HIPAA Isn’t Enough: Four Cybersecurity Measures It’s Missing
Jun 19, 2025 9:37:23 AM
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 to protect patient records. Since its inception, HIPAA has gone through multiple major changes to strengthen its requirements, with the most recent being in 2013. Since HIPAA is a robust and legally upheld standard, is it safe to say that patient records are safer than ever? Unfortunately, we would have to say no.
At its foundation, this act and its principles are vital; however, when taking a closer look at how HIPAA protects this information, especially in the electronic space, it’s clear that additional security measures are non-negotiables.
How HIPAA Protects Patient Records
HIPAA standardizes the way in which doctors, hospitals, insurance companies, and other healthcare-related entities can use and share individuals’ medical information. Organizations must put basic security measures in place to limit access to patient records to only those who are allowed to view or use them.
This gives patients the right to request a copy of their medical records and, in theory, to rest assured that those records have only been seen by permitted parties. If their information is shared with anyone without permission, patients must be notified, and the responsible parties are held accountable.
When your information is stored electronically, which is typically the case, healthcare entities must utilize secure passwords, encryption, and overall limited access. Though this sounds like their bases are covered, there are many layers of cybersecurity best practices that are missing from HIPAA standards to secure electronic protected healthcare information (ePHI).
What Cybersecurity Measures are Missing from HIPAA Standards?
Though HIPAA’s baseline standards put a few best practices in place (complex passwords and encryption, for example), several crucial measures are missing. Cybersecurity standards have become much more complex since HIPAA’s last change in 2013. The Act’s ePHI protection already started at a lower-than-needed level, and in the last decade cyber criminals have become far more sophisticated.
What is missing from HIPAA’s baseline? Here are a few important cybersecurity measures that are not part of the Act’s standards:
- Multi-Factor Authentication (MFA): HIPAA requires that access controls be in place to ensure that only those with access credentials can view a record (think username and password). It does not, however, require multi-factor authentication (MFA). MFA combines multiple types of authentication factors so that a bad actor who obtains someone’s login credentials still cannot access the information. It adds another factor that an attacker would not possess: a device, like your phone, or a biometric, like a fingerprint. Requiring more than one method of authentication is the most effective single control for protecting access to information.
- Penetration Testing: HIPAA requires organizations to conduct a risk analysis, but it does not require regular penetration testing, which is a controlled, simulated attack against an organization’s systems. This form of ethical hacking lets entities see how easy or difficult it would be for an outsider to break in and reach their information.
- Network Segmentation: HIPAA does not require network segmentation, which would allow the isolation of vulnerable systems (a piece of medical equipment, for example) so that if a vulnerability is exploited, the attack does not permeate throughout the organization’s entire network.
- Continual Security Awareness Training: Though HIPAA requires annual security training, it does not require ongoing training throughout the year. A best practice might look like phishing simulations, where the organization’s IT department sends a fake phishing email to employees to see who identifies it as phishing and reports it, and who clicks the link and therefore needs additional training.
The risk for each of these is significant because, without them, hospitals become vulnerable to opportunists who know that hospitals house valuable information that they can exploit for money.
In Short: Compliance Does Not Equate to Security
What we learn from the discrepancies between HIPAA’s lacking cybersecurity standards and current best practices is that compliance isn’t enough. Checking the boxes that HIPAA requires does not mean that ePHI is protected from criminals looking to exploit healthcare organizations’ vulnerabilities.
Given this, it is important that healthcare leadership takes security seriously beyond HIPAA, because doing so is a step toward preventing a cyberattack that costs organizations time, money, and reputation.
Contact Blue Pioneer Consulting to Schedule a Consultation
Blue Pioneer Consulting is here to listen to your concerns. We know the pressure that organizations are under to protect their information from cyber criminals, not only to protect patients but also to protect precious time and resources from being derailed by an attack.
Contact us to schedule a consultation to learn more about how we can help you put your mind at ease.