Your HIPAA Deadline Is Coming Faster Than You Think. A Story Every Hospital Should Hear.
“Tell me this is overblown,” Jane, the Chair, said as she nervously fidgeted with her glasses.
A slide showing the Federal Register notice lit up the boardroom screen, and it looked a lot like a subpoena. Only three days had passed since the first email landed in the board’s inboxes. Now, no one at Little Valley Medical Center could pretend this was just another regulatory update. The subject line alone had already made a few board physicians check their blood pressure:
“Final HIPAA Security Rule Published. Effective in 60 Days. Full Compliance Required in 240. HIPAA Penalties Will Apply.”
“Nope, not a joke,” Daniel, the CEO, leaned back in his chair and exhaled loudly, clearly working to control his concern and embarrassment. “We let ourselves down here. We knew this was coming, we did not get in front of it, and our security partner did not really push us on it either.”
About five weeks earlier, the CEO and team learned about the upcoming deadline during an emergency briefing with a security partner. Since then, they had been scrambling to catch up.
The room fell quiet. Their three‑week‑tenured CISO, Alexis Ramirez, stood, and every eye turned to her.
“Short answer, we are not ready,” she said. “But we could be, if we move fast. Multifactor authentication everywhere. Encryption. Asset inventories. Pen tests. Incident response. Vendor crackdowns. All of it. We also need to do all this with no impact on providing excellent care to our patients.”
From the NPRM
“The proposal would remove the distinction between ‘required’ and ‘addressable’ … and make all implementation specifications required, subject only to specific, limited exceptions.”
Chapter 1: A Slow‑Motion Crash
Before Alexis joined, Little Valley did what many mid-size hospitals do: just enough to pass audits on a good day, but not enough for anyone who really understood the risks to feel comfortable.
IT begged for investments. Clinical leaders fought to avoid implementing anything they perceived as slowing them down. In fairness, they were right about one thing: fast and effective patient care was their number one priority.
Over time, this compromise led to a mix of half-finished technology projects and good intentions that never fully came together.
In a corner of the ER admitting area, tucked under a desk, was an old server with a Post‑it so worn it had been picked up and taped back on several times. It read “Important.” Nobody was sure why.
An account used by certain technicians was shared. The username “xray_technician” was used by over a dozen people and had never had its password changed. “We would lock ourselves out,” they explained.
Try as she might, Alexis could not find a risk assessment performed within the last three years. A new EHR system was installed two years ago. A risk assessment was discussed at the time, but never carried out.
There were policies, but hardly anyone knew where to find them. The SharePoint site was so neglected it might as well have been covered in dust.
From the NPRM
“Regulated entities would be required to maintain written documentation of all Security Rule policies, procedures, plans, and analyses …”
Little Valley had avoided major incidents mostly through luck. A ransomware campaign had swept through neighboring hospitals the previous year, but Little Valley had somehow escaped. Leadership took this as proof that they were “too small to bother with” and that their existing controls were sufficient.
Alexis did not believe in that kind of luck, and she knew better about “sufficiency.”
During her first walk through the server room, she noticed overloaded racks, mismatched labels, and a switch with a Post-it note that read, “Do not touch! Breaks lab!” It seemed like IT used Post-it notes as their main way to communicate.
“Do we know where all of our systems that hold patient data are?” she asked the IT manager, Priya.
Priya hesitated. “We know where most of them are.”
“That is not going to be good enough anymore,” Alexis said.
Chapter 2: The Outsider
Six months earlier, a resident had plugged a personal laptop into the network to print a research paper. Within a few minutes, suspicious outbound traffic set off alerts at Little Valley’s outsourced SOC. A misconfigured system allowed the device onto a sensitive network segment. The MSSP stepped in, contained it, and found no privacy impacts, but not before a tense weekend of log review and emergency calls.
The hospital was lucky. The incident easily could have become a headline moment.
The board decided they needed “a real cybersecurity leader.” That was Alexis. She had faced more upset executives than she could count, carried the scars of prior breaches, and had a valuable habit of listening longer than she spoke.
Even though she was new, Alexis already understood the politics. It was nothing out of the ordinary.
- Finance saw security as an expense,
- Clinicians saw security as friction,
- IT saw security as another demand on their time, with no extra staff.
And then there was Dr. Noah Pike.
Chapter 3: Noah
Every good story needs an antagonist. At Little Valley, this was Noah Pike.
In security terms, Dr. Pike was a walking threat.
Noah was not a cartoon villain with nefarious objectives. He was worse. He was a smart, charismatic director of a lucrative specialty clinic whose incentives were based on throughput and revenue, not security and compliance. “We have anti‑malware,” he told Alexis. “We are covered.”
From the NPRM
“The proposal would require encryption of ePHI at rest and in transit, with limited exceptions, and would require the use of multi‑factor authentication, with limited exceptions, for access to specified electronic information systems…”
Worse still, he had power. He ran one of the service lines that kept the hospital profitable. Patients loved him, and the board valued him.
He pushed back on access controls, insisted his staff needed exceptions to every policy, and had quietly signed his department up for a cloud‑based scheduling platform without involving IT.
When Alexis’ team discovered a stream of patient data flowing into that platform without a Business Associate Agreement in place, Noah brushed it off.
“We are helping patients,” he said. “The vendor says they are secure. Stop the bureaucracy. You are slowing me down, you hurt care.” Then came the knockout punch. “Do you want that on your conscience?”
It was a clever argument, and it had worked for years.
But the new rules changed that.
Chapter 4: The Clock Starts ….
We’re sharing this preview ahead of HIMSS Conference 2026, but the full story drops immediately after the conference. You won’t want to miss the complete, in‑depth version.

Author: Gerard Onorato, Chief Information Security Officer at RKON
Gerard Onorato | LinkedIn