Cybersecurity as we know it began in the 1970s with the Advanced Research Projects Agency Network (ARPANET). The 1980s brought the first wave of computer viruses and malware, exposing vulnerabilities in connected systems. The 1990s and early 2000s saw a steady rise in cyber threats, and cybersecurity came to be recognized as a critical component of information technology. Today, cybersecurity encompasses network security, information security, operational security, and end-user education.
Healthcare cybersecurity requires strong cybersecurity compliance, which can help keep patient information safe and prevent costly breaches. However, healthcare organizations differ widely in size, resources, and infrastructure, from large hospital networks to independent clinics and local pharmacies. This diversity means a uniform, “one-size-fits-all” approach to cybersecurity compliance often fails to address the specific risks and operational realities of each setting.
A large hospital network may run multiple facilities, employ thousands of staff, manage vast amounts of sensitive data, and operate complex, interconnected IT systems. In contrast, a small medical practice may have just a handful of employees, one location, and depend heavily on cloud-based tools or third-party vendors. Community pharmacies and specialty clinics fall somewhere in between, each with its own operational realities and compliance challenges.
When every organization is held to the same requirements, the results can be counterproductive. Some may overspend on unnecessary controls that don’t meaningfully reduce their risk, while others remain underprotected against the threats they are most likely to face.
Brent Hoard, partner in the Privacy + Cyber practice group, captures the tension well: “On one hand, the HISAA would provide for consistent standards and a more proactive approach to address cybersecurity and breach risk (i.e., set the baseline). This approach is consistent with the proposed HIPAA Security Rule update’s move away from ‘addressable’ implementation specifications to requirements. On the other hand, health care is a diverse ecosystem. A large hospital system will have different needs than a small medical practice or pharmacy. Minimum security standards could result in under- or over-protection depending on an entity’s size, risk profile, data footprint, and other factors. The HISAA would also layer material administrative burdens on an already heavily regulated industry. To that end, the OCR has recently started to focus enforcement efforts on the existing risk analysis requirement under the Security Rule. I think enforcement of existing requirements, together with targeted modernization of the rule, would be a less onerous alternative.”
This perspective highlights a common challenge: while baseline standards help ensure that all healthcare organizations meet a certain minimum level of protection, they can’t account for every variation in size, budget, technology, and patient population.
Applying the wrong level of protection carries its own risk. Over-protection, investing in expensive, complex systems that exceed the organization’s needs, drains financial and staffing resources that might be better spent elsewhere, such as on targeted training or essential patient care technology. Under-protection, implementing too few safeguards, leaves systems exposed to attackers who can exploit those gaps to reach sensitive patient information.
The numbers indicate how these risks play out differently across organization sizes: According to an article by Small Biz Trends, “about 1 in 40 small businesses are at risk of being the victim of a cyber crime. That pales in comparison to the 1 in about 2 large businesses which are targeted every year—multiple times—with a cyber attack.” In healthcare, this difference is amplified by the fact that large hospital systems hold large amounts of sensitive data and operate more complex networks. Small medical practices and pharmacies, on the other hand, often lack the resources, dedicated IT staff, or layered defenses to respond effectively when they are targeted. As stated in the study Cybersecurity Challenges in Healthcare, “large organizations usually have enough resources to provide effective cyber solutions from the market, but they are enriched with a huge amount of patient data and thus are a much bigger target for attackers. On the other hand, smaller organizations are a potential target for attacks due to [the] use of digital technologies, but usually they do not have enough budgets to invest in cyber security.”
This mismatch in resources and risks means that standardized, one-size-fits-all cybersecurity mandates could lead to smaller providers overspending on unnecessary systems while leaving larger entities underprepared for the sophistication and persistence of attacks they regularly face. The solution lies in tailoring security measures to an organization’s size, risk profile, data footprint, and operational complexity, ensuring protection without waste.
The HIPAA Security Rule (the risk analysis standard at 45 CFR § 164.308(a)(1)(ii)(A)) requires regulated entities to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].” This assessment involves identifying, assessing, and prioritizing threats to electronic protected health information (ePHI).
The risk analysis should answer the following questions:
Customizing cybersecurity compliance requires an organization to understand its own size and risk profile and then implement measures proportionate to those factors.
The Health Information Security and Accountability Act (HISAA) is proposed legislation designed to create consistent, proactive cybersecurity standards across healthcare.
Small providers can achieve strong protection, but the approach differs. They can rely on risk-based measures, vendor solutions, and staff training without needing the complex infrastructure that large hospitals use.
Tailoring doesn’t mean doing less; it means doing what’s most effective for your specific risk profile. Smaller organizations may focus on foundational protections, while larger ones implement more advanced safeguards. Both approaches aim to achieve strong security without unnecessary costs.
Ignoring tailored compliance can lead to breaches, regulatory penalties, reputational damage, and operational disruption. It also leaves gaps that attackers are more likely to exploit.