According to CXO Tech Magazine, cybersecurity emerged in the 1970s with Advanced Research Projects Agency Network (ARPANET), the precursor to the internet. The 1980s saw the rise of computer viruses and malware, indicating network vulnerabilities. The 1990s and early 2000s saw increased cyber threats, leading to the recognition of cybersecurity as a critical component of information technology. Today, cybersecurity encompasses network security, information security, operational security, and end-user education.
Strong cybersecurity compliance can help keep patient information safe and prevent costly breaches. However, a one-size-fits-all approach to cybersecurity compliance can be problematic with healthcare organizations ranging from large hospital systems to small medical practices and pharmacies.
Brent Hoard, partner in the Privacy + Cyber practice group, summed up the issue well: “On one hand, the HISAA would provide for consistent standards and a more proactive approach to address cybersecurity and breach risk (i.e., set the baseline). This approach is consistent with the proposed HIPAA Security Rule update’s move away from ‘addressable’ implementation specifications to requirements. On the other hand, health care is a diverse ecosystem. A large hospital system will have different needs than a small medical practice or pharmacy. Minimum security standards could result in under- or over-protection depending on an entity’s size, risk profile, data footprint, and other factors. The HISAA would also layer material administrative burdens on an already heavily regulated industry. To that end, the OCR has recently started to focus enforcement efforts on the existing risk analysis requirement under the Security Rule. I think enforcement of existing requirements, together with targeted modernization of the rule, would be a less onerous alternative.”
Hoard’s comments demonstrate a dilemma: while baseline standards help ensure that all healthcare organizations meet a certain minimum level of protection, they can’t account for every variation in size, budget, technology, and patient population.
The healthcare sector is a highly diverse ecosystem:
Applying the same cybersecurity rules to all healthcare organizations can backfire; some may spend too much on unnecessary protections, while others may not have enough safeguards in place.
Applying the wrong level of protection can be just as risky as not protecting data at all. Over-protection, investing in expensive, complex systems that exceed the organization’s needs, can drain financial and staffing resources that might be better spent elsewhere, such as on targeted training or essential patient care technology. Conversely, under-protection, implementing too few safeguards, leaves systems vulnerable to cybercriminals who can exploit those gaps to access sensitive patient information.
The numbers indicate how these risks play out differently across organization sizes: According to an article by Small Biz Trends, “about 1 in 40 small businesses are at risk of being the victim of a cyber crime. That pales in comparison to the 1 in about 2 large businesses which are targeted every year — multiple times — with a cyber attack.” In healthcare, this difference is amplified by the fact that large hospital systems hold large amounts of sensitive data and operate more complex networks. Small medical practices and pharmacies, on the other hand, often lack the resources, dedicated IT staff, or layered defenses to respond effectively when they are targeted. As stated in the study Cybersecurity Challenges in Healthcare, “large organizations usually have enough resources to provide effective cyber solutions from the market, but they are enriched with a huge amount of patient data and thus are a much bigger target for attackers. On the other hand, smaller organizations are a potential target for attacks due to [the] use of digital technologies, but usually they do not have enough budgets to invest in cyber security.”
This mismatch in resources and risks means that standardized, one-size-fits-all cybersecurity mandates could lead to smaller providers overspending on unnecessary systems while leaving larger entities underprepared for the sophistication and persistence of attacks they regularly face. The solution lies in tailoring security measures to an organization’s size, risk profile, data footprint, and operational complexity, ensuring protection without waste.
The HIPAA Security Rule requires that HIPAA-regulated entities “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].” This process involves identifying, assessing, and prioritizing threats to electronic protected health information (ePHI).
A risk analysis should answer the following questions:
Tailoring cybersecurity compliance begins with understanding your organization’s size and risk profile, and then implementing measures proportionate to those factors.
The Health Information Security and Accountability Act (HISAA) is proposed legislation designed to create consistent, proactive cybersecurity standards across healthcare. While it would set a clear baseline, critics caution that it may not account for the diversity of the healthcare ecosystem, potentially leading to both over- and under-protection.
Tailoring cybersecurity compliance means evaluating your organization’s size, systems, data sensitivity, and threats, and then implementing the most effective safeguards for that unique profile. This ensures resources are focused where they matter most.
Tailoring doesn’t mean doing less; it means doing what’s most effective for your specific risk profile. Smaller organizations may focus on foundational protections, while larger ones implement more advanced safeguards. Both approaches aim to achieve strong security without unnecessary costs.