The Resilience Gap

Zero Trust and HIPAA

Wed, 25 Mar 2026 14:15:44 GMT

Because the Castle Walls are No Longer Enough

The next evolution of the HIPAA Security Rule is shaping up to be less about checking boxes and more about fundamentally changing how healthcare organizations think about risk and resilience. And if you’ve been hearing terms like “Zero Trust" thrown around, it’s not just industry noise. This concept is quickly becoming the baseline expectation rather than advanced security maturity.

At its core, Zero Trust is actually a simple idea, even if the technology behind it can get complex. For years, most organizations operated like a castle. If you were inside the castle walls (in the building logged into the system) you were trusted. The assumption was that threats came from the outside, and once someone got in they were largely free to move around. Zero Trust flips that thinking completely. It assumes that no one, inside or outside the network, should be automatically trusted. Every access request must prove itself, every time.

In plain terms, it’s the difference between leaving all the interior doors of your house unlocked because someone made it through the front door, versus requiring a key for every room. It might sound excessive at first, but in a world where over 60% of breaches result from stolen credentials and insider exploits, it’s a far more realistic model.

This is where multi-factor authentication, identity and access management, and network segmentation come into play. They aren’t separate initiatives anymore. They are the basic building blocks of a Zero Trust approach. Multi-factor authentication ensures that a password alone is no longer enough to access sensitive systems. Identity and access management governs who has access to what, and just as importantly, whether they still need that access today. Network segmentation limits how far someone, or something, can move within your environment, even if they do get in.

For small and mid-sized healthcare providers like care centers, clinics, and specialty practices, this shift can feel daunting. Many of these organizations have historically relied on outsourced IT support and legacy systems that were never designed with this level of security in mind. They're concerned how they implement something that sounds enterprise-grade without enterprise resources. This is understandable.

The reality is that Zero Trust is less about buying a single product and more about adopting a mindset. Most SME care centers are already partway there, whether they realize it or not. If you’re using cloud-based EHR systems, enforcing MFA for remote access, or limiting administrative privileges, you’ve already taken steps in the right direction. The upcoming expectations simply formalize and expand those practices.

What will change is the level of intentionality. Access will need to be more tightly defined, not just for clinicians and staff, but also for anyone else interacting with patient data. “Set it and forget it” user accounts will become a liability. Shared logins, which are still surprisingly common in some environments, will become increasingly difficult to justify. Networks that once operated as flat environments will need to be broken into smaller, controlled zones to prevent lateral movement.

For a care center, this doesn’t mean building a complex, military-grade infrastructure overnight. It means asking practical questions. Does every employee only have access to the systems and resources they truly need? Is MFA enforced everywhere it should be, not just at the perimeter? If a device is compromised, how much of the environment can it actually reach? If a staff member leaves, how quickly and completely is their access removed?

There’s also a cultural shift embedded in all of this. Security can no longer be seen as an obstacle to care delivery. It has to be part of how care is delivered safely. That requires clear communication with staff, not just new written policies. When clinicians understand that these measures protect patient safety just as much as they protect data, adoption tends to follow.

From a regulatory perspective, the direction is clear. The updated HIPAA Security Rule is moving toward requiring demonstrable, ongoing risk management rather than periodic compliance exercises. You know, the "compliance theater" I've frequently talked about. Zero Trust aligns perfectly with that goal because it is continuous by design. It doesn’t assume security based on past assessments. It continuously verifies it in real time.

For SME care centers, the takeaway isn’t that the bar is being raised beyond reach. It’s that the definition of “reasonable and appropriate safeguards” is evolving to match the constantly evolving threat landscape. And the easiest way to successfully navigate this is to start small, prioritize high-impact areas like MFA and access control, and build from there with a clear strategy.

In the end, Zero Trust isn’t about distrust for its own sake. It’s about acknowledging reality and designing systems that are resilient because of it. In healthcare, where the stakes are measured in both data and lives, that shift isn’t just inevitable. It’s necessary, and way overdue.

Say Good-Bye to Policy Roulette

Tue, 10 Mar 2026 13:29:08 GMT

Changes to HIPAA Will Require Written Policies

The coming update to the HIPAA Security Rule is shaping up to be one of the most consequential changes healthcare organizations have seen in years. At last word, the revisions are still expected around May, and while many people assume the changes will be incremental, the direction they point is anything but casual. The message from regulators is clear: the era of loosely interpreted security practices is ending.

