Beyond compliance: The professional subset strategy to secure data

Improved security comes from a grounded, no-nonsense approach to risk that emphasizes verifiable, enforceable and adaptable practices.
Compliance often falls to the end of cybersecurity teams' investment line. Many organizations first direct resources toward reducing technical debt, strengthening active and structural defenses, preparing for potential incidents, and building headcount to support these efforts.  

Healthcare operates in one of the most complex, high-risk digital environments, yet many organizations focus primarily on meeting baseline regulatory requirements, like HIPAA.   

Chris Hughes, who writes a newsletter called Resilient Cyber, wrote a post last year entitled “Compliance Does Equal Cybersecurity — Just Not Elimination of Risk.” In it, he describes the tendency of some organizations to only address the baseline cybersecurity risk required. He also highlights the fact that compliance work is too static and manual, with which we heartily agree.   

Without compliance frameworks, we would be in a much more vulnerable landscape than we are today. In healthcare, frameworks provide a structured approach to managing the wide-ranging complexity inherent in cybersecurity and risk management. 

After being a HITRUST assessor for 14 years, our team has a common set of practices we help our clients execute, whether they are pursuing a HITRUST certification or a less-demanding NIST, HIPAA or other security risk assessment.   

We call this a professional subset strategy — a grounded, no-nonsense approach to risk that emphasizes verifiable, enforceable and adaptable practices sized to an organization’s risk profile. 

Facilitate independent and granular assessments 

The first principle is simple: you can’t grade your own paper. Self-assessments have dominated healthcare cybersecurity for too long. They're easier, cheaper and more likely to produce comfortable results.  

A credible independent assessment, especially one aligned with any of the risk management frameworks like HITRUST, NIST, CPGs and HIPAA, is not only more accurate but also more actionable. The best assessments aren’t just pass-or-fail exercises — they produce corrective action plans and enforce them over time. This provides a higher level of assurance when leaders dig beyond the required control questions and validate evidence of the organization’s actual adherence to each security control and practice.

NIST asks, “Are you adapting to threats?” HITRUST asks, “Have you closed the gap on this specific threat in this specific system with this specific evidence?” An organization can absolutely apply the HITRUST version of this question during a NIST assessment to help ensure both frameworks are adequately addressed. 

Organizations should insist on precision, avoid ambiguity, and never let convenience dilute the rigor of their risk profile.

Align legal and security teams on vendor risk 

A common scenario: the legal team signs off on a vendor contract with broad limitations on liability, while the security team evaluates a questionnaire from that same vendor and gives it a green light. Too often, no one connects the dots.

This disjointed approach to third-party risk is one of healthcare’s most overlooked vulnerabilities in terms of cybersecurity posture.  

Vendors often operate under license agreements that cap liability and limit both general and direct damages in the event of a data breach. While these terms may be sound from a legal or financial perspective, they do little to protect patients or to prevent the reputational damage that follows a breach.

The fix requires bringing the security and legal teams together at the front end. For top-tier vendors, enter into a broader data protection agreement that goes beyond basic HIPAA-specific breach categories. Risk must be understood across both vectors: technical security and contractual liability.

Surface the exceptions 

The CISO doesn’t control everything. In many cases, they’re responsible for systems and endpoints owned by other departments.  

Each exception only chips away at the integrity of the whole. One vulnerable pathway can render a thousand secure pathways irrelevant. 

That’s why sunlight is such a powerful disinfectant. CISOs benefit from platforms and processes that track and report exceptions, in addition to all other risks, to promote transparency and provide the executive team with a comprehensive view of organizational risk. 

It’s one thing to say, “We’re secure.” It’s another to say, “We’ve got 37 active exceptions. Here’s the risk management calculus. Here’s what we recommend.” 

Move from tools to team sport 

Healthcare executives often treat cybersecurity as an IT function. But tools don’t secure systems — people and culture do. 

We must shift the conversation from technical jargon to business risk. When we review an organization’s cybersecurity posture with its leadership, we lead with data: Here are the last five breaches among hospitals of your size. Here's what failed. Here's a gap we just identified. Here’s the cost to fix it.

Because at its core, cybersecurity in healthcare isn’t just about reducing breach likelihood. It’s about managing liability, preserving care continuity and protecting public trust. And that’s everyone’s job. 

George Pappas is CEO of Intraprise Health by Health Catalyst, where he is leading a strategic transformation to deliver integrated cybersecurity solutions across the healthcare ecosystem. 
