
If you’ve ever wondered what it’s like to scream into the cybersecurity void, this episode might feel oddly relatable. We dive into why “bare minimum” isn’t a security strategy—it’s more like playing Russian roulette with your data. From regulatory head-scratchers to the harsh reality that a “bare minimum” security strategy is about as effective as locking your front door while leaving the windows wide open, this episode is your wake-up call, packed with sharp insights, analogies involving go-karts on the interstate, and the occasional frustrated sigh.
In this episode:
Bare Minimum Isn’t a Security Strategy – Ep 495
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
The timestamps in brackets below mark where each topic starts in the audio, so you can move between the show notes and the recording.
Bare Minimum Isn’t a Security Strategy
[05:11] With the NPRM on hold and a new administration in charge, many healthcare organizations are taking a “wait and see” approach. But doing the bare minimum is exactly what got us to this point. In this episode, we discuss why voluntary compliance measures—like HICP, recognized security practices, and the HPH Cybersecurity Practices Guidelines—aren’t just recommendations; they’re your best defense against stricter regulations. Let’s discuss why acting now gives you flexibility and how waiting could cost you more in the long run.
- NPRM is stalled with the new administration, and the industry is crossing its fingers for a rollback.
- This “bare minimum” mindset is why stricter regulations are being proposed in the first place.
- “Let’s stop pretending doing the least possible is a strategy—it’s not. It’s a gamble, and frankly, it’s one we’re losing.”
[20:02] A Look Back: The Tools Were Always There
- 2019: HICP – Scalable, voluntary cybersecurity practices tailored for healthcare. Ignored by most.
- 2021: Recognized Security Practices Amendment – Incentives to follow practices like HICP (penalty reduction for breaches), but many organizations still passed on it.
- 2024: HPH Cybersecurity Practices Guidelines – Built on HICP to offer more practical tools for different organization sizes. Still voluntary, still underused.
- 2025: NPRM – A stricter response to years of non-action.
- Takeaway: The industry has been given tools to prevent stricter regulations, but widespread adoption hasn’t happened.
Bare Minimum Isn’t Enough (And Never Was)
- Doing the least is the most dangerous:
  - Cyberattacks won’t wait for the NPRM to get reversed.
  - OCR won’t be lenient on breaches just because you were “waiting it out.”
  - Every ignored framework or underused tool pushes the government closer to mandatory rules.
[27:05] Do the Work Now (While You Have Flexibility)
- Voluntary compliance is the smarter play:
  - Frameworks like HICP let you define “reasonable” and “appropriate” based on your organization’s size and complexity.
  - Stricter regulations will take away that flexibility—don’t wait to be told exactly what to do.
- Immediate actions:
  - Adopt recognized security practices (HICP and HPH CPGs).
  - Conduct a Security Risk Assessment (SRA): it’s your baseline for both compliance and cybersecurity. But make sure you do it properly; if the SRA is wrong, everything built on it will be based on incorrect information.
  - The SRA has always been the number one thing done wrong, and that isn’t changing. There are videos, guidebooks, fact sheets and more, and none of it has worked. A big chunk of the NPRM is about that problem and everything that has been tried to fix it.
  - Document everything: proof of compliance matters as much as the work itself. It helps in a compliance setting, but more importantly it lets you know what was going on today when you look back 2 or 3 years from now – or even 6 years from now.
  - One more thing – documentation tells those who come after you what was done, by whom, and why. That means much better long-term protection and less chance of incorrect assumptions.
Take Action to Prevent More Regulations
- Make the NPRM your call to action.
- “The bare minimum isn’t going to save you from breaches or stricter rules. Voluntary doesn’t mean optional—it means it’s your chance to act before someone else decides for you.”
- Compliance isn’t just about checking boxes—it’s about protecting patient data and avoiding unnecessary regulatory pain. Seems like someone should make a tagline about that…
At the end of the day, cybersecurity isn’t a “set it and forget it” kind of deal. It’s more like caring for a houseplant—ignore it, and things wilt fast. The difference? A dead plant won’t cost you millions in data breaches. So, ditch the bare minimum mindset, embrace a proactive approach, and remember: the bad guys aren’t waiting for you to get your act together. But hey, at least now you’ve got some solid analogies to explain it to your team.
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.