From HIPAA to Hackers: Bridging the Gap Between Compliance and Cybersecurity in Healthcare
For healthcare compliance and cybersecurity executives, the mandate is clear: protect patient data, ensure regulatory alignment, and defend against increasingly sophisticated threats. But in today's threat landscape, regulatory compliance alone is no longer sufficient. The real challenge lies in operationalizing cybersecurity within the compliance framework, and doing so at scale.
Compliance Is the Floor, Not the Ceiling
Regulations like HIPAA and HITECH provide critical guardrails, but they were written before modern attack vectors like ransomware-as-a-service, software supply chain compromise, or AI-driven phishing existed. Executives must recognize that compliance is a baseline, not a strategy.
Case in Point: In September alone, the HHS breach portal (which lists only breaches affecting 500 or more individuals) showed 5 reported breaches, of which 4 were hacking/IT incidents. Three of those involved network servers and one involved email; the remaining incident was unauthorized access/disclosure of paper records. For 2025 to date, the portal lists a total of 436 breaches. Most appear to involve network servers, which is where we recommend focusing resources.
Here is why compliance ≠ security (and what healthcare orgs often miss):
The HIPAA Security Rule does not strictly require encryption: it is an "addressable" implementation specification, not a "required" one. Addressable does not mean optional (a covered entity must implement it where reasonable and appropriate, or document why it did not and what equivalent measure it put in place instead), but in practice that flexibility is often read as permission to skip it.
Every organization is different, with its own gaps and threats shaped by dependencies such as employee responsibilities and access rights. The rules do not address the specific complexity of each covered entity.
Organizations can pass HIPAA audits and still lack real-time threat detection and response capabilities, which highlights the gap between regulatory posture and cyber resilience.
Imperatives for Cyber-Resilient Compliance
So how can you integrate cybersecurity best practices into compliance programs?
Here are some actionable steps to future-proof your organization:
Hire IT staff who understand the importance of cybersecurity, or provide training at least annually (your employees are your first line of defense). Tie training results into annual performance reviews.
Create IT policies and procedures that require encryption, protection of encryption keys, strong passwords, and two-factor authentication.
Use the NIST Cybersecurity Framework (CSF) as a baseline and integrate it into your compliance program.
Conduct annual, or better quarterly, risk assessments that review compliance, privacy, and cybersecurity standards together. Make this the norm of your corporate culture.
Audit for Resilience, Not Just Regulation: Expand audits to include penetration testing, red teaming, and business continuity planning.
Modernize Training Protocols: Move beyond checkbox training to behavior-based risk awareness programs. Conduct quarterly training exercises to strengthen employees' understanding of how real intrusions unfold, including within your IT department.
SOC 2 reports and HITRUST certifications have become common contractual requirements from partners that share data with you. Review your contractual obligations.
Integrate Governance Models: Align GRC, cybersecurity, and IT operations under a unified risk framework.
Invest in Threat Intelligence: Use real-time data to inform compliance decisions and incident response.
Strategic Gaps in Traditional Compliance Programs
If compliance is the floor, that floor had better be a strong foundation. Here are some considerations for strengthening your compliance program:
Be less reactive and more proactive: Annual risk assessments do not match the velocity of emerging threats. Proactively track current threats and shift priorities as they change.
Review and, where possible, eliminate siloed functions: Compliance and cybersecurity teams often operate independently, creating blind spots. Teamwork is key: get to know each department's priorities and goals.
Review your vendor risk exposure: Third-party platforms and service providers introduce vulnerabilities that compliance frameworks rarely address in depth. What are you doing to review their access, relationship, and requirements on a regular basis?
Final Thoughts
For healthcare executives, the question shouldn’t be “Are we compliant?” but “Are we resilient?” Because when adversaries strike, it’s not your audit trail that will protect you—it’s your ability to respond, recover, and adapt.