One of the more telling changes involves something that sounds deceptively simple—documentation. The revised rule is expected to require covered entities to maintain written policies addressing every standard and implementation specification within the Security Rule, whether those provisions apply directly to the organization or not. In other words, it will no longer be enough to say, “That requirement doesn’t apply to us.” Organizations will now need to explain why it doesn’t apply and document the reasoning behind that determination.

At first glance, that might sound like a bureaucratic exercise. In reality, it reflects a deeper shift in regulatory thinking.

For years, the Health Insurance Portability and Accountability Act framework has relied heavily on the concept of “flexibility of approach.” The Security Rule recognizes that a rural clinic, a mid-sized physician group, and a multi-hospital health system cannot all implement security controls in the exact same way. Organizations have been allowed to scale their safeguards based on size, complexity, and risk.

The problem is that flexibility has too often been interpreted as "optional".

Investigations following major healthcare breaches routinely uncover the same underlying issue: controls were never formally evaluated in the first place. Decisions were made informally, assumptions went undocumented, and security measures that should have been implemented were simply never considered in a structured way. When regulators ask why something wasn’t implemented, “we didn’t think it applied” doesn’t carry much weight if there is no written analysis behind it.

Requiring written policies for every standard closes that gap. It forces organizations to move from assumption to deliberation. Each safeguard must be considered, assessed against the organization’s environment, and either implemented or formally justified if it is not.

Seen in isolation, this requirement might feel like an administrative burden. Viewed in context, it’s part of a much broader effort to address what has become a relentless wave of healthcare breaches. Year after year, the volume of incidents reported to the U.S. Department of Health and Human Services continues to climb. The industry has reached a point where the phrase “record number of breaches” has almost become routine.

Healthcare organizations face a uniquely difficult threat landscape. They manage some of the most valuable data on the black market, often operate with constrained IT resources, and rely on complex ecosystems of vendors and interconnected systems. Meanwhile, ransomware operators have learned that disruptions in healthcare carry immediate operational consequences, which increases the pressure to pay.

Against that backdrop, regulators are steadily tightening expectations around security governance.

Documentation may not sound like a frontline defense against cyberattacks, but it plays a critical role in building a resilient security program. When policies are comprehensive and clearly articulated, they create a shared understanding of how security is supposed to function within the organization. They define responsibilities, establish decision-making frameworks, and ensure that risk management is not left to improvisation.

More importantly, written policies reveal gaps. When organizations are forced to map their operations against every requirement in the Security Rule, weaknesses that were previously invisible often come into focus. Missing controls and unmanaged risks become far easier to identify when they are laid out in black and white.

In that sense, the upcoming changes should not be viewed solely as regulatory tightening. They are also an opportunity for organizations to bring clarity and discipline to their security posture.

Many healthcare entities will discover that the real challenge is not implementing new technology but establishing the governance structure that should have been in place all along. Policies that fully address the Security Rule require organizations to think systematically about risk analysis, access management, contingency planning, vendor oversight, and incident response. They require security to be treated not as a set of tools but as an operational function woven into the organization’s daily practices.

The healthcare sector has reached a moment where incremental improvements are no longer enough. The scale and sophistication of cyber threats have grown faster than many security programs have evolved to meet them. Regulators recognize that reality, and the forthcoming Security Rule changes reflect an effort to close that gap.

Whether the final rule arrives in May or slightly later, the direction is already clear. Healthcare organizations will be expected to demonstrate not only that they have safeguards in place, but that they have thoughtfully evaluated every requirement of the Security Rule and documented the reasoning behind their decisions.

In the end, that shift represents something more than compliance. It represents a move toward accountability. And in an industry where the protection of patient data is inseparable from the protection of patient trust, that accountability has never mattered more.

Don't Forget The Little Things

Wed, 25 Feb 2026 14:42:36 GMT

Cybersecurity Is Built on Small Habits, Not Grand Gestures

When we talk about cybersecurity and cyber resilience, the conversation usually gravitates toward big, visible initiatives. New tools. Major training rollouts. Enterprise-wide policy updates. These things matter, and they deserve attention. But in busy operational environments like care centers, some of the most meaningful improvements don’t come from sweeping changes. They come from small, quiet adjustments that cost nothing but awareness.

