“HIPAA compliant” and “secure” are not the same thing, but you’d never know it from the way most healthcare organizations talk about their cybersecurity posture. The assumption that passing a compliance audit means your practice is protected from cyberattacks has become one of the most persistent and dangerous beliefs in healthcare IT, and the consequences of that confusion show up in breach statistics year after year.
According to Jeffery Daigrepont from Coker Group, approximately 50% of small practices don’t survive a breach, even when they were technically “HIPAA compliant.” This gap between regulatory compliance and actual protection widens as threats evolve daily.
This article clarifies what HIPAA actually requires versus what modern cybersecurity demands, why the gap between them keeps growing, and what it takes to build protection that goes beyond passing an audit.
The misconception and why it’s so dangerous
Why “we’re HIPAA compliant” doesn’t mean you’re protected
“We’re HIPAA compliant” has become shorthand for “we’re secure” in a lot of healthcare organizations, and the two just aren’t the same thing. It’s an easy mistake to make. Compliance takes real effort, real resources, and when you’ve done the work to pass that audit, it feels like you should be in good shape.
But passing an audit and being protected from modern cyber threats are two different things entirely.
Tim Grelling, Director of Information Security at Focus Solutions, has seen this play out for over 25 years across HIPAA, PCI, and SOX compliance work. He puts it simply: “You can be HIPAA compliant and still be insecure because of how you interpreted the HIPAA requirements. HIPAA is designed to be the floor, right? You need to meet this compliance, but that doesn’t mean you’re secure.”
What HIPAA actually covers (and where it stops)
HIPAA was never meant to be a security playbook. It’s a regulatory baseline that gives healthcare organizations flexibility to put “appropriate” measures in place, which sounds reasonable until you realize how much room that leaves for interpretation. Ten different practices can implement ten completely different approaches, and all technically pass their audits.
If you’ve ever dealt with PCI-DSS for payment card compliance, the contrast is pretty stark. PCI gets specific: here’s how long your passwords need to be, here’s how often you review your audit logs, here’s the encryption standard you’re using. HIPAA just says you need a policy. It doesn’t say the policy has to be good.
Jeffery breaks it down this way: “When you think of HIPAA, you got to put it in two compartments. One is security, one is privacy. So when you think security, think the lock on a door. The policy says you must activate the lock. Otherwise, the lock doesn’t mean anything.”
Building codes work the same way. They’ll keep your building standing, but nobody expects them to stop a break-in.
HIPAA requirements vs. modern security needs
| HIPAA requires | What this means | What you actually need |
|---|---|---|
| Annual risk assessment | Document vulnerabilities yearly | Continuous monitoring and real-time detection |
| Access controls | Have a policy about access | Multi-factor authentication on everything |
| Security training | Provide staff training | Ongoing training to identify phishing and social engineering |
| Audit controls | Track PHI access | 24/7 security operations coverage |
| Backup procedures | Have a backup plan | Backups that meet cyber insurance requirements |
Why 1996 regulations can’t keep up with modern threats
The evolution nobody planned for
HIPAA’s security rules were written before ransomware existed as a concept, before cloud computing changed how healthcare data moves and is stored, and well before AI started powering increasingly sophisticated attacks. The people who drafted these regulations in 1996 couldn’t have anticipated what healthcare organizations are dealing with today.
Jeffery has watched this shift play out over his 25 years in the industry: “It used to be that you were fighting lazy people working in their mom’s basement just hacking. Now you’ve got to fight bots deployed in the millions that can target and come after organizations.”
Tim adds that the attackers themselves have professionalized in ways that would have seemed absurd a decade ago: “Ransomware groups almost act like businesses now. Some of them have help desks. So if you pay the ransom and can’t get your data back, you can call their help desk.” That’s the level of organization healthcare is up against now. These groups run like companies because there’s serious money in it.
Healthcare organizations get constantly probed by automated tools looking for a way in. One large healthcare organization Tim spoke with said their threat sensors showed roughly a thousand attempts per day. These are bots working around the clock, not individuals manually trying to break through.
How modern attacks actually work
What makes current threats so difficult to defend against is that they exploit human behavior far more than they exploit technical vulnerabilities. Jeffery points to a telling statistic: “40% of all compromises actually originate from insider threats.” But he’s quick to clarify that this doesn’t mean employees going rogue. It means employees getting themselves compromised through social engineering without realizing it.
The pattern usually looks something like this: attackers compromise someone’s account on a food delivery app or streaming service, then they find where that person works through LinkedIn, and they try those same credentials on practice systems. There’s no sophisticated hacking involved. If the credentials work, they’re in.
Healthcare data commands a premium on criminal markets because of its permanence. Jeffery mentions records selling for $200 to $300 each, compared to around $5 for a credit card number. Credit cards can be cancelled and reissued. Social Security numbers, diagnoses, and insurance details don’t change, which makes them valuable for fraud schemes that can continue for years.
What a breach actually costs
Jeffery puts the survival statistics plainly: “About 50% of the time, a small business, small practice does not survive it. They usually have to either file bankruptcy or shut down.”
The costs compound quickly and in ways that aren’t always obvious upfront. There’s the immediate response: forensics, legal counsel, and notifying every affected patient. Then come the ongoing obligations like credit monitoring that can stretch for years. Regulatory penalties add another layer, and if you end up under a Corporate Integrity Agreement, that means years of random audits to prove you’ve actually fixed everything.
Cyber insurance helps with some of the immediate response costs, but the ongoing operational impact, the patient attrition, and the regulatory penalties typically fall outside what policies cover. The gap between what insurance pays and what a breach actually costs catches a lot of organizations off guard.
True breach costs
| Cost category | Typical range | Insurance coverage |
|---|---|---|
| Immediate response (forensics, legal, notification) | $75K-$500K | Partial (varies by policy) |
| Ongoing obligations (credit monitoring, compliance, audits) | $100K-$500K/year | Rarely |
| Regulatory penalties | $100K-$1.5M | No |
| Operational impact (downtime, lost revenue, recovery) | $200K-$2M+ | Partial (sublimits apply) |
Building security that actually protects
Why annual checkboxes don’t work
The problem with annual security activities is timing. An organization can pass a security risk assessment on Monday and get compromised on Tuesday. The threats facing healthcare don’t pause between audits, and neither do the attackers probing for weaknesses.
Risk assessments are required annually for a reason, but they were never meant to be the entire security program. They’re supposed to identify vulnerabilities so you can address them, not sit in a drawer until the next audit cycle. When something significant changes in your environment, whether that’s a new EHR, an acquisition, or a new vendor relationship, that should trigger a fresh look at risk, not wait for the calendar to roll around.
Jeffery puts it simply: “You could literally pass an SRA with flying colors and the next day someone clicks on something.”
Where to start
Most breaches don’t start with sophisticated hacking. They start with people. The statistics consistently show that end users are the entry point for the vast majority of successful attacks, which means that’s where protection efforts need to focus first.
That translates to three priorities: email security to stop phishing before it reaches inboxes, endpoint security to limit damage when something does get through, and ongoing user training that actually changes behavior. The annual compliance training that most organizations rely on doesn’t stick. Staff complete it, forget it, and go back to clicking on things they shouldn’t. Regular simulations and reinforcement throughout the year are what actually build the awareness that prevents breaches.
Tim’s take on users is realistic: “Users are vulnerabilities that you can’t fully patch.” You can’t eliminate human error, but you can reduce it and build systems that catch mistakes before they become disasters.
And if your organization hasn’t implemented multi-factor authentication everywhere yet, that’s the single most impactful thing you can do today. MFA won’t stop every attack, but it stops a lot of them, and it’s often the difference between a blocked attempt and a full breach.
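The credential-reuse pattern described under “How modern attacks actually work” and the MFA point above are exactly what continuous monitoring, as opposed to an annual assessment, is meant to surface. The following is an added example, not code from the original article or from Coker Group or Focus Solutions. It runs three simple detection rules over a constructed set of authentication events (the user names, IP addresses, timestamps and the three-account threshold are all assumptions made up for the example): one source address failing against several distinct accounts, a successful login from such a source, and any successful login that completed without MFA.

```python
"""Added example: simple detection rules for the login patterns discussed above.

Event tuples are (timestamp, user, source_ip, result, mfa_used), oldest first,
as you might export from an identity provider or an EHR audit log.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

Event = Tuple[str, str, str, str, bool]

# Constructed sample events (not real log data). Daytime logins come from the
# practice's own 10.0.0.0/8 range; the 203.0.113.50 address is a documentation
# address standing in for an outside source trying reused credentials.
SAMPLE_EVENTS: List[Event] = [
    ("2024-03-04T08:01:00", "dr.smith", "10.0.0.12", "success", True),
    ("2024-03-04T08:05:00", "nurse.jones", "10.0.0.15", "success", True),
    ("2024-03-04T22:10:00", "dr.smith", "203.0.113.50", "failure", False),
    ("2024-03-04T22:10:05", "nurse.jones", "203.0.113.50", "failure", False),
    ("2024-03-04T22:10:09", "billing.lee", "203.0.113.50", "failure", False),
    ("2024-03-04T22:10:14", "front.desk", "203.0.113.50", "success", False),
    ("2024-03-05T09:00:00", "billing.lee", "10.0.0.20", "success", False),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    timestamp: str
    source_ip: str
    user: Optional[str]  # None for findings about a source address as a whole


def analyze(events: List[Event], distinct_account_threshold: int = 3) -> List[Finding]:
    """Return findings in the order the triggering events were seen.

    Rules (threshold is an assumption for the example, tune it to your volume):
      many_accounts_from_one_source  one IP fails against N distinct accounts
      success_after_stuffing         a login succeeds from an IP already flagged
      login_without_mfa              any success where no MFA step was recorded
    """
    failed_users_by_ip = defaultdict(set)
    flagged_sources = set()
    findings: List[Finding] = []

    for ts, user, ip, result, mfa_used in events:
        if result == "failure":
            failed_users_by_ip[ip].add(user)
            # Flag once, at the moment the source crosses the threshold.
            if len(failed_users_by_ip[ip]) == distinct_account_threshold:
                flagged_sources.add(ip)
                findings.append(Finding("many_accounts_from_one_source", ts, ip, None))
            continue

        # A success from a source that was just spraying accounts is the
        # "reused credentials worked" case from the article.
        if ip in flagged_sources:
            findings.append(Finding("success_after_stuffing", ts, ip, user))
        # A policy that says MFA is required is only as good as the logs that
        # show it actually happened; this is the check the policy can't do.
        if not mfa_used:
            findings.append(Finding("login_without_mfa", ts, ip, user))

    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.timestamp}  {f.rule:<30} ip={f.source_ip}  user={f.user}")
```

In practice the input would be the authentication log from your identity provider or EHR rather than an in-memory list, the threshold would be set against your normal failure volume so it does not fire on a clinic full of mistyped passwords, and the findings would go to whoever is watching alerts around the clock. The point of the `login_without_mfa` rule is that it turns “we have an MFA policy” into something you can verify from evidence every day instead of asserting once a year.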
Testing your response before you need it
Most healthcare organizations have an incident response plan filed away somewhere. That doesn’t mean anyone actually knows what to do when something happens.
Tabletop exercises, where teams simulate responding to a breach scenario, reveal gaps that look invisible on paper. Who actually makes decisions? Who contacts the insurance carrier? Does everyone know their role, or will there be confusion about who does what? These questions are much better answered during a drill than during an actual incident when every minute matters.
Preparation also means knowing who to call before something happens. If you have cyber insurance, your policy likely includes preferred forensic and incident response vendors. Identifying those contacts now, rather than scrambling to find them during an active breach, saves critical time when you need it most.
Making the case internally
When executives push back on security investments, the math is straightforward. A significant breach can cost a healthcare organization $4-5 million or more when you factor in response, remediation, regulatory penalties, and operational disruption. Ongoing protection costs a fraction of that annually.
The real question isn’t whether an organization can afford security, but whether it can afford to go without it.
What happens next
HIPAA compliance is table stakes. It keeps you out of regulatory trouble, but it won’t keep attackers out of your systems. The regulations were written for a different era, and the gap between what compliance requires and what protection actually demands continues to widen.
The good news is that closing that gap doesn’t require starting from scratch. It starts with understanding where you actually stand today, not where your last audit said you were, but where your real vulnerabilities are when measured against current threats.
That’s what a security risk assessment is for. Not the checkbox version that satisfies an auditor, but an honest look at your environment that identifies what’s working, what’s exposed, and what needs to change.
We work exclusively with healthcare organizations, so we understand both sides of this conversation: what keeps auditors satisfied and what actually keeps patient data safe. When you’re ready to see where you stand, we can help you figure out what to fix first and build a path forward that fits your practice.