    Keep up with HIPAA Expectations amid Growing Cyber Threats

    By admin, June 16, 2026


    In the healthcare industry, a security failure isn’t just an information technology (IT) problem. It’s a patient safety problem that can result in non-compliance fines under the Health Insurance Portability and Accountability Act (HIPAA).

    Fortunately, healthcare organizations can satisfy both their cybersecurity and compliance obligations in a way that upholds patient safety. This blog post will walk you through how. But first, we need to understand what healthcare organizations are up against.

    Healthcare as the Number One Target of Threat Actors

    Healthcare is one of the top industries targeted by threat actors. In its Data Breach Outlook 2025, Kroll shared how healthcare was the most breached industry in 2024 at 23% of breaches tracked. (It accounted for just 18% of breaches the previous year.)

    The threat landscape confronting healthcare organizations continues to evolve, as well. For instance, in its 2026 Data Breach Investigations Report (DBIR), Verizon analyzed 1,492 incidents in the healthcare sector, with data disclosure confirmed in 1,438 of them. Staff mistakes, misconfigurations, and miscellaneous errors were among the top sources of those healthcare breaches, with financially motivated external attackers using vulnerabilities to conduct system intrusions. 

    Threat actors don’t reserve these attack techniques for large enterprises. Small and mid-sized providers are increasingly in the crosshairs, as attackers know resource-constrained teams struggle to keep up. As a result, threat actors continue to target these organizations, resulting in delayed procedures, diverted ambulances, and compromised patient records.

    A case in which the Cyber Incident Response Team (CIRT) of the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) provided support shows what this can look like. In the second quarter of 2025, a remote U.S. hospital experienced a network intrusion associated with a ransomware incident. The intrusion disabled access to the hospital’s domain controller and other critical systems, disrupting lab reporting, medication distribution, and administration of computerized tomography (CT) scans. At the time of the incident, the hospital lacked the staffing it needed to read radiology films and transfer necessary digital medical records, limitations which would have resulted in additional difficulties had the facility needed to divert patients to other organizations.

    HIPAA Compliance Is Getting Harder to Ignore

    Clearly, the threat environment isn’t slowing down, and regulators have taken notice.

    The U.S. Department of Health and Human Services (HHS) has signaled that enforcement, scrutiny, and penalties for non-compliance are rising. In May 2026, HHS sent a letter to all 50 state governors and treasurers announcing the launch of the Audit Enforcement and Risk Oversight (AERO) initiative. According to a press release, this letter clarifies HHS will no longer tolerate persistent audit noncompliance and that it will reach out to states with delinquent audit submissions.

    This announcement misses an ongoing challenge for the healthcare sector: regulations such as HIPAA’s Security Rule require organizations to implement “reasonable and appropriate” safeguards, but that ambiguity is a pain point for many teams. Specifically, healthcare compliance teams struggle with the following:

    • Knowing which technical controls actually satisfy HIPAA requirements
    • Keeping configurations up to date as systems and vendors change
    • Documenting and demonstrating compliance to auditors
    • Eliminating gaps between documentation and real‑world security maturity

    The gap between “we think we’re compliant” and “we can prove we’re compliant” is where organizations get hurt.

    And that gap is expanding. According to The HIPAA Journal, the Office of Civil Rights (OCR) identified late spring 2026 as the release date for the first major update to the HIPAA Security Rule since the HIPAA Omnibus Rule of 2013 underwent changes mandated by the HITECH Act. The changes considered at the time of writing include several cybersecurity requirements:

    • Asset inventory and network map
    • Specific requirements around risk analysis
    • Written procedures for data restoration and incident response
    • Patch management program
    • Separate controls for data backups
    • Annual verification of business associates’ and contractors’ security measures

    Security and compliance teams are already stretched thin, making it difficult for them to translate evolving regulatory language into actionable controls.

    The Missing Link: Connecting Security Controls to HIPAA Requirements

    As healthcare organizations adapt to the HIPAA Security Rule updates, they need to ensure those efforts don’t end up in silos that are disconnected from the compliance frameworks auditors and regulators reference. They need a way to map their security work directly to evolving HIPAA requirements so nothing falls through the cracks.

    This is where CIS SecureSuite® Membership can help. It provides organizations access to cybersecurity resources and tools that help to streamline implementation of the CIS Critical Security Controls® (CIS Controls®) and CIS Benchmarks®, globally recognized best practices for defending and hardening systems against the most common cyber threats. Among those resources is the CIS SecureSuite Platform, a centralized solution which combines certain Membership capabilities into a single interface, saving teams time and money in improving their visibility and decision-making around identifying cybersecurity gaps, prioritizing remediation, and demonstrating compliance with frameworks such as HIPAA.

    The CIS SecureSuite Platform includes a comprehensive mapping of the HIPAA Security Rule to the CIS Controls and CIS Safeguards, which helps teams do the following:

    • Move beyond checkbox compliance using clear alignment between HIPAA requirements and specific, prescriptive security actions
    • Reduce audit and enforcement risk through risk‑based prioritization, which enables organizations to focus on what reduces real‑world threats, not just what satisfies auditors
    • Protect patient data and clinical operations using defensible, vendor‑neutral guidance trusted across industries
    • Maximize limited resources and reduce guesswork for teams by eliminating the need to build custom mappings or interpretations

    CIS SecureSuite also includes tools for policy, assessment, and reporting — everything healthcare teams need to operationalize a sustainable compliance program, not just a one-time audit pass.

    Don’t Choose between Strong Security and HIPAA Compliance

    Most teams might be stretched thin, but healthcare organizations don’t have to choose between strong security and HIPAA compliance. The right tooling empowers them to achieve both.

    Ready to see how CIS SecureSuite is built to help your teams do more with less?

     

     

     


