From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.
Why Small and Mid-Sized Providers Are the New Target
Small and mid-sized healthcare providers are now the primary target of ransomware and credential-harvesting campaigns, and the HHS Office for Civil Rights (OCR) has built an enforcement initiative around it. In October 2024, OCR opened its Risk Analysis Initiative with a $90,000 settlement against Bryan County Ambulance Authority in Oklahoma, a small county-owned EMS provider whose ransomware incident encrypted the ePHI of 14,273 patients. The signal to operators running clinics in Florida, Texas, Tennessee, and Arizona was unambiguous: size is no longer a shield.
The breach data lines up with what AHS sees in the field. OCR logged 725 large healthcare data breaches in 2024, the third straight year above 700, and large breaches involving ransomware are up 264% since 2018. The FBI’s Internet Crime Complaint Center (IC3) ranks healthcare and public health as the most-targeted critical infrastructure sector for ransomware. Most of the behavioral health and outpatient operators we work with do not have a 24/7 security operations center. They have an IT generalist, a legacy EMR, and a business associate stack nobody has fully inventoried.
That gap is now an enforcement problem, not just a security problem. OCR’s Tim Heesters put it plainly in late 2025: “Policies and procedures alone are not sufficient evidence of security measure implementation.” Translation: if your last risk analysis sits in a binder and nobody has acted on it, you are exposed to OCR, to state attorneys general under state breach laws, and to CMS Conditions of Participation reviewers who increasingly ask about cyber resilience.
Where to Find Healthcare-Grade Managed Detection and Response
Managed detection and response, or MDR, has become the practical substitute for a real SOC at clinics that cannot staff one. For behavioral health and primary care groups, MDR has to be built around PHI workflows and clinical uptime, not generic enterprise IT.
Three places to look. First, healthcare-focused MSSPs that work only in HIPAA-regulated environments and bundle MDR with compliance reporting and breach response. Second, national MSSPs with a healthcare vertical, which usually need a compliance overlay before they map cleanly to OCR and CISA expectations. Third, MSO-aligned advisory firms (where AHS sits) that fold MDR into the broader operational risk program.
The mistake we see most often: operators buy monitoring and call it compliance. It is not. The HIPAA Security Rule requires that identified risks feed into risk management, policy updates, workforce training, and board-level reporting. A SIEM dashboard nobody reviews does not satisfy 45 CFR § 164.308. Operators in Georgia and North Carolina have learned this the expensive way during OCR investigations that surfaced 18-month-old findings nobody had remediated, and during DEA inspections at OTPs where downtime procedures for controlled-substance dispensing could not be produced.
How to Choose Cybersecurity Services for a Healthcare Operator
HIPAA does not tell you which tools to buy. OCR tells you to apply safeguards that are reasonable and appropriate for your size, complexity, and risk profile. Your evaluation framework has to produce defensible documentation, not just technical sophistication.
Three filters worth using. One: documented risk analysis tied to the Security Rule. A Shook Hardy & Bacon review of OCR enforcement actions since 2024 found inadequate risk analysis cited in 13 of 20 matters, the single most common violation. Clearwater’s analysis of OCR Security Rule cases puts the figure even higher, with inadequate risk analysis involved in roughly 90% of Security Rule enforcement actions. If your vendor cannot produce audit-grade risk analysis documentation, you have bought a tool, not a program.
Two: incident response maturity with healthcare reps. Breach notification timing, forensic preservation, and the 60-day clock under 45 CFR § 164.408 are regulated activities. Joint Commission and CARF surveyors now routinely ask for cyber incident response evidence during EOC tours and information management reviews. Require tabletop exercises, written playbooks, and a defined coordination path with outside counsel and your compliance officer. Three: scalability without redesign. Clinics that add telehealth, open a Florida site, or fold in an acquisition need MDR and vendor risk management that absorbs the change. We have watched operators rip out three security stacks in 18 months because nobody asked the scaling question up front.
What Best-in-Class HIPAA Cybersecurity Looks Like
The market is crowded and quality varies wildly. The vendors that hold up under OCR scrutiny share a profile: they understand clinical workflows, EMR architecture, and payer connectivity, and they can point to actual experience supporting OCR audits, state attorney general inquiries, SAMHSA 42 CFR Part 2 reviews, and payer security attestations.
