Bridging the Compliance-Data Breach Gap in Healthcare

The healthcare industry is one of the most highly regulated in the United States. To help ensure patient safety and well-being, improve access to care, and protect patient privacy, healthcare organizations must comply with numerous rules and requirements.

When it comes to protecting patient health information, HIPAA is the gold standard. Its Privacy, Security, and Breach Notification Rules provide a strong compliance framework for the safety and confidentiality of protected health information (PHI), enforced by the HHS Office for Civil Rights. 

Despite extensive guidance and rigorous oversight, healthcare remains one of the most breached industries. Recent research by Xtelligent Healthcare and commissioned by Pondurance revealed that 60% of healthcare providers experienced four or more system failures, cyberattacks, or breaches over the past year. This, even though 71% of providers surveyed prioritize maintaining HIPAA compliance over other considerations. 

Which leads to a critical question: Why do compliance-focused healthcare organizations suffer from so many data breaches? 

We’ll explore possible answers and provide actionable strategies in this latest series of articles, that focuses on breach risks especially facing smaller and midsized healthcare organizations. This first article covers organizational and governance challenges contributing to data breaches and how to mitigate these risk factors. 

Organizational Risk Factors

In healthcare organizations, privacy, security, risk, and compliance teams often live in their own silos, each with its own priorities and leadership. Even security and IT teams may have competing priorities, creating misconceptions about the value of core security practices. These misconceptions occur because security activities may be viewed as impacting access required for patient care. 

One such practice is vulnerability and patch management, which includes regular scanning, timely remediation, and verification through exploit testing. Through this process, security may identify vulnerabilities that need addressing. However, IT operations—tasked with keeping a robust and always-available set of critical systems running—may deprioritize or overlook patches that may risk disrupting services. Any unresolved vulnerabilities create an access point for attackers to exploit.

Because of their unique priorities and focus, IT and security may be considered separate functions within the organization. While this distinction has its benefits, it also creates a natural tension between competing objectives—especially when it comes to financial and other resources. An organization’s top leaders and board should consider both IT and security as equally important to the organization and to patients, and fund each team accordingly.

The Evolving Role of the CISO

Progressive healthcare organizations are removing departmental barriers that put patient data privacy and security at risk. In particular, many healthcare CISOs are absorbing privacy functions. They’re also taking on more of a business role, with greater exposure to the C-Suite and the organization’s board of directors.

IANS research reveals that CISO ownership of privacy increased from 35% to 47% over the past five years. “With the rise in data breaches, regulations, and regulatory scrutiny outside your legal, risk, or compliance functions, CISOs are becoming a natural fit to oversee privacy controls,” says Yunique Demann, senior director and data protection officer at NTT Data Americas.

And a Trellix survey found that 84% of CISOs believe their role should have both a business and technical focus. These findings emphasize the importance of a defensible security posture, where CISOs understand business outcomes, instead of focusing only technical details.

However, the global shortage of cybersecurity talent can make it difficult to attract and retain qualified employees, particularly experienced CISOs. And while many CISOs are learning to appreciate importance of data privacy, a trusted external partner can help bridge any gaps between an organization’s security and privacy teams. 

Governance Risk Factors

Cybersecurity often has limited visibility at the board level, despite the board’s awareness of the frequency and security of healthcare data breaches. In 2024 alone, there were 703 data breaches of PHI impacting over 500 patients reported to HHS through their Office for Civil Rights (OCR).

Yet only 28% of CISOs are considered “strategic,” in that they hold significant influence within the organization and with top leadership. Despite the well-known prevalence of healthcare breaches, there’s a clear gap between board governance of security and privacy and the teams responsible for such crucial activities.

Several obstacles to better governance of healthcare organizations include:

• Lack of cybersecurity background. Board members typically lack the knowledge and experience required to address today’s cyber threats. In addition, there is no roadmap for setting up a board committee to focus on these types of risks. 