Walk through any care center and you’ll see the reality of modern healthcare work. Clinicians moving quickly between patients. Administrative staff juggling phones, scheduling, and documentation. Workstations in hallways, nursing stations, and shared areas. The pace is fast, and the mission is clear. But in that speed and openness, small security gaps often emerge without anyone realizing it.

A monitor angled just slightly outward can expose sensitive patient information to anyone walking by. A workstation left unlocked for a moment becomes an open door. A screen that stays active indefinitely quietly increases the risk that information will be seen by the wrong person. None of these situations feel dramatic in isolation. They don’t trigger alarms. They don’t look like attacks. But they create opportunities, and cybersecurity incidents often begin with opportunity.

Cyber resilience is not just about preventing sophisticated attacks. It’s about reducing unnecessary exposure. It’s about recognizing that information, especially protected health information, doesn’t need to be stolen through complex technical exploits if it can simply be seen. Visibility is access. And access, even passive access, is risk.

What makes these small exposures particularly important is how easy they are to fix. Adjusting a monitor’s position so it faces inward instead of outward takes seconds. Enabling automatic screen locks after a short period of inactivity is a simple configuration change. Being mindful of who is within view when accessing sensitive records requires nothing more than awareness. These are not expensive solutions. They don’t require procurement cycles or implementation projects. They require attention.

More importantly, these small actions reinforce something deeper than security controls. They reinforce culture. When staff members become conscious of their physical and digital surroundings, security becomes part of the rhythm of daily work rather than an external requirement imposed from above. It stops being something that only lives in policies and starts living in behavior.

In healthcare environments, where trust is foundational, this matters even more. Patients trust that their information will be handled with care and discretion. Protecting that trust isn’t only about defending against ransomware or phishing. It’s also about ensuring that their information isn’t casually exposed through preventable oversights.

There is a tendency to think of cybersecurity maturity as a function of what an organization buys. In reality, maturity is often a function of what an organization notices. Awareness is one of the most powerful and underutilized security controls available. It scales instantly. It costs nothing. And it closes gaps that technology alone cannot.

Grand gestures have their place. They move organizations forward. But resilience is built in the quiet moments between those gestures. It’s built when someone instinctively locks their screen before stepping away. It’s built when someone adjusts a monitor without being told. It’s built when security becomes not an interruption to the mission, but part of how the mission is carried out.

Cybersecurity doesn’t always announce itself. Sometimes, it’s simply the act of looking around and choosing to do the small things right.

Vendor Management in Cybersecurity

Wed, 11 Feb 2026 16:08:22 GMT

The Hidden Risk in Medical Imaging Environments

In healthcare, cybersecurity conversations often focus on endpoints, phishing, ransomware, and regulatory compliance. Those are important topics. But in medical imaging environments, there is another risk that is frequently underestimated: vendor access.

In many imaging centers and radiology practices, critical systems such as CT scanners, MRI machines, PACS platforms, and diagnostic workstations are installed, maintained, and supported by third-party vendors. To provide timely support, these vendors often maintain remote access into the organization’s network 24x7. While this model keeps equipment operational and minimizes downtime, it also introduces a layer of risk that must be actively managed.

The Nature of the Risk

Medical imaging systems are complex and highly specialized. Most organizations do not have in-house engineers capable of maintaining or troubleshooting the internal components of these modalities. As a result, vendors require remote connectivity to perform diagnostics, apply updates, and resolve issues quickly.

From an operational standpoint, this makes sense. From a cybersecurity standpoint, it creates several challenges.

First, every remote access pathway into your network represents a potential entry point. If a vendor’s credentials are compromised, or if their own internal network is breached, attackers may attempt to pivot through trusted connections into client environments.

Second, vendor-managed systems are not always patched or hardened on the same schedule as standard IT assets. Imaging systems often run specialized operating systems or legacy software that cannot be easily upgraded without regulatory approval or manufacturer support. This can leave vulnerabilities exposed for longer periods of time.