Federal guidance backs the governance-over-tools framing. The HHS 405(d) Health Industry Cybersecurity Practices (HICP), developed by the HHS-led 405(d) Task Group with CISA input, exists specifically to give small, medium, and large healthcare organizations a tiered, threat-based playbook. Adopting HICP is voluntary, but under Public Law 116-321, OCR is required to consider whether a regulated entity had recognized security practices in place for the prior 12 months when calculating fines and audit scope. That is real money. The IBM and Ponemon 2024 Cost of a Data Breach Report put the average healthcare breach at $9.77 million, the costliest sector for the 14th year running.
What this means for an operator: be skeptical of any firm promising HIPAA compliance through software alone. AHS works as an MSO-aligned advisor, helping behavioral health and outpatient operators in states like Florida, Texas, and Tennessee select, govern, and operationalize cybersecurity programs without building a security team they do not need. The deliverable is defensible posture against OCR, CMS, and state licensing boards, not a logo wall of tools.
Building an Operating Model That Holds Up Over Time
Cybersecurity in healthcare is an operating-model question. Operators who treat it as a one-time project fall behind both threats and regulators. The behavioral health groups that hold up year over year embed security into their compliance governance, their budget cycle, and their clinical leadership accountability.
OCR, CISA, and the FBI have all made the patient-safety framing explicit. The 405(d) HICP literature describes itself as guidance to “prepare and fight against cybersecurity threats that can impact patient safety.” That framing pushes oversight up to boards, medical directors, and compliance committees. Civil money penalties for willful neglect under HIPAA now reach $73,011 per day, per violation, with the annual single-tier cap above $2.1 million. Those numbers will end small operators, and they sit alongside DOJ False Claims Act exposure when cyber failures touch federal payer billing integrity.
AHS designs cybersecurity programs that scale with the operator, right-sizing MDR, folding security metrics into quality and compliance dashboards, and tying the program to payer readiness and SIU audit expectations. Margin pressure is real. Surveyor focus from Joint Commission and CARF is real. OCR enforcement is real. Operators who treat security as core infrastructure protect all three at the same time.
Frequently Asked Questions
What is the OCR Risk Analysis Initiative, and does it apply to small clinics?
OCR launched the Risk Analysis Initiative in October 2024 to focus investigations on the HIPAA Security Rule’s risk analysis requirement at 45 CFR § 164.308(a)(1)(ii)(A). The first action was a $90,000 settlement with a county ambulance authority in Oklahoma that served a small population. The initiative applies to every covered entity and business associate regulated by HHS OCR, regardless of size, and OCR has since expanded it to cover risk management, meaning what you actually did about the risks you found.
What does an average healthcare data breach actually cost?
The IBM and Ponemon 2024 Cost of a Data Breach Report put the average healthcare breach at $9.77 million, the costliest of any industry for the 14th consecutive year. For a small or mid-sized clinic, that figure is existential, which is why OCR-defensible documentation and a working MDR program matter more than any single tool.
Is HHS 405(d) HICP a safe harbor against OCR penalties?
Not a safe harbor, but it matters. Public Law 116-321 requires HHS to consider whether a regulated entity had recognized security practices, including HICP developed with CISA input, in place for at least 12 months prior to an OCR investigation. That can reduce fines, shorten audits, and limit corrective action plan length. It does not eliminate liability and does not bind DOJ in a False Claims Act matter.
What is the most common HIPAA violation cited in recent OCR enforcement actions?
Inadequate or missing risk analysis. Across publicly reported OCR enforcement actions since the start of 2024, inadequate risk analysis was the most frequently cited violation, appearing in roughly two-thirds of cases reviewed, and historically has been involved in approximately 90% of Security Rule enforcement actions. If your risk analysis is more than a year old, does not cover your full ePHI environment, or has no documented mitigation follow-through, that is the first thing OCR surveyors will find.
References
- HHS OCR, Bryan County Ambulance Authority Settlement (Oct. 31, 2024)
- HHS, HIPAA Security Rule (45 CFR Part 164, Subpart C)
- HHS 405(d), Health Industry Cybersecurity Practices (HICP) 2023 Edition
- IBM & Ponemon Institute, Cost of a Data Breach Report 2024
- HIPAA Journal, 2024 Healthcare Data Breach Report
- Feldesman LLP, OCR Risk Analysis Initiative: First Six Months
- Shook, Hardy & Bacon, OCR Enforcement Activity: Trends and Insights (March 2025)
- Clearwater, HIPAA Security Rule Enforcement: Where Things Stand in 2026