• Over-focus on enforcement actions. An organization’s legal counsel will highlight “hotspot” issues that trigger enforcement actions, such as encryption. Other cybersecurity priorities are likely to be overlooked. 

• Communication gaps. While security leaders may understand risk and cyber threats from a technical perspective, they may be unable to translate this risk into business language that board members can relate to. 

• Underfunded programs. Similarly, security teams may fail to present clear, actionable risk assessments. Without an understanding of the risks and their business impact, executives may deny the budgets necessary to mitigate them.

• Misaligned risk priorities. An effective risk management program will align with the organization’s risk tolerance. While no systems are perfectly secure, there should be a balance between over-protection and vulnerability.

• Barriers to progress. Often, ego and a fear of admitting security gaps can prevent honest conversations about resource needs. A culture that encourages honest dialogue and collaboration across departments will lead to better outcomes. 

The Need for Improved Governance 

“Boards should elevate the issue of cyber risk as an enterprise risk management issue,” says John Riggi, senior advisor for cybersecurity at the American Hospital Association (AHA). “And they should ensure they receive regular briefings and updates on the cyber risk profile, and that adequate steps are being taken to mitigate the risk.”

This is especially true when considering technology investments. Security and compliance should be integrated into the planning process from the beginning, rather than adding them after systems are chosen. Upleveling security at the board level ensures new technologies align with patient care goals and regulatory requirements. It also helps avoid costly issues down the line—even if it requires more effort upfront.

How to Bridge the Gap

Protecting sensitive patient data against breach risks and building a strong cybersecurity program are not overnight exercises. Fortunately, there are several strategies healthcare entities can implement to unite disparate teams and priorities—and create a universal goal to minimize breach risks to the organization and to patients.

Conduct a Business Impact Analysis

Many healthcare entities lack a comprehensive inventory of software and systems, which creates significant risk. A business impact analysis across all departments—not just IT—can help a healthcare organization better understand patient care workflows. This, in turn, uncovers critical systems that may be visible to only the IT team. CISOs, CIOs, and other security executives are now aware of and can prioritize these systems which directly impact patient care and other business outcomes. 

Prioritize Your Risks

Identify your highest-priority risks first. While remedying those, work to gain consensus for your next risk priorities. Healthcare organizations are very collaborative, and organizational alignment takes time and effort. 

Create a “Culture of Shared Ownership” 

All stakeholders—clinicians, privacy, compliance, and risk—should have some responsibility for security within their organization. An article in the National Library of Medicine, “Managing cybersecurity risk in healthcare settings,” calls this concept “a culture of shared ownership.”  

The article notes that “Engaging clinicians in risk assessments, policy development, and technology selection ensures that security measures align with clinical workflows and address their concerns effectively.”

Make Cybersecurity Part of Your Business Strategy

Strong governance ensures that the board prioritizes and allots sufficient budget to cybersecurity. The business impact analysis can help CISOs clearly communicate risk and focus resources on critical functions. With dangerous threats like ransomware affecting healthcare providers, business continuity and preparing for operational disruption should take on higher priorities.

Benefit from Your Security Incidents

Never miss an opportunity to take advantage of security incidents and data breaches. These experiences create a unique opportunity for increasing resource and technology investments, and aligning organizations to protect against cyber threats.

Make Pondurance Your Trusted Partner

These recommendations can help healthcare entities build a strong foundation for a cybersecurity program that protects regulated and sensitive data against breach risks. However, smaller and midmarket providers often lack the internal skills and resources to accomplish their cybersecurity goals.

Pondurance can help. Our award-winning virtual CISO service offers trusted advisors and valuable resources that enable healthcare CISOs to achieve both short-term and long-term organizational goals. These services are ideal for midsized healthcare organizations that may lack the budget to for a full-time, top-level CISO. 

Whatever your needs, we’ll empower your security team with a sustainable cybersecurity program that aligns with your organizational goals and that your board can buy into. Contact us for more information.

Get your copy of “A Midsize Organization's Guide to Reducing Breach Risks in 2025” playbook.