TFTP
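One way to mechanise the three checks above, as an added example that is not part of the original post or FRG's own tooling: it parses a constructed, simplified rule list (the "action proto src dst port" format and the sample rules are assumptions), flags permit rules for HTTP, telnet, FTP and TFTP, and reports rules that an earlier rule already makes redundant or shadows.

```python
from collections import namedtuple

# Plaintext services the checklist says to disable, keyed by (protocol, port).
INSECURE_PORTS = {("tcp", 80): "HTTP", ("tcp", 23): "telnet",
                  ("tcp", 21): "FTP", ("udp", 69): "TFTP"}
# Simplified rule shape (assumed): action, proto, src, dst, dst port; 'any' wildcards.
Rule = namedtuple("Rule", "action proto src dst port")

def parse_rules(text):
    """Parse 'action proto src dst port' lines; '#' starts a comment."""
    fields = (ln.split("#", 1)[0].split() for ln in text.splitlines())
    return [Rule(*f) for f in fields if f]

def covers(a, b):
    """True when rule a matches every packet rule b matches (equal or 'any' fields)."""
    return all(x in ("any", y) for x, y in zip(a[1:], b[1:]))

def insecure_service(r):
    """Name of the plaintext service a permit rule exposes, or None."""
    if r.action != "permit":
        return None
    for (proto, port), name in INSECURE_PORTS.items():
        if r.port == str(port) and r.proto in (proto, "any"):
            return name
    return None

def audit(rules):
    """(index, finding, detail) per issue: insecure-protocol, redundant, shadowed."""
    findings = []
    for i, r in enumerate(rules):
        service = insecure_service(r)
        if service:
            findings.append((i, "insecure-protocol", service))
        for j in range(i):  # first-match semantics: the earliest covering rule wins
            if covers(rules[j], r):
                kind = "redundant" if rules[j].action == r.action else "shadowed"
                findings.append((i, kind, f"by rule {j}"))
                break
    return findings

# Constructed sample rule base for this example; not taken from any real device.
RULES = """\
deny   tcp any 10.0.0.5 23     # block telnet to the server
permit tcp any 10.0.0.5 23     # shadowed by rule 0, never matches
permit tcp any 10.0.0.5 443
permit tcp any 10.0.0.5 443    # exact duplicate of rule 2
permit tcp any 10.0.0.9 80     # plaintext HTTP still permitted
permit udp any 10.0.0.9 69     # TFTP still permitted
permit tcp any any 22
permit tcp 10.0.1.0/24 any 22  # already covered by rule 6
"""
```

Address containment (a /24 covering a single host) is deliberately not modelled here; a review of a real device would need prefix-aware matching, for example with the ipaddress module.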
Weekly Reviews
Antivirus/Anti-malware Check
If, like FRG, your organization has a system that alerts you of potential malicious acts, make sure it’s working as intended.
FRG’s Commitment to Security and Compliance
Since 1999, Financial Recovery Group has prioritized partnerships and data security. It is our company’s mission to reduce risk. To meet this goal, FRG’s Security & Compliance team logs systems’ data for audits, trains our team, adjusts company policies in response to changing threats, and routinely assesses system protections, including those mandated by the HIPAA Security Rule.
FRG proudly maintains its own private onshore data centers, designed for automatic failovers (switching operations to standby systems) for business continuity. We provide secure hosting of client data in a HITRUST CSF r2-certified environment with reliable uptime. Our clients can be confident that their sensitive information is protected — stored domestically and available in a private cloud.
For additional information about FRG’s services and our dedication to security and compliance, email info@frgsystems.com or call 888-466-1025 today.
