For small clinical practices

The first hour after an incident matters most — for patients, partners, and your license to practice.

HackFirstAid Medical walks practices of 1–25 providers through that hour in plain language, with no jargon, no procurement headaches, and a clear path through HIPAA, OCR, and your cyber insurer. Free triage, four shipped playbooks, and a regulatory grid covering the US, Canada, the UK, and the EU.

Built for family medicine, dental, optometry, PT, mental health, and small specialty practices · US + Canada + UK + EU regulatory coverage · Hospitals, FQHCs, and pharmacies out of scope by design

Triage in under three minutes

Tell us what just happened. We'll point to the right playbook and the right regulators.

The free triage is always free — no signup, no email gate. Use it during an incident or run it as a tabletop with your team.

  • Open the triage: answer 2–5 plain-language questions about what you're seeing in the practice.
  • Get a printable plan: the matching playbook, first-hour actions, and regulator hand-offs for your state or province.
  • Hand it to your team: email your administrator, print it for your insurer, or work straight from the screen.
Built for

Small clinical practices, 1–25 providers.

Family medicine, internal medicine, pediatrics, OB-GYN, dental, optometry, physical therapy, mental health, small surgical specialties. Single location or small multi-site. Owner-operator, practice administrator, or office manager as the buyer, usually with a single part-time managed service provider (MSP) behind them.

Not for, at launch:
  • Hospitals and multi-hospital systems (different posture, different team)
  • FQHCs (different funding and governance)
  • Pharmacies (board-of-pharmacy and NABP territory; refer out)
  • Long-term care, dialysis chains, urgent-care chains
  • Substance-use-disorder (SUD)-only practices with a heavy 42 CFR Part 2 caseload
Regulatory grid

The frameworks that show up on an insurance application.

HIPAA Security, Privacy, and Breach Notification. HITECH. HHS 405(d) HICP. CMS MIPS Promoting Interoperability. DEA EPCS. 42 CFR Part 2. State medical-records laws. PIPEDA and the provincial health-information acts in Canada. NHS DSPT in the UK. GDPR Article 9 in the EU. Cyber insurer questionnaires that decide whether your claim gets paid.

See the full grid
The MIPS hook

Clinicians participating in MIPS must attest each performance year that they completed a Security Risk Analysis (SRA); without it the Promoting Interoperability category scores zero, which feeds the Medicare payment adjustment two years later. The same analysis is required of every covered entity under the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)), MIPS or not. Few small practices complete one that would stand up to review, and a missing or undocumented risk analysis is the finding OCR cites most often in its settlements and penalties, including those against small practices whose breaches appear on the HHS breach portal (the "Wall of Shame").

Free lead magnet

5-Minute HIPAA Risk Self-Check.

Ten questions. One page. Tells you in five minutes whether you would survive an OCR information request or whether you have a documentation hole that needs closing this quarter. No email gate.