Arrowhead Orthopaedics Turns HIPAA Audits into a Competitive Advantage with VC3
Arrowhead’s approach to HIPAA compliance is built upon a foundation of continuous preparation rather than periodic scrambling.
For healthcare organizations, HIPAA compliance is not optional. Fines, lawsuits, and reputational damage can result from even a single unaddressed vulnerability. But for Arrowhead Orthopaedics, a multisite orthopedic practice that has partnered with VC3 for 15 years and counting, HIPAA compliance is much more than a regulatory checkbox. Instead, Arrowhead uses the HIPAA framework to help continuously improve its security posture, educate its team, and protect the patients they serve.
Tim Camou, Arrowhead’s HIPAA and Cybersecurity Compliance Officer, recently joined VC3 Senior Strategic Advisor Ammon Becar for a webinar to walk through Arrowhead’s most recent security risk assessment. Below is a summary of that conversation: what Arrowhead did to prepare, how the audit unfolded, and lessons for other healthcare organizations.
The Challenge
Healthcare organizations face a uniquely complex compliance environment. HIPAA requires that covered entities protect protected health information (PHI) across digital systems, physical spaces, user behavior, and vendor relationships. For Arrowhead, that means managing risk across multiple clinic locations, a diverse staff including physicians and administrative personnel, and a constantly evolving technology and cybersecurity landscape.
A successful cyberattack, unauthorized access to PHI, or failed HHS audit can result in significant financial penalties, civil liability, and the erosion of patient trust. At the same time, security measures such as multifactor authentication (MFA) and encryption can create friction for clinical staff whose first priority is patient care.
Camou is candid about the reality when he says, “You can put as many security tools in place as you want and they can all be defeated by your end users.” Whether it’s a well-meaning supervisor letting an unfamiliar person into an IT closet, employees sharing login credentials to get a job done faster, or a provider struggling with MFA prompts, human behavior remains the most persistent vulnerability in any healthcare security program.
For Arrowhead, the decision to conduct a formal, third-party security risk assessment was not driven by fear of an HHS audit but by a desire to know exactly where they stood—and to have the documentation to prove it.
The Solution
Arrowhead’s approach to HIPAA compliance is built upon a foundation of continuous preparation rather than periodic scrambling. Through weekly calls with VC3, Camou stays ahead of shortcomings, upcoming changes to HIPAA regulations, and evolving security best practices. By the time Arrowhead decided to engage a third-party auditor for a formal security risk assessment, there was no sudden push to prepare because preparation had never stopped.
Along the way, VC3’s work with Arrowhead has spanned several interconnected areas that help with audit-readiness:
- Ongoing HIPAA Advisory and Compliance Support: VC3 meets with Camou weekly to review Arrowhead’s compliance environment, flag gaps, discuss upcoming regulatory changes, and align security investments with evolving needs. This consistent engagement means no compliance issue surfaces as a surprise.
- Security Risk Assessment Coordination: When Arrowhead engaged a third-party auditor to conduct a formal security risk assessment, VC3 played a central role in the documentation phase. With the auditor’s documentation checklist in hand, Becar identified what VC3 could provide and clarified what needed to come directly from Arrowhead, significantly reducing the compliance burden on Camou’s team.
- Endpoint Detection and Response (EDR): At VC3’s recommendation, Arrowhead deployed a new EDR tool approximately three months before their most recent audit. During the penetration testing phase of the assessment, the auditor plugged a device into an Arrowhead IT closet to test network access, and the EDR tool flagged and blocked the device within five minutes. Arrowhead had to whitelist the auditor’s device before testing could proceed.
- Multifactor Authentication (MFA): VC3 has guided Arrowhead through successive improvements to their MFA posture, including a recent move away from SMS-based authentication for their electronic medical records (EMR) system. Arrowhead is currently evaluating a new MFA tool and passkey-based authentication options for broader deployment. Over the years, VC3 has helped Arrowhead evaluate MFA options that balance security requirements with the practical reality of clinical workflows.
- Security Awareness Training: Arrowhead runs an ongoing security awareness training program, pushing annual training to all users through a dedicated portal. VC3 supports this effort by helping Camou stay current on emerging threats and compliance requirements. Camou supplements the platform-based training with one-sheets, Teams training sessions, and, for the users most in need of help, direct one-on-one coaching.
- Physical Security Testing: Following the formal audit, Arrowhead implemented its own ongoing physical security testing protocol. VC3’s onsite technician periodically visits Arrowhead’s clinic locations, unannounced and unknown to staff, to test how far into facilities and IT closets he can get without being challenged. This builds upon a lesson from the formal audit, during which one site passed the physical intrusion test and one did not.
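How an allowlist-based unknown-device check can work, as an added illustration that is not part of the original case study, not VC3’s EDR tool (whose detection logic the page does not describe), and not Arrowhead’s configuration: parse DHCP acknowledgements, compare each device’s MAC address against an asset inventory, and report anything not explicitly approved, including the step of recording an approval for a known test device. The lease lines, inventory entries, MAC addresses, and hostnames below are constructed for the example; the lease format is modeled on ISC dhcpd syslog output.

```python
import re
from dataclasses import dataclass

# Constructed sample input: ISC-dhcpd-style DHCPACK lines with the syslog prefix
# trimmed. Not a real Arrowhead log; MACs and hostnames are made up.
SAMPLE_LEASE_LOG = """\
DHCPACK on 10.20.4.31 to 3c:52:82:aa:10:01 (RL-FRONTDESK-02) via vlan20
DHCPACK on 10.20.4.77 to 00:1b:44:11:3a:b7 (RL-XRAY-PRINTER) via vlan20
DHCPACK on 10.20.4.90 to f0:9f:c2:7e:11:22 (kali) via vlan20
"""

# Constructed asset inventory: the allowlist the check compares against.
# Keyed by normalized MAC; the value records who approved the device and why.
SAMPLE_INVENTORY = {
    "3c:52:82:aa:10:01": {"owner": "Front desk, Redlands", "approved_by": "compliance officer"},
    "00:1b:44:11:3a:b7": {"owner": "Imaging, Redlands", "approved_by": "compliance officer"},
}

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    host: str
    iface: str


def normalize_mac(mac: str) -> str:
    """Lowercase, colon-separated form so 3C-52-82-AA-10-01 equals 3c:52:82:aa:10:01."""
    return mac.lower().replace("-", ":")


def parse_leases(text: str) -> list:
    """Extract Lease records from DHCPACK lines; lines that are not acknowledgements are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m is None:
            continue
        leases.append(Lease(m["ip"], normalize_mac(m["mac"]), m["host"] or "", m["iface"]))
    return leases


def find_unknown_devices(leases: list, inventory: dict) -> list:
    """Leases whose MAC is absent from the inventory: candidates for alerting or quarantine."""
    known = {normalize_mac(mac) for mac in inventory}
    return [lease for lease in leases if lease.mac not in known]


def approve_device(inventory: dict, mac: str, owner: str, approved_by: str) -> dict:
    """Record an explicit approval (the 'whitelist the auditor's device' step).

    Returns a new inventory instead of mutating the input so before/after states can be compared.
    """
    updated = dict(inventory)
    updated[normalize_mac(mac)] = {"owner": owner, "approved_by": approved_by}
    return updated


def scan(text: str, inventory: dict) -> list:
    """Parse the log and return (hostname, ip, mac) for every device not in the inventory."""
    return [(l.host, l.ip, l.mac) for l in find_unknown_devices(parse_leases(text), inventory)]


if __name__ == "__main__":
    for host, ip, mac in scan(SAMPLE_LEASE_LOG, SAMPLE_INVENTORY):
        print(f"UNKNOWN DEVICE host={host!r} ip={ip} mac={mac}")
    approved = approve_device(
        SAMPLE_INVENTORY, "F0-9F-C2-7E-11-22", "Third-party auditor test laptop", "compliance officer"
    )
    print("after approval:", scan(SAMPLE_LEASE_LOG, approved))
```

A MAC allowlist on its own is a weak control, since MAC addresses are trivially spoofed; in practice it is one signal alongside 802.1X or other network access control and the presence of a managed endpoint agent. The point of the example is the workflow: an unknown device is detected quickly, and getting it onto the network requires a recorded approval rather than a silent exception.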
Inside the HIPAA Audit: What the Process Actually Looked Like
For healthcare organizations considering a formal security risk assessment, Arrowhead’s experience offers a useful roadmap. Camou and Becar walked through the timeline and structure in detail:
- Vendor Selection: Arrowhead began the vendor selection process at the start of the year, gathering quotes and evaluating options before bringing finalists to leadership for cost review and final vetting. Most vendors had a backlog of approximately six months before an audit could begin, a lead time that catches some healthcare organizations off guard. Arrowhead was fortunate to find a vendor with a shorter wait time. “Make sure you’re choosing that vendor well before the actual audit starts,” Camou said.
- Documentation Review: Once Arrowhead was under contract, the auditor provided a comprehensive documentation checklist. VC3 gathered the relevant materials, identified gaps, and handed off a clean package. The auditor’s documentation review took approximately one week.
- Onsite Assessment: After reviewing the documentation and sharing initial findings, the auditor conducted onsite evaluations over approximately four days. This included a leadership briefing, penetration testing (including the EDR incident described above), and unannounced physical site visits to test whether staff would grant access to an unknown individual claiming to be IT personnel.
- Final Report: The final assessment report was delivered approximately two months after the onsite work concluded. Total elapsed time from contract signing to final report was roughly four months.
- Leadership Engagement: After selecting the auditor, Arrowhead’s leadership team was included in every vendor meeting, received a high-level briefing at the start of the onsite phase, and reviewed results at the conclusion. Camou’s approach was to keep leadership informed without pulling them into the technical details.
The Results
Arrowhead’s security risk assessment reinforced years of continuous compliance work and surfaced areas where improvement was still needed. Key outcomes included:
- EDR Proving Its Value: The penetration test provided real-time validation that Arrowhead’s endpoint detection investment was working. The EDR tool stopped the auditor’s device within five minutes of being plugged into the network—a result directly attributable to VC3’s EDR recommendation and implementation three months prior.
- Physical Security Gaps Identified and Addressed: The unannounced clinic visits revealed that one site was vulnerable to social engineering: a supervisor allowed access to an IT closet without verifying the visitor’s identity. This finding led directly to the implementation of Arrowhead’s ongoing internal physical security testing program, now carried out monthly by a VC3 technician.
- Stronger Leadership Alignment: The structured engagement of Arrowhead’s leadership team throughout the audit process increased their understanding of and confidence in the organization’s security posture. Compliance is no longer an IT department concern—it’s a shared organizational priority.
- A Replicable Compliance Model: Perhaps most importantly, Arrowhead emerged from the audit process with a sustainable, continuous compliance model rather than treating it like a one-time project. With ongoing training, regular testing, weekly advisory calls, and a structured audit cadence, Camou’s team is already scheduling their next assessment.
“Make sure you have MFA in place. Make sure you’re doing encryption and backups. Make sure all your policies are in order. Review constantly. Pay attention to the little things—how you’re setting up printers, devices, Wi-Fi access points. Everything matters.” — Tim Camou, HIPAA & Cybersecurity Compliance Officer, Arrowhead Orthopaedics
Advice for Healthcare Organizations
When asked what he would tell a healthcare organization hesitant to pursue a formal security risk assessment, Camou said, “You’re never ready, so that’s not a reason to wait. A third-party assessment isn’t tied to HHS. It’s not going to be levied with fines. It’s information for you to go back and make any needed adjustments. I don’t see a reason why anyone would not start these things immediately.”
He offered additional guidance for organizations preparing to go through this process:
- Start earlier than you think is appropriate: Auditor backlogs of roughly six months are common. If you want an audit completed by a specific date, begin the vendor selection process well in advance.
- Proactively budget: If you want a solution in place for 2027, bring it to the budget conversation in 2026. Surprises in the budget process stall remediation.
- Educate (and don’t just mandate): When security changes create pushback, especially from clinical staff, explain the why by connecting the inconvenience to the financial and legal consequences of a breach.
- Treat the audit as an asset, not a threat: The findings from a security risk assessment give you documented proof of what needs to change and justification for the budget to fix it.
- Pay attention to the little things: As an example, an audit issue for Arrowhead a few years ago was a printer with a vulnerability that was connected to only one person’s computer, something easily overlooked. Little things like setting up a printer, a device, Wi-Fi, or other seemingly innocuous technology configurations all matter.
Looking Ahead
Arrowhead Orthopaedics is already scheduling its next security risk assessment. With upgrades to MFA underway, ongoing physical security testing in place, and VC3’s advisory relationship continuing to evolve, Camou’s team is not waiting for the next audit to find problems. They’re continuously looking for issues and fixing them before they negatively impact the organization.
For Camou, that mindset is the whole point. “I’m not perfect. I don’t know everything. But if I know what’s broken, I can fix it. That’s why we have this process.”
About Arrowhead Orthopaedics
Arrowhead Orthopaedics is the premier orthopaedics group in the Inland Empire. Their mission is to provide superior sub-specialty orthopaedic care. Their innovative facility in Redlands combines clinical services, diagnostic imaging, treatment, outpatient surgery, and rehabilitation all under one roof. They also have offices in Hemet and Riverside, and they provide services for the local county hospital, Arrowhead Regional Medical Center.