Third, visibility is often limited. Many organizations cannot clearly answer questions such as "Who currently has access to each imaging modality?" or "When was the last time a vendor logged in?" or "How is that access secured?"

If these questions cannot be answered quickly, the organization is operating with significant blind spots.

A Realistic Threat Scenario

Consider a common scenario. A vendor provides remote support through a VPN or remote access appliance connected directly to the imaging network. Credentials are shared among multiple technicians for convenience, and multifactor authentication is not enforced because the equipment is considered “isolated.”

An attacker compromises the vendor through phishing or credential theft. Using legitimate remote access tools, they connect into multiple customer environments without triggering immediate alarms. Once inside, they move laterally, looking for file shares, domain controllers, or backup systems.

By the time the SOC notices unusual activity, systems may already be encrypting or data may be exfiltrated.

This type of attack is not hypothetical. Supply chain and trusted-access attacks have become one of the fastest-growing intrusion methods because attackers know vendors provide a scalable pathway into many organizations at once.

Why Imaging Environments Are Especially Vulnerable

Medical imaging networks have characteristics that make vendor risk even more significant.

They have high uptime requirements. Imaging equipment is revenue-generating and patient-care critical. Systems cannot be taken offline easily for maintenance or security testing.

There's usually legacy dependencies. Modalities often remain in service for many years, far longer than typical IT hardware lifecycles.

Typical organizations have flat or semi-flat network segments. Imaging networks are sometimes less segmented than they should be, allowing lateral movement if an attacker gains entry.

They maintain large data volumes. PACS systems store massive amounts of sensitive patient data, making them attractive targets.

They have operational reliance on vendors. Organizations may feel they cannot impose strict controls without risking slower support or warranty complications.

These realities make vendor management not just a procurement or compliance function, but a core component of cybersecurity.

Practical Safeguards That Reduce Risk

The goal is not to eliminate vendor access. That is rarely practical. The goal is to control, monitor, and limit that access in ways that reduce exposure while preserving operational support. There are several measures that can significantly improve security.

First, require multifactor authentication (MFA). All remote access into the environment, especially vendor access, should be protected with MFA. This single control dramatically reduces the risk of credential-based attacks.

Second, use controlled remote access pathways. Vendors should connect through managed, monitored gateways rather than persistent, always-on connections. Access should be enabled only when needed and disabled when sessions end whenever possible.

Then implement network segmentation. Imaging systems should reside in segmented networks that restrict lateral movement. Even if a vendor connection is compromised, segmentation can prevent attackers from reaching core infrastructure.

You must also log and monitor vendor activity. Remote sessions should be logged, and alerts should be generated for unusual access times, locations, or behaviors. Visibility is essential for both detection and forensic response.

Limit access by applying the principle of least privilege. Vendors should have only the access necessary to perform their functions and no more. Shared accounts should be eliminated wherever possible in favor of individual authentication.

Due diligence should be performed in reviewing vendor agreements and security practices. Security expectations should be written into contracts . This can include requirements for MFA, breach notification timelines, access control practices, and audit rights.

And lastly, maintain an accurate vendor access inventory. Organizations should maintain a current list of:

Which vendors have access
How they connect
What systems they can reach
Who authorized the access

This information becomes critical during incident response.

Vendor Management Is Leadership’s Responsibility

One of the most common misconceptions in healthcare cybersecurity is that vendor risk is purely a technical issue. In reality, it is an operational and governance issue that requires leadership involvement. Decisions about vendor access affect patient care, revenue continuity, compliance, and organizational reputation. These are executive-level concerns, not just IT concerns.

Leaders should be asking important questions. "Do we know who has remote access to our environment?" "Could we quickly disable vendor access in an emergency?" "How would we detect misuse of those connections?"

You should already know the answers. But if you find those questions are difficult to answer, don't panic. Your organization has an opportunity to strengthen its security posture.

Final Thoughts

Medical imaging businesses operate in a high-risk environment by nature. They manage sensitive patient data, rely on specialized equipment, and depend heavily on third-party vendors to keep operations running. Vendor access is not inherently unsafe, but unmanaged vendor access is.

Strong vendor management does not slow down operations. When implemented correctly, it ensures that the organization can continue delivering patient care even in the face of cyber threats.

