
Healthcare Security And Compliance: The Good, The Bad And The Ugly

Forbes

19-05-2025


Ben Tercha is COO at Omega Systems, an award-winning managed IT services provider (MSP) and managed security service provider (MSSP).

Perhaps tasked with meeting more stringent cybersecurity and compliance demands than any other industry, the healthcare sector faces a myriad of complex challenges. While there are bright spots to applaud, there's also continued progress yet to be made—and in some cases, potential danger zones to beware of. Let's break down some of the good, the bad and the ugly hallmarks of governance, risk and compliance (GRC) in the healthcare industry today.

It's not all doom and gloom. Today's healthcare organizations are more equipped than ever before to face an increasingly dangerous threat landscape, thanks in part to rigorous regulatory demands, innovative technology capabilities and more general awareness of potential security threats.

HIPAA compliance standards continue to evolve, with new proposals for increased data protection introduced as recently as a few months ago. If enacted, these stricter security measures will help fortify the industry and ensure a continued focus on patients' rights as well as data transparency and privacy. Under the proposed rule, new requirements would include:

  • Security controls such as multi-factor authentication (MFA), network segmentation and data encryption both at rest and in transit;
  • Written procedures for restoring lost data and protected health information (PHI) within 72 hours; and
  • Annual completion of a HIPAA compliance audit.

Technology innovations like AI-powered threat detection, advanced endpoint security tools and behavioral analytics are improving cybersecurity defense strategies and giving healthcare companies more ammo to fight sophisticated threats. More healthcare providers are taking action to assess third-party risks than ever before, performing at least basic vendor due diligence and asking providers to validate data privacy and security controls at a high level.

Despite some progress, many healthcare organizations still struggle to navigate an increasingly complex cybersecurity and compliance landscape. While many healthcare entities meet HIPAA's basic compliance standards for data privacy, most still lack a robust, proactive risk management strategy that includes multi-layered security protections across the perimeter, network and endpoints. Too few organizations are implementing what I consider "must-have" security controls for the healthcare industry today: MFA, endpoint detection and response, and data encryption, for example. These tools are both powerful and cost-effective, and yet we still see companies sidestep adoption too easily.

Furthermore, a vast number of companies in the healthcare industry appear reluctant to use outsourced providers such as MSPs/MSSPs for deeper IT and security expertise. This hesitation can lead to over-burdened internal teams and can hinder organizational productivity, innovation and scalability in the long run.

Most healthcare companies don't have the tools or expertise to understand where PHI resides and how it moves within their IT environments, not to mention the value of that data. It's often stored in multiple, unsecured locations, and cloud applications and other data sources often lack deeper connectivity and integration—all of which can lead to increased breach potential.

Human error remains one of the biggest dangers for businesses across all industries. For healthcare companies, a lack of consistent security awareness training and real-time education will continue to increase potential risks.

Believe it or not, there are even bigger security concerns for the healthcare industry today, and without a concerted effort to address growing risks, companies—and their patients—will suffer. Hackers view healthcare organizations (including hospitals, insurance carriers and even smaller medical practices) as "low-hanging fruit." They frequently take advantage of outdated infrastructure, unpatched systems and applications, and untrained employees to execute sophisticated phishing scams and zero-day attacks against the healthcare sector that lead to operational disruptions and financial loss. Beyond fines, data breaches result in sensitive data exposure, reputational damage, lawsuits and even potential harm to patient care. More than perhaps any other industry, healthcare providers need to take extra care to secure systems and data to ensure they do not end up in the wrong hands.

Healthcare providers face increasing scrutiny from regulators, class-action lawsuits from patients and hefty penalties for non-compliance. As HIPAA considers rolling out additional requirements, it will be incumbent on organizations to evaluate opportunities to fortify their security stack to avoid serious consequences. In fact, there have been calls to remove existing statutory caps on fines, a move that could lead to more significant and immediate non-compliance penalties.

Despite increasing regulatory oversight and a constant stream of attacks in the news, too many healthcare companies are letting cost dictate their security strategy. Of course, most businesses don't have unlimited IT budgets, so it's impossible to adopt every new and shiny security tool on the market. However, there's a fine line between cost control and penny-pinching.

Modern cyber threats demand a modern approach to cybersecurity. In practice, that means healthcare organizations need to align internally on their overall approach to GRC and develop a strategic roadmap that balances both efficiency and risk. Furthermore, relying on reputable IT partners and investing in robust technology solutions has proven not only to extend the effectiveness of internal resources but also to aid the security and compliance process in a meaningful way.

Organizations that avoid or delay security investments will likely end up spending more on breach recovery, non-compliance fines and reputational damage. Considering the options of a five-dollar-per-user MFA solution versus hundreds of hours of incident response and the exponential cost to your organization and its patients, I know what I would choose.
