
Autumn 2025 Issue

Strategic Initiative
By Elizabeth S. Goar
For The Record
Vol. 37 No. 3 P. 14

Calculating the Risk-Reward Equation for Health Care Cybersecurity

Advanced cybersecurity tools and protocols—many of which will be codified when the Office for Civil Rights (OCR) finalizes its overhaul of the HIPAA Security Rule—have been relegated to the budgetary wish list by many hospitals and health systems. However, as threat levels rise, the chorus of voices warning providers to make enhanced cybersecurity a budget priority grows louder.

Unfortunately, for many, the problem isn’t an unwillingness to prioritize cybersecurity solutions and practices, it’s an inability to do so financially without draining resources from other mission-critical areas. The result is often the bare minimum required for HIPAA compliance, a choice that leaves the organization vulnerable.

“Health care security cannot be run as a compliance checkbox. Attackers are using automated reconnaissance, ransomware payloads, and supply chain pivots to target hospitals and clinics because they know the gaps are real and persistent. The only path forward is to run continuous adversarial testing, treat offensive tradecraft as a must-have capability, and build a security culture that matches the stakes: Lives, not just data, are on the line,” says Nic Adams, cofounder and CEO of 0RCUS. “Leadership must stop delegating cyber risk to paperwork and start treating it as an existential business threat. Anything less is just waiting for the next breach headline.”

Beyond the Bare Minimum
Even provider organizations that are compliant with current HIPAA security mandates fall short of the protection needed in today’s evolving threat environment. To change that, OCR proposed an extensive overhaul of the existing regulation in the “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information” proposed rule, published in the Federal Register in January 2025 but not expected to be finalized until 2026.[1,2]

“Far too many regulated entities do not view cybersecurity as a necessary component of their operations that allows them to fulfill their health care missions. Anecdotal evidence suggests that senior management often lacks awareness of cybersecurity, including both threats and methods for protecting against such threats,” OCR wrote.

Layna Cook Rush, CIPP/US, CIPP/C, a shareholder with Baker Donelson who heads up the law firm’s Data Incident Response Team, concurs with OCR’s sentiments. Meeting the minimum requirements is unlikely to provide adequate protection in today’s threat landscape. “Not investing in an up-to-date cybersecurity program opens an organization up to an attack, which can lead to significant financial costs, including ransomware payments, regulatory fines, lost profits during downtime, and class action lawsuits,” she says.

Adams calls regulatory minimums a “false floor,” adding that “doing the bare minimum means attackers have a free map to your environment, and regulators have a trigger for postbreach penalties.”

According to Asdrúbal Pichardo, CEO of Squalify, security and compliance are not interchangeable. “Meeting the bare minimum may check a box, but it won’t stop a breach or the financial and operational chaos that follows. Organizations hit with multimillion-dollar ransom demands often discover too late that their backups are insufficient and insurance coverage limited,” he says, adding that when postbreach lawsuits roll in and controls are found to be substandard, “liability becomes much harder to defend. Doing the minimum might satisfy auditors, but it won’t satisfy plaintiffs or your board.”

Chris Cronin, a principal consultant and partner with Halock Security Labs, who invented the Duty of Care Risk Analysis standard and is the primary author of the Center for Internet Security Risk Assessment Method, says what many in the security business miss is that the HIPAA Security Rule, as it’s written, is not about prescriptive guidance: It’s about taking reasonable action to prevent the opportunity for harm.

Health and Human Services (HHS) wants providers to demonstrate that they considered protecting patients’ privacy and data as they developed their cybersecurity strategies, Cronin says. That is why the decision by OCR to avoid being overly prescriptive in the original security rule was a double-edged sword. OCR doesn’t dictate exactly which controls to use, which can be frustrating for some regulated entities. However, it also means those entities can justify which controls they use based on the risk and the costs to reduce it.

Provider organizations “can’t read the tea leaves to understand what HHS wants,” he says. As a result, they tend to rely on maturity assessments or audits to identify specific compliance gaps, then raid clinical and operational budgets for technology solutions to close them.

They strive for compliance “without actually addressing the reasonableness question of HIPAA,” Cronin says. “Every organization, including hospitals and other clinical providers, is supposed to be a balanced environment. Achieve your mission, protect others you might harm, and don’t spend more than the risk to accomplish both.