In cybersecurity, the most dangerous risks are often the ones that feel routine. Vendor access falls squarely into that category. The organizations that recognize this early while putting the right controls in place are far more likely to avoid becoming the next headline.

When ROI Is the Only Lens

Thu, 29 Jan 2026 15:06:36 GMT

How Cost-Centered Cybersecurity Hurts SME Healthcare Practices

In small and mid-sized healthcare organizations, every dollar matters. Margins are tight, reimbursement is complex, staffing is strained, and leaders are constantly forced to prioritize competing needs. In that environment, it’s understandable that cybersecurity investments are often evaluated through a single question:

“What’s the ROI?”

The problem is that when cybersecurity is treated only as a cost center, and purchasing decisions are made solely on short-term financial return, it doesn’t just limit security maturity. It actively puts the practice, its patients, and its long-term viability at risk.

The ROI Trap in Healthcare Cybersecurity

Traditional ROI models work well for revenue-generating investments. A new imaging device, an expanded service line, or a marketing campaign are all expected to increase revenue. Cybersecurity doesn’t fit neatly into that framework.

You don’t buy MFA to make money. You don’t deploy endpoint protection to increase patient volume. You don’t invest in backups expecting them to “pay for themselves.”

Instead, cybersecurity is about risk reduction, continuity, trust, and resilience. All outcomes that are harder to quantify. That is, until they’re gone.

When leaders insist on a clear, immediate ROI before approving security controls, three things usually happen, and none of them are good for the business.

Basic protections get delayed or rejected

Security becomes reactive instead of proactive

Risk quietly accumulates across the organization

And in healthcare, accumulated cyber risk doesn’t stay theoretical for long.

Cybersecurity Is Already a Core Business Function

Healthcare practices don’t exist without technology anymore. EHRs, billing platforms, imaging systems, scheduling software, remote access, and connected medical devices are foundational to daily operations. If any one of them were to suddenly disappear, the practice would be hurt immeasurably. That means cybersecurity is no longer “IT overhead.” It directly enables:

Patient safety — system availability and data integrity for things like diagnostics, medication tracking, treatment

Operational continuity — avoiding disruptions and downtime, or completely cancelling care

Regulatory compliance — HIPAA, PCI-DSS, cyber insurance requirements

Revenue protection — includes billing continuity and claims processing

Organizational reputation and trust — One of the most valuable assets a practice has, and which takes years to build

When systems go down, clinics stop seeing patients. When data is breached, trust erodes instantly. When ransomware hits, recovery costs far exceed any “savings” from skipped controls. Cybersecurity isn’t adjacent to the business. It's part of the business.

The Hidden Costs Leaders Don’t Model

Ironically, leaders who fixate on ROI often overlook the most expensive outcomes. These are the things like operational downtime, and can be measured in days or weeks.

Lost revenue from cancelled appointments and delayed billing begin adding up almost immediately. For an SME practice this could be tens to hundreds of thousands of dollars per day.

Incident response and forensic costs are not cheap, and these costs can also drag out into weeks while the practice attempts to recover.

And let's not forget the legal and regulatory exposure . More and more breached practices are getting sued by individual patients, and in the case of larger practices, class-action suits.

Just as your car insurance tends to go up after an accident, be prepared for increased cyber insurance premiums—or loss of coverage . And that's if you're covered for the incident at all. If it's discovered you did not complete necessary due diligence and didn't have basic safeguards in place, coverage may be denied.

Staff burnout during crisis recovery is also a very real thing. It's not uncommon for some staff to quit or resign during or after recovery.

And the loss of trust affects patient churn due to lost confidence.

These costs rarely appear in procurement discussions, but they dominate the balance sheet after an incident. A $30,000 security control that “doesn’t show ROI” often prevents a $500,000 disruption that no spreadsheet ever modeled.

Cost-Centered Thinking Leads to Fragile Decisions

When cybersecurity is viewed as a pure expense, organizations tend to buy the cheapest tool instead of the right one. And usually this is only to satisfy a compliance checkbox, not to build real protection.

These organizations also tend to skip employee training and testing because they don’t show immediate value. This is despite the fact that employees are the first lines of defense in any cybersecurity strategy, while also being the weakest link.

