What Healthcare Organizations Get Wrong About HIPAA IT Security (And How to Fix It)
Every year, the U.S. Department of Health and Human Services publishes its breach portal, nicknamed the “wall of shame,” a public list of healthcare data breaches affecting 500 or more individuals. In 2025 alone, hundreds of organizations appeared on that list, many of them small practices and mid-sized healthcare companies that assumed their IT security was good enough. The reality is that HIPAA compliance isn’t a checkbox exercise. It’s an ongoing technical commitment, and the organizations that treat it otherwise tend to learn that lesson the hard way.
The Gap Between Policy and Practice
Most healthcare organizations have some form of HIPAA compliance documentation sitting in a binder or shared drive somewhere. They’ve written policies about data handling, access controls, and breach notification. On paper, everything looks fine.
The problem shows up in the IT infrastructure. Written policies mean nothing if the technology behind them doesn’t actually enforce the rules. A policy that says “only authorized personnel may access patient records” falls apart when the network lacks proper role-based access controls, when former employees still have active credentials, or when the entire office shares a single login for their EHR system. These aren’t hypothetical scenarios. They’re findings that come up repeatedly in HIPAA audits and breach investigations across the healthcare sector.
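The findings named above (former employees with live credentials, one login shared by a whole office) are exactly the kind of thing a periodic access review should surface mechanically rather than by chance. The script below is an added example, not code from the original article: it cross-references an HR roster with an EHR account export and EHR sign-in events, and flags accounts that belong to nobody on the roster, accounts that have gone unused, and accounts that look shared because they sign in from many different workstations. All records are constructed for the demo, and the field names are assumptions rather than any EHR vendor’s export format.

```python
"""Added example, not code from the original article: a minimal access review
that checks the policy "only authorized personnel may access patient records"
against what the systems actually show. All records are constructed for the
demo; field names are assumptions, not any EHR's export format."""
from collections import defaultdict
from datetime import date

# Constructed HR roster: usernames of people currently employed.
CURRENT_STAFF = {"jsmith", "mlee", "rpatel"}

# Constructed EHR account export: username -> enabled flag, last sign-in, role.
EHR_ACCOUNTS = {
    "jsmith":    {"enabled": True,  "last_login": "2025-03-10", "role": "clinician"},
    "mlee":      {"enabled": True,  "last_login": "2025-03-11", "role": "billing"},
    "rpatel":    {"enabled": True,  "last_login": "2024-09-01", "role": "clinician"},
    "tgarcia":   {"enabled": True,  "last_login": "2025-03-09", "role": "clinician"},  # left the practice
    "frontdesk": {"enabled": True,  "last_login": "2025-03-11", "role": "frontdesk"},  # generic login
    "oldadmin":  {"enabled": False, "last_login": "2023-01-15", "role": "admin"},      # already disabled
}

# Constructed sign-in events: (username, workstation, ISO timestamp).
SIGNIN_EVENTS = [
    ("jsmith",    "WS-EXAM1",   "2025-03-10T08:02:00"),
    ("jsmith",    "WS-EXAM1",   "2025-03-10T13:15:00"),
    ("mlee",      "WS-BILLING", "2025-03-11T09:00:00"),
    ("tgarcia",   "WS-EXAM3",   "2025-03-09T16:40:00"),
    ("frontdesk", "WS-FRONT1",  "2025-03-11T07:55:00"),
    ("frontdesk", "WS-FRONT2",  "2025-03-11T08:01:00"),
    ("frontdesk", "WS-EXAM2",   "2025-03-11T08:03:00"),
    ("frontdesk", "WS-NURSE",   "2025-03-11T08:10:00"),
]


def orphaned_accounts(accounts, roster):
    """Enabled accounts with no matching person on the roster: former staff
    whose access was never revoked, and generic accounts that map to no one."""
    return sorted(u for u, a in accounts.items() if a["enabled"] and u not in roster)


def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts not used within max_idle_days of as_of (ISO date string)."""
    cutoff = date.fromisoformat(as_of)
    return sorted(
        u for u, a in accounts.items()
        if a["enabled"]
        and (cutoff - date.fromisoformat(a["last_login"])).days > max_idle_days
    )


def shared_account_candidates(events, min_workstations=3):
    """Accounts signed in from at least min_workstations distinct machines.
    One person rarely roams that widely in a day; a shared login does."""
    seen = defaultdict(set)
    for user, workstation, _ in events:
        seen[user].add(workstation)
    return sorted(u for u, ws in seen.items() if len(ws) >= min_workstations)


def access_review(accounts, roster, events, as_of):
    """Bundle the three checks into one report for the periodic review."""
    return {
        "orphaned": orphaned_accounts(accounts, roster),
        "dormant": dormant_accounts(accounts, as_of),
        "shared": shared_account_candidates(events),
    }


if __name__ == "__main__":
    report = access_review(EHR_ACCOUNTS, CURRENT_STAFF, SIGNIN_EVENTS, "2025-03-12")
    for finding, users in report.items():
        print(f"{finding:>8}: {', '.join(users) or 'none'}")
```

Run against the constructed data, the review flags `tgarcia` and `frontdesk` as orphaned (the generic front-desk login maps to no person on the roster, which is itself a finding), `rpatel` as dormant, and `frontdesk` as a likely shared account because it signed in from four workstations in fifteen minutes. The thresholds (90 idle days, three workstations) are assumptions to tune per practice; the point is that each finding maps back to a specific policy statement the technology was supposed to enforce.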
Common IT Security Gaps in Healthcare Settings
Several technical vulnerabilities appear over and over again in healthcare organizations, particularly smaller practices and clinics that don’t have dedicated IT security staff.
Unencrypted data at rest and in transit. HIPAA’s Security Rule lists encryption as an “addressable” implementation specification. Addressable does not mean optional: a covered entity must either implement it or document why it isn’t reasonable and appropriate in its environment and what equivalent measure it uses instead. Yet many organizations still store patient data on unencrypted drives or transmit it over unencrypted connections. This is especially common with older systems that were set up before current encryption standards became the norm. A stolen laptop with an unencrypted hard drive can turn into a reportable breach overnight; the same laptop with full-disk encryption that meets HHS guidance generally does not, because encrypted ePHI is treated as “secured” under the Breach Notification Rule.
Poor patch management. Healthcare IT environments often include a mix of modern cloud applications and legacy systems that haven’t been updated in years. Unpatched software, especially on internet-facing systems, is one of the most common entry points for ransomware, which has become the single biggest cyber threat facing healthcare organizations. The February 2024 ransomware attack on Change Healthcare demonstrated just how devastating a single incident can be to an entire healthcare supply chain.
Inadequate backup and recovery planning. HIPAA’s contingency plan standard requires a data backup plan, a disaster recovery plan, and an emergency mode operation plan, and calls for testing and revising those plans. Many organizations back up their data but have never actually tested whether they can restore it. When ransomware hits and production systems go down, discovering that backups are corrupted, incomplete, or themselves encrypted by the attacker is a nightmare scenario that plays out more often than it should.
The Human Element
Technology gaps are only part of the picture. Phishing remains one of the most common initial access vectors in healthcare breaches, and it exploits people rather than systems. Staff members who haven’t received regular security awareness training are far more likely to click a malicious link or open a compromised attachment. HIPAA doesn’t explicitly mandate a training frequency, but the Office for Civil Rights has made it clear through enforcement actions that a single annual session often isn’t sufficient. Quarterly training with simulated phishing exercises has become a common recommendation among cybersecurity professionals working in healthcare.
Risk Assessments Aren’t Optional
If there’s one HIPAA requirement that gets neglected more than any other, it’s the Security Risk Assessment (the Security Rule calls it a risk analysis). The Rule requires covered entities and business associates to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). This isn’t a suggestion or an addressable specification. It’s a required one, and failure to perform one has been a factor in numerous OCR enforcement actions and settlement agreements.
A proper risk assessment goes beyond running a vulnerability scan. It involves identifying where ePHI lives across the entire organization, mapping how it flows between systems and users, evaluating the threats to each of those touchpoints, and determining whether existing controls adequately mitigate those risks. For organizations in the Long Island, New York metro area and surrounding regions like Connecticut and New Jersey, state-level privacy regulations can add additional layers of complexity on top of federal HIPAA requirements.
Many cybersecurity professionals recommend conducting these assessments annually at minimum, and revisiting them whenever there’s a significant change to the IT environment, such as migrating to a new EHR platform, adopting cloud services, or opening a new office location.
Business Associates and the Extended Risk Surface
Healthcare organizations often focus their security efforts inward while overlooking the risks introduced by their vendors and partners. Under HIPAA, any entity that handles ePHI on behalf of a covered entity is classified as a business associate, and the covered entity is responsible for ensuring those relationships are governed by Business Associate Agreements.
But a signed BAA doesn’t guarantee security. The IT services provider managing a practice’s network, the cloud platform hosting patient records, the billing company processing claims, the shredding service destroying old paper records: each one represents a potential point of failure. Smart healthcare organizations don’t just collect signed agreements. They vet their business associates’ security postures and periodically review whether those partners are holding up their end of the compliance bargain.
The NIST Framework Connection
Organizations looking for a structured approach to HIPAA IT security increasingly turn to the NIST Cybersecurity Framework as a foundation. HHS has published a crosswalk mapping HIPAA Security Rule requirements to the NIST framework, making it a natural fit for healthcare environments. The framework’s core functions, Govern, Identify, Protect, Detect, Respond, and Recover (Govern was added in CSF 2.0 in 2024), align well with what HIPAA expects from covered entities.
This approach is particularly useful for healthcare organizations that also handle government contracts or serve federal agencies. DFARS and CMMC are built on NIST SP 800-171 rather than the Cybersecurity Framework, but the control families overlap heavily, so a security program built on NIST principles can help an organization satisfy multiple compliance frameworks simultaneously rather than treating each one as a separate project.
Continuous Monitoring Over Point-in-Time Compliance
One of the biggest shifts in healthcare IT security thinking over the past few years has been the move away from point-in-time compliance toward continuous monitoring. The old model of performing an annual risk assessment, updating some policies, and calling it done until next year simply doesn’t hold up against the current threat landscape. Ransomware groups don’t wait for audit season.
Continuous monitoring means having real-time visibility into network activity, automated alerting for suspicious behavior, regular vulnerability scanning, and ongoing log analysis. For small and mid-sized healthcare organizations that can’t justify a full-time security operations center, managed IT and cybersecurity services have become a practical alternative. These arrangements provide around-the-clock monitoring and incident response capabilities without the overhead of building an in-house security team from scratch.
Getting Started on the Right Foot
Healthcare organizations that want to strengthen their HIPAA IT security posture don’t need to overhaul everything at once. A few high-impact starting points can make a significant difference.
First, conduct a current-state Security Risk Assessment if one hasn’t been completed in the past 12 months. This provides the baseline for everything else. Second, implement multi-factor authentication across all systems that touch ePHI, including remote access and email. MFA blocks most attacks that rely on a stolen or guessed password, though push-notification and one-time-code factors can still be phished, so prefer phishing-resistant methods where the systems support them. Third, review and test backup and disaster recovery procedures. Don’t just verify that backups are running. Actually restore from them and confirm the data is intact and usable.
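The third step is the one most often skipped because “the backup job reports success” feels like enough. The script below is an added example, not code from the original article, showing what a restore test that can run unattended looks like: it writes a tar.gz backup of a directory together with a SHA-256 manifest of every file, restores the archive into a scratch directory, and checks each restored file against the manifest. A backup job that silently skipped a file, or copied a damaged one, fails the check on the day it happens instead of on the day of the outage. File names and contents are constructed for the demo; the `ARCNAME` layout and the manifest file naming are assumptions.

```python
"""Added example, not code from the original article: an unattended backup
restore test. Backs up a directory plus a SHA-256 manifest, restores into a
scratch directory, and verifies every file. Sample data is constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

ARCNAME = "data"  # top-level directory name inside the archive (assumption)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir):
    """Relative path -> SHA-256 for every regular file under source_dir."""
    source_dir = Path(source_dir)
    return {p.relative_to(source_dir).as_posix(): sha256_of(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def write_manifest(source_dir, archive_path):
    manifest = build_manifest(source_dir)
    Path(f"{archive_path}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def write_archive(source_dir, archive_path, skip=()):
    """Write the tar.gz. `skip` simulates a backup job that silently omits
    files; the manifest still lists them, which is what lets the test catch it."""
    def exclude_skipped(member):
        rel = Path(member.name).relative_to(ARCNAME).as_posix()
        return None if rel in skip else member
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=ARCNAME, filter=exclude_skipped)


def safe_extract(archive_path, restore_dir):
    """Extract, refusing members that would escape restore_dir (tar path
    traversal) or that are links; a backup archive should contain neither."""
    with tarfile.open(archive_path, "r:gz") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts or m.issym() or m.islnk():
                raise ValueError(f"unsafe archive member: {m.name}")
        tar.extractall(restore_dir)
    return Path(restore_dir) / ARCNAME


def verify_restored(manifest, restored_root):
    """Compare every manifest entry with the restored copy."""
    restored_root = Path(restored_root)
    missing, mismatched = [], []
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            mismatched.append(rel)
    return {"ok": not missing and not mismatched,
            "verified": len(manifest) - len(missing) - len(mismatched),
            "missing": missing, "mismatched": mismatched}


def restore_test(archive_path):
    """Full restore-and-verify cycle into a throwaway directory."""
    manifest = json.loads(Path(f"{archive_path}.manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        return verify_restored(manifest, safe_extract(archive_path, scratch))


def run_demo(skip=(), damage=()):
    """Build a constructed source tree, back it up, and run the restore test.
    `skip` drops files from the archive; `damage` overwrites files after the
    manifest is taken, simulating bytes corrupted before the job copied them."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "ehr_export"
        (src / "charts").mkdir(parents=True)
        (src / "charts" / "patient_0001.json").write_text('{"mrn": "0001"}')  # constructed
        (src / "charts" / "patient_0002.json").write_text('{"mrn": "0002"}')  # constructed
        (src / "schedule.csv").write_text("date,room\n2025-03-12,A\n")       # constructed
        archive = Path(work) / "backup.tar.gz"
        write_manifest(src, archive)
        for rel in damage:
            (src / rel).write_bytes(b"\x00" * 8)
        write_archive(src, archive, skip=skip)
        return restore_test(archive)


if __name__ == "__main__":
    print("complete backup:", run_demo())
    print("skipped a file: ", run_demo(skip={"charts/patient_0002.json"}))
    print("damaged a file: ", run_demo(damage={"schedule.csv"}))
```

The manifest is the piece most homegrown backup scripts lack: without a record of what the data looked like when it was backed up, a restore can only prove that something came back, not that everything did. In production the manifest should be stored somewhere the backup job cannot overwrite, and the restore target should be a separate machine, so the test also exercises the recovery path ransomware would force you down.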
From there, organizations can address encryption gaps, tighten access controls, formalize their incident response plans, and build out a training program that keeps staff engaged and aware throughout the year.
HIPAA compliance and genuine security aren’t the same thing, but they’re not in conflict either. Organizations that build their IT security programs with both regulatory requirements and real-world threats in mind will find themselves better protected on both fronts. The ones that treat compliance as paperwork and security as someone else’s problem are the ones that end up on that wall of shame.