“But if money in [the clinical] budget gets shifted to the cybersecurity budget, that better not reduce patient care,” he continues. “That would not be reasonable if patients suffered unnecessarily to afford a ransomware safeguard that an audit said was needed. The clinical environments aren’t being well served with these maturity assessments and audits.”

In other cases, cybersecurity is ignored due to budget limitations, which is also the wrong approach because, when the inevitable breach or ransomware attack occurs and OCR comes calling, saying there was no money for a risk analysis will not fly.

“You need to show [regulators] that what you did was reasonable, that it was a balance between your budget and patient care,” Cronin says. “You can’t just say, ‘We won’t do this because we don’t have the budget.’ You have to do what you can to reduce the risk to the patient and still function as a hospital.”

Setting Standards
There are numerous examples of provider organizations falling short in their cybersecurity efforts and incurring financial and reputational losses. However, the most effective justification for changing perceptions around cybersecurity investments can be found in a cybersecurity unicorn: a health system that has never experienced a breach.

“Knock wood,” says Kevin Torres, chief information security officer (CISO) of MemorialCare, a nonprofit health system that includes four hospitals, two medical groups, imaging centers, and surgical centers providing care to patients in Orange County and Los Angeles County, California. That success is a byproduct of the system’s focus on creating a culture of cybersecurity awareness that runs from the top down.

“You need to spend an equal amount of time on cultivating the culture as you do with the implementation of tools to protect you, and it all starts with your employees. They are the main threat vector that is being compromised,” Torres says.

Along with educational articles, management presentations, and monthly governance, Torres and his team collaborated with MemorialCare’s marketing department to create a tip corner and craft messages published in the monthly CEO report to all employees. Initiatives supporting that culture are as crucial to his role as implementing safeguards and conducting penetration testing.

“The more equipped your employees are, and the more educated they are on what to look for, the better off we are,” Torres says. “We have built training programs that are mandatory, like what to look for in a phishing attempt. We test them at the end, and they have to pass that test. Then we hold them accountable … It’s not that we want to penalize them. We want to educate them. We want to work together with them.”

Which is not to say that MemorialCare doesn’t place a priority on investing in state-of-the-art security tools. They do. For example, the health system is implementing an identity management system from Clear, which rose to prominence during the pandemic and continues to partner with TSA at airports nationwide.

“Even with all the tools, you still have a constant barrage of social engineering [attacks] … We’re going to spend a lot of time on access and the social engineering piece because we think that’s our biggest potential vulnerability,” Torres says, adding that MemorialCare also utilizes behavioral analytics and AI to detect social engineering attempts earlier.

Torres recognizes that MemorialCare’s views on cybersecurity are not the norm and is careful not to take advantage by overspending on tools that aren’t the right fit. For IT leaders who aren’t as lucky, he recommends benchmarking against peers as much as possible to demonstrate when spending is below average and putting data at risk.

“The board at MemorialCare has adopted a very strong and supportive stance on cybersecurity. They don’t see it as a technical problem. They see it as an enterprise risk management issue,” he says. “This is not a technical issue or a cybersecurity issue to solve. It’s an organizational issue, and everybody has to get behind that, from the CEO to the board and all the way down.”

Making the Business Case
MemorialCare’s perspective is something CIOs and CISOs can emphasize when seeking support for improving security profiles. Rush suggests capturing the attention of the C-suite by framing a cybersecurity incident as a business risk, rather than a technical concern.

“In addition to regulatory exposure, there is the expense of operational downtime, potential reputation damage, and class action lawsuits. The costs of a cybersecurity breach can easily outweigh the cost of instituting a strong cybersecurity program. Having a strong cybersecurity program is good for the bottom line,” she says, noting that IBM in its 2024 Cost of a Data Breach Report put the price tag of the average health care breach at nearly $9.8 million—the highest of any industry.[3]

“By contrast, by investing even a fraction of that cost in its cybersecurity program, an organization can establish layered defenses, threat monitoring, and response capabilities that will protect against cyber incidents and reduce the impact if one does occur,” Rush says.

Pichardo shares that leading with financial exposure is more effective than relying on technical jargon when making the business case around cybersecurity enhancement. “C-suites and boards don’t need a list of software vulnerabilities, they need to understand potential revenue loss, regulatory fines and lawsuits, or patient churn tied to a breach. Frame the conversation in terms of risk-adjusted ROI [return on investment]: how a targeted investment in cybersecurity today can prevent multimillion-dollar losses tomorrow,” he says. “The question isn’t whether a breach could happen. It’s what it would cost the business if it did, and whether you’re comfortable with that risk sitting on the balance sheet.”