They also avoid layered defenses in favor of single-point solutions. Does this sound familiar, " We have a good firewall, so we're secure ."

And of course, improvements are postponed until something happens. That's the often heard " We've never been breached before " excuse.

These invariably create brittle environments that look acceptable on paper but fail under real-world pressure. This is especially true during phishing attacks, credential theft, or ransomware events. Healthcare attackers don’t need sophisticated exploits. They exploit underinvestment, fatigue, and gaps created by cost-only thinking.

Cybersecurity as a Business Enabler

Reframing cybersecurity changes decision-making entirely. When viewed as a business enabler, cybersecurity protects uptime, allowing uninterrupted patient care. It supports growth, mergers, and technology adoption. It stabilizes insurance and compliance posture.

These have the effect of enabling faster recovery when something does go wrong, which reduces leadership and staff stress during incidents.

And finally, when the practice is secure and resilient, it builds patient trust and brand credibility. This is the best marketing you can have.

Strong security doesn’t slow practices down. It allows them to operate with confidence. The most resilient healthcare organizations aren’t the ones spending the most. They’re the ones spending intentionally, aligning security controls with real operational risk instead of chasing theoretical ROI.

A Leadership Responsibility, Not a Line Item

Ultimately, cybersecurity decisions in healthcare aren’t financial exercises alone. They are leadership decisions. Leaders don’t ask for the ROI of fire suppression systems, emergency exits, or sterilization protocols. They invest because the consequences of failure are unacceptable. Cybersecurity belongs in that same category.

For SME healthcare leaders, the question shouldn’t be, “What’s the ROI if we buy this?”

It should be, “What happens to our patients, staff, and practice if we don’t? ”

Because in healthcare, the true cost of cybersecurity isn’t what you spend. It’s what you risk when you don’t.

Big Changes Are Coming To HIPAA

Fri, 23 Jan 2026 15:37:23 GMT

The “Wait and See” Cybersecurity Mindset Is the Biggest Risk Facing SME Healthcare Providers

Mon, 12 Jan 2026 14:24:58 GMT

MFA Can No Longer Wait

After years of working with small and mid-sized healthcare providers, one pattern shows up again and again: cybersecurity investments are deferred until something bad happens. Tools like multi-factor authentication (MFA) are viewed as optional, inconvenient, or “something we’ll get to later.” Even when MFA is explicitly required by PCI-DSS, strongly encouraged by cyberinsurance carriers, and recommended by every major security framework, many organizations still take a wait-and-see approach.

In healthcare, that mindset is no longer just risky—it’s dangerous.

Compliance Isn’t the Real Reason to Act (But It’s the First Warning)

Let’s be clear: MFA is not a “nice to have.” It is already required under PCI-DSS for systems that touch payment card data. Cyberinsurance providers increasingly mandate it as a condition of coverage. HIPAA enforcement is also moving in a direction where basic security controls—like MFA—are no longer implied best practices but expected safeguards.

Yet compliance alone rarely motivates meaningful change. Too often, organizations implement controls just enough to pass an audit, check a box, or satisfy an underwriter. When MFA is framed purely as a compliance requirement, it becomes something to resist rather than something to embrace.

That’s a mistake.

The Reality: Most Healthcare Breaches Don’t Start With Advanced Attacks

There’s a persistent myth that cyber breaches are the result of highly sophisticated attackers using zero-day exploits. In reality, most healthcare breaches begin in much simpler ways:

Stolen or reused passwords
Phishing emails that harvest credentials
Compromised remote access accounts
Exposed email inboxes

In these scenarios, MFA is often the single control standing between an attacker and full access to systems containing ePHI.

When MFA is in place, a stolen password alone is usually not enough to cause a breach. When MFA is missing, the attacker is already halfway in the door.

Why “We Haven’t Been Breached Yet” Is a False Sense of Security

Many SME healthcare leaders say some version of: “We haven’t had an incident yet, so the risk must be low.” In cybersecurity, this logic is deeply flawed.

Not being breached is not the same as being secure. It often means:

You haven’t detected the breach yet
You haven’t been targeted yet
You’ve been lucky

Healthcare is a high-value target precisely because organizations are under-resourced, operationally stretched, and hesitant to introduce friction into clinical workflows. Attackers know this. They count on weak authentication because it consistently works.