Making the business case for cybersecurity investments can be challenging because “it can be difficult to provide an economic analysis to a damaging event with uncertain probability,” says George C. Pappas, CDH-E, CEO of Intraprise Health, by Health Catalyst. He recommends starting with a validated security risk assessment conducted by a third party. This will construct a clear picture of the organization’s security posture and provide a list of its important security needs.

This analysis “can provide a roadmap of fixes and their priority that you can work on over time,” he says. “Next, compare your own posture to similarly situated organizations. If the organization has large gaps, there is a stronger argument for urgent/important needs to be addressed. Lastly, examine the cost and patient harm of cyberattacks on organizations of similar size and scale.”

John Trest, chief learning officer with VIPRE Security Group, recommends comparing the cost of a security event with that of proactive security investments, from training to endpoint protection. These “are usually a fraction of that cost and are spread out over time,” while the tangible and intangible costs of a cyberattack “can take years, or even decades, to rebuild.” Thus, he says, “while CEOs tend to focus more on risk and ROI, it’s up to IT leadership to clearly explain what’s at stake and why stronger security matters.”

To that end, Trest recommends establishing a business case that communicates the following:

• Financial risks: Highlight the potential fines for HIPAA noncompliance, costs of breach remediation, patient notification expenses, lawsuits, and reputational damage.

• Operational disruption: A ransomware attack can halt patient care, divert employee time, and damage trust.

• Competitive advantage: Strong security measures protect the organization’s reputation and can be a market differentiator for patients and partners. Framing security as a patient safety issue often resonates the most with health care executives.

Adams suggests mapping every investment directly to risk avoidance and bottom-line preservation, as well as quantifying the potential cost of downtime, lost revenue, and regulatory penalties. When possible, utilize real-world breach case studies from similar organizations and translate technical controls into business impact, tying patient safety, continuity of care, and brand reputation to specific security gaps. Additional steps include the following:

• show how adversarial simulation closes existential exposure;
• frame cybersecurity expenditures as business resilience, not IT overhead; and
• demonstrate that regulatory fines and breach losses exceed the incremental cost of proactive security.

“Advanced security investments in offensive simulation, robust segmentation, hardened backups, and continuous red-teaming typically cost a fraction of a single breach event,” Adams says. “Leadership must recognize the asymmetry: One breach can wipe out years of profit, while security spend is predictable, measurable, and reduces existential risk.”

Cyber Insurance
One aspect of cybersecurity that is often underappreciated, despite its growing influence in decisions regarding appropriate protection, is insurance. In the current risk environment, appropriate coverage has become a significant and essential line item, and premiums are rising with the stakes.

Ryan Griffin, who heads the US cyberinsurance division of McGill and Partners, notes that cyber coverage is a young market, having only gained prominence over the past 20 years. However, the rapid advancement of both technology and the capabilities of bad actors has accelerated the maturation of coverage. The challenge for insurers is that, unlike coverage for a physical asset, cyber insurance is primarily based on good faith.

“They’re taking the client’s word that the [environment] is secure. It’s hard to attest that you’ve implemented a [particular] security control throughout the environment,” he says. “You may have implemented it 95% of the way, but the threat actors are really good at exploiting the areas where you haven’t. Just from a risk management standpoint, for CIOs and their security officers, that is an absolute nightmare challenge.”

Cyber insurers have also assumed a dual role as protector and trusted advisor. As such, they not only hold their beneficiaries accountable for meeting best practices and providing appropriate protection but also act as expert resources for accelerating recovery in terms of identifying where and how the breach happened, the extent of the damage, and all the required steps that must be taken postbreach in terms of reporting and notifications. They also continuously scan the threat environment and alert clients early to emerging threats, as well as tracking data on everything from trends in ransomware payments to threat actors and breach mechanisms.

“The number one role the insurance companies play is helping on the resiliency side when you do experience an event,” Griffin says. “It’s basically ‘in case of emergency, break glass’ [and] we’ll airdrop a team of lawyers and cybersecurity professionals to help you recover in those first 72 hours.”

Insurance also protects against fines and other penalties that regulators assess following incidents, “which is a rarity in the insurance world,” Griffin says. “Compliance is in the eye of the beholder at times, and usually, health systems are the victim of an attacker. Sometimes we forget that … It isn’t malicious noncompliance. They were doing their best and thought they were meeting the standards but were still exploited.”

— Elizabeth S. Goar is a freelance health care writer in Wisconsin.


Baby Steps for Hardening Security
“There is no question that provider organizations are falling short on cybersecurity, including failing at proactive threat emulation, live adversary simulation, and real-time breach-path analysis,” says Nic Adams, cofounder and CEO of 0RCUS.

“Most rely on checklist compliance, HIPAA audits, policy templates, annual trainings, basic [endpoint detection and response] deployments, or vulnerability scans, none of which simulate how real attackers breach medical infrastructure,” he says. “Security needs to stop being managed as another paperwork exercise, as it’s quintessential war gaming. Asset inventory is incomplete, segmentation is weak, and critical trust assumptions go untested. Vendors push point solutions, while attackers move through open lateral paths and misconfigured APIs [application programming interfaces]. The gap: zero offensive tradecraft and little real adversary perspective. The industry still thinks in defense, not offense.”

While it sounds impossible, stronger protection can be achieved without breaking the bank. Adams advises providers to stop buying shelfware and instead focus on the following:

• enforcing least-privilege across all accounts, service roles, and medical device logins;

• mapping critical data flows and locking down exposed APIs, remote access, and file shares;

• rolling out phishing-resistant multifactor authentication (MFA), not just text codes or security questions;

• conducting basic breach-path tabletop exercises monthly, not annually;

• patching public facing assets and removing orphaned accounts; and

• hardening backups with offline storage and regular restoration drills.

Squalify CEO Asdrúbal Pichardo says immediate steps start with visibility into areas of vulnerability. Noting that you can’t protect what you don’t understand, he says that ensuring the organization’s risk assessment is current is “a lightweight but high-value step” that highlights strengths and weaknesses so the most serious risks can be addressed.

“The proposed updates to the HIPAA Security Rule included conducting annual risk assessments, rather than as needed, which is a good practice to ensure a periodic situation report of cybersecurity, regardless of whether it ends up in the final updates. It costs next to nothing but quickly reveals policy gaps, access control weaknesses, and vendor or business associate blind spots,” he says. “From there, focus on controls that reduce likelihood and impact of your biggest risks: tighten user provisioning, implement MFA on privileged accounts, and ensure backups are segmented and regularly tested.

“These steps don’t require massive capital outlays—though costs will vary with the size and complexity of the organization—but they dramatically improve your cyber readiness,” Pichardo adds.

John Trest, chief learning officer of VIPRE Security Group, says there are several budget-friendly actions provider organizations can take right away to boost their security profile, including enforcing strong password policies and adding MFA for all accounts, especially those with access to patient data and administrative systems. Training employees regularly on phishing, social engineering, secure handling of sensitive data, and pertinent threat vectors is also prudent “as human error remains the top cause of breaches. To beat the forgetting curve, it’s important to reinforce key lessons with microlearning videos, posters, and ongoing discussions so that security as a whole stays top of mind,” he says.

Other recommendations include the following:

• keeping software, operating systems, and medical devices updated with the latest security patches;

• auditing and limiting access controls by only giving employees the minimum access necessary based on their roles; and

• monitoring network activity to quickly detect suspicious behavior. There are many low-cost monitoring tools that can add an extra layer of protection.

“These relatively inexpensive steps can help prevent the chaos, expense, and reputational fallout that follow a breach,” Trest says, emphasizing that any steps are better than none in the current high-risk threat landscape. “Health care data is among the most valuable on the dark web,” Trest says. “Doing the bare minimum leaves organizations wide open to a range of attacks and consequences. In short, minimal effort invites maximum risk.”

— ESG


References
1. US Department of Health and Human Services. HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information. Federal Register. 2025;90(4):898-920. https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information

2. Alder S. New HIPAA regulations in 2025. HIPAA Journal website. https://www.hipaajournal.com/new-hipaa-regulations/. Published June 27, 2025.

3. IBM Security and Ponemon Institute. Cost of a data breach report 2024. IBM website. https://www.ibm.com/reports/data-breach. Published July 2024.