MFA Is Not About Perfection—It’s About Prevention

Cybersecurity is not about eliminating all risk. It’s about reducing risk to a level where common attacks fail.

MFA does exactly that.

It doesn’t require a massive security program.
It doesn’t demand a full-time security team.
It doesn’t stop clinicians from delivering care.

What it does is break the most common attack chain used against healthcare organizations today.

If an organization can only do one thing to improve its security posture, MFA should be at the top of the list.

The Cost of MFA vs. the Cost of a Breach

For SME healthcare providers, budgets are always tight. But this is where perspective matters.

The cost of implementing MFA is measurable, predictable, and relatively small.

The cost of a breach is not.

A single incident can result in:

Operational downtime
Patient care disruption
Regulatory investigations
Legal and notification costs
Loss of patient trust
Increased insurance premiums—or loss of coverage altogether

Many breaches that make headlines could have been prevented with basic MFA deployment on email, remote access, and administrative accounts.

HIPAA Is Catching Up to Reality

Historically, HIPAA has been criticized for being vague about “reasonable and appropriate safeguards.” That ambiguity is disappearing. Enforcement actions increasingly point to the absence of basic security controls as evidence of noncompliance.

In other words, “we didn’t think we needed it yet” is becoming harder to defend.

Organizations that delay MFA implementation are not just behind best practices—they are exposing themselves to regulatory, financial, and operational risk that leadership may not fully appreciate until it’s too late.

Leadership Must Reframe the Conversation

The resistance to MFA is rarely technical. It’s cultural.

Leaders worry about:

User complaints
Workflow disruption
Adoption challenges

But the real leadership question should be this:
Are we willing to accept preventable risk to avoid short-term inconvenience?

Healthcare organizations routinely manage complex clinical workflows, regulatory requirements, and patient safety protocols. Adding MFA is not beyond their capability—it simply requires prioritization.

The Bottom Line

MFA should not be implemented because:

An auditor asked for it
An insurer demanded it
A regulation may soon require it

It should be implemented because it is the most effective first step in preventing a breach.

For SME healthcare providers, cybersecurity does not start with advanced tools or massive investments. It starts with foundational controls that stop the most common attacks cold.

The wait-and-see approach has run out of time.
The cost of waiting is no longer hypothetical.

If you want to prevent a breach, MFA is not optional—it’s essential.

Leadership Blind Spots in Cybersecurity

Mon, 29 Dec 2025 20:06:14 GMT

“I Thought IT Had That Covered”

There’s a phrase I hear far too often when speaking with executive teams after a security incident:

“I thought IT was handling that.”

Sometimes it’s said with frustration.
Sometimes with surprise.
Almost always with regret.

This assumption—that cybersecurity risk is owned, understood, and controlled somewhere deep inside the IT department—is one of the most dangerous leadership blind spots organizations carry today.

And it’s not because leaders are negligent.
It’s because cybersecurity doesn’t look like other enterprise risks… until it’s too late.

The Comfort of Delegation

In most organizations, risk is visible:

Financial risk shows up in forecasts and audits
Legal risk shows up in contracts and litigation
Operational risk shows up in downtime and missed SLAs

Cyber risk, by contrast, is quiet when it’s managed just enough to avoid daily pain.

No alarms.
No flashing dashboards in the boardroom.
No broken windows—until suddenly, there are.

So leadership does what leadership is incentivized to do:
delegate technical complexity to technical teams.

That works— right up until it doesn’t.

Where the Blind Spot Actually Lives

The blind spot isn’t “leaders don’t care about cybersecurity.”

The blind spot is leaders assume cyber risk behaves like an IT problem , when in reality it behaves like:

Enterprise risk
Business continuity risk
Reputational risk
Patient safety risk (in healthcare)
Regulatory and personal liability risk

IT can implement controls.
IT cannot own the consequences.

That distinction matters more than most organizations realize.

“We’re Compliant” Is Not the Same as “We’re Resilient”

Another leadership trap: equating compliance with safety.

Passing an audit, checking a framework box, or producing a policy document creates a powerful—but often false—sense of security.

Compliance answers questions like:

Do we have a policy?
Did we perform a risk assessment?
Are controls documented?

Resilience answers different questions:

Can we operate during an incident?
Do leaders know who decides what under pressure?
Can we recover without improvisation?
Have we practiced failure?

Most breaches don’t happen because policies were missing.
They happen because decision-making collapsed when reality diverged from the plan .

The “Gray Zone” IT Can’t Fix Alone

Here’s where leadership engagement is irreplaceable:

Risk acceptance : What risks are we consciously taking—and why?
Prioritization : Which systems matter most to the business, not just IT?
Tradeoffs : What are we willing to slow down, restrict, or fund differently?
Crisis authority : Who can shut systems down, notify regulators, or communicate externally?

When these decisions are unspoken or assumed, IT is forced to guess.
And guessing is not governance.

Why This Blind Spot Persists

Even experienced executives fall into this trap because:

Cyber incidents feel hypothetical—until they’re personal
Metrics are often technical, not business-aligned
Success looks like “nothing happened”
Responsibility is diffuse, but blame is concentrated

Ironically, the better IT performs day-to-day, the more invisible the risk becomes.

Closing the Gap: What Leaders Must Own

Closing this blind spot doesn’t require becoming technical.

It requires intentional ownership :

Acknowledge cybersecurity as a leadership function , not an IT task
Demand business-level risk conversations , not tool updates
Tie cyber scenarios to operational and reputational impact
Rehearse incidents the same way you rehearse other crises
Empower security leaders with authority—not just responsibility

When leadership owns cyber risk, IT becomes exponentially more effective.

Final Thought

The most damaging cybersecurity failures rarely start with hackers.

They start with assumptions.

Assumptions that “someone else has it handled.”
Assumptions that compliance equals safety.
Assumptions that silence means security.

In today’s threat landscape, the greatest risk isn’t what IT missed—it’s what leadership never asked.

You Passed the Audit. Are You Ready for the Incident?

Thu, 18 Dec 2025 17:45:58 GMT

Passing the Audit Doesn't Mean You're Bulletproof

The practice passed its audit two months before the incident.

That detail comes up early in every post-incident conversation, usually with a mix of confusion and disbelief. The documentation was solid. The boxes were checked. Everyone felt confident.

And yet, when systems went down, that confidence evaporated in minutes.

Because audits don’t measure how an organization behaves under pressure. They measure how well it prepared for inspection.

Those are not the same thing.

What leadership thought the audit meant

For most SME healthcare leaders, an audit passing signals closure.

HIPAA? Covered.
Security program? Documented.
Risk? Managed.

It’s not an unreasonable assumption. Audits are expensive, time-consuming, and disruptive. When you pass one, it feels like you’ve earned a pause.

But audits validate evidence, not capability.

They confirm that policies exist. That controls are described. That responsibilities are assigned on paper.

They don’t test whether those controls work at 5:47 a.m. when phones are down and patients are already noticing.

What actually happened when things broke

When the incident hit, leadership wasn’t asking about compliance.

They were asking:

Who’s making the call right now?
How long will this realistically last?
What do we tell patients, partners, and staff?
At what point does this become a business problem, not an IT problem?

None of those questions are on an audit checklist.

The organization wasn’t careless. It wasn’t negligent. It simply hadn’t practiced operating without its systems.

And that gap is where disruption turns into crisis.

Why this hits SMEs harder than large enterprises

Large health systems can absorb confusion. SMEs can’t.

There’s less redundancy. Fewer decision layers. Smaller margins for error. When a system goes down, it’s not an inconvenience—it’s an operational threat.

In that environment, resilience isn’t about perfect security.

It’s about:

Clarity over who decides what
Practiced communication paths
Realistic recovery expectations
Knowing which operations matter first when everything can’t be restored at once

None of that shows up in an audit report.

Compliance isn’t the problem. Overconfidence is.

This isn’t an argument against audits or compliance. Those are necessary.

The danger is treating compliance as the finish line instead of the baseline.

Cyber-resilient organizations assume something will fail and plan accordingly. They don’t rely on documentation to carry them through a real-world incident.

They rely on rehearsed decisions.

The question every leader should ask

If this happened tomorrow, would your organization be relying on what’s written down—or on what’s been tested?

Because when the incident starts, the audit is already over.