Insights

Blog

Highlighted Reading

Research May 10, 2026 Featured

Current and Expected Adjustments to Cybersecurity Compliance for a Healthcare-Sector Cybersecurity Startup

A research paper on why static, audit-cycle compliance no longer fits healthcare cybersecurity, and how a small startup operates compliance as a continuing capability.

Healthcare
HIPAA
AI
Cryptography
Compliance
Risk Management

Feed

Practical May 26, 2026

The FFIEC CAT Sunset: What Healthcare Can Learn from a Parallel-Sector Compliance Change

FFIEC sunsetted the Cybersecurity Assessment Tool on August 31, 2025. The transition to NIST CSF 2.0 and CISA CPGs is the cleanest recent template for dynamic compliance change.

Healthcare
Compliance
NIST
CSF 2.0
Strategy

Practical May 25, 2026

EO 14110 to EO 14179: Why Federal AI Policy Is an Unstable Compliance Anchor

EO 14110 set federal AI policy in October 2023. EO 14179 revoked it in January 2025. Compliance programs anchored to executive orders chased a moving target.

AI
Compliance
Healthcare
Strategy

Practical May 24, 2026

Cross-Border Health Data Flows: When HIPAA Is Not Enough Because the Data Crossed a Border

EU GDPR, UK GDPR, China's PIPL, and the EU AI Act all have extraterritorial reach. A U.S. healthcare vendor with international users or vendors is in multiple regimes at once.

Healthcare
Privacy
HIPAA
GDPR
Compliance

Practical May 23, 2026

Washington's My Health My Data Act and the Gap HIPAA Does Not Cover

HIPAA does not cover wellness apps, marketing analytics, or most consumer health data. Washington's MHMD Act does. With a private right of action.

Healthcare
Privacy
HIPAA
Compliance
State Law

Practical May 22, 2026

The 2024 HIPAA Reproductive Health Privacy Rule Was Mostly Vacated. What That Means for Your Program.

On June 18, 2025, a federal court vacated most of the 2024 HIPAA reproductive-health privacy rule. Many policies and notices still reference it as live. They should not.

HIPAA
Healthcare
Privacy
Compliance

Practical May 21, 2026

Reading the Compliance Status Legend: Why 'Emerging' Is a Useless Tag

Final, final guidance, voluntary, contractually binding, proposed, enacted-not-yet-effective, vacated. The legal weight of a rule changes everything about how you should treat it.

Healthcare
Compliance
Strategy
HIPAA
Risk Management

Practical May 20, 2026

IoMT Segmentation: Why FDA's 2026 Cybersecurity Guidance and NIST SP 800-82 Now Converge

Connected medical devices live on hospital networks where they were never meant to be. FDA's 2026 guidance, section 524B, and NIST SP 800-82 give the segmentation roadmap.

Healthcare
IoMT
Medical Devices
FDA
NIST

Practical May 19, 2026

FDA Predetermined Change Control Plans for AI-Enabled Medical Devices: What a PCCP Actually Is

FDA's August 2025 PCCP guidance lets AI-enabled medical devices iterate without resubmission. What a PCCP must contain, when it makes sense, and how it interacts with HIPAA.

Healthcare
AI
FDA
Compliance
Medical Devices

Practical May 18, 2026

CIRCIA 72-Hour Reporting for Healthcare: How It Layers on HIPAA, FTC HBNR, and State Breach Law

CIRCIA is not finalized, but healthcare incident response programs that wait until it is will not be ready. Here is how it stacks against HIPAA, state, and FTC notification.

Healthcare
HIPAA
Incident Response
Compliance
CIRCIA

Practical May 17, 2026

NIST CSF 2.0's Govern Function and What Healthcare Boards Now Have to Own

CSF 2.0 added Govern in February 2024. It moves cybersecurity from an IT topic to a board-level enterprise risk responsibility. Healthcare boards are still catching up.

Healthcare
NIST
CSF 2.0
Governance
Risk Management

Practical May 16, 2026

HICP and the Recognized Security Practices Safe Harbor: The OCR Enforcement Mitigation Most Programs Miss

A 2021 HITECH amendment lets OCR consider 12 months of recognized security practices when assessing fines. HHS named HICP as one. Most healthcare programs do not use it.

HIPAA
Healthcare
Compliance
Risk Management
Ransomware

Practical May 15, 2026

OCR's Risk Analysis Initiative and the $250,000 Cascade Eye Settlement: What It Tells You About Current Enforcement

On September 26, 2024, OCR settled a ransomware case for $250,000 with a two-year corrective action plan. The findings tell you exactly what to fix in your program.

HIPAA
Healthcare
Ransomware
Risk Management
Compliance

Research May 14, 2026

Single-Artifact, Multi-Authority Evidence Engineering for Healthcare Compliance

Healthcare compliance has become a layered audit problem. The only way a small team survives it is to design four anchor artifacts that each satisfy multiple authorities.

Healthcare
Compliance
HIPAA
Risk Management
Strategy

Research May 13, 2026

The Cross-Jurisdiction AI Compliance Stack for Healthcare Vendors

Six AI compliance instruments now apply to healthcare vendors. They overlap but do not harmonize. Here is how to build one AI dossier that satisfies all six.

Healthcare
AI
Compliance
HIPAA
Risk Management

Practical May 12, 2026

Post-Quantum Cryptography for Healthcare: Why Harvest-Now-Decrypt-Later Means You Start the Inventory Now

Quantum computing is a decade away. Long-lived health records are not. Here is why FIPS 203, 204, and 205 already shape healthcare procurement, and what to inventory first.

Healthcare
Cryptography
NIST
Risk Management
Compliance

Practical May 11, 2026

The HIPAA Security Rule NPRM: A Control Roadmap Before the Final Rule Lands

HHS proposed the most consequential HIPAA Security Rule rewrite in 20 years. Here is what to map to your controls now, before the final rule sets the clock.

HIPAA
Healthcare
NIST
Risk Management
Compliance

Practical May 4, 2026

Change Healthcare and Business Associate Risk: What Healthcare Supply Chains Need to Prove

The Change Healthcare incident made business-associate cybersecurity a board-level healthcare risk. Contract language is not enough.

HIPAA
Healthcare
Supply Chain
Incident Response
Risk Management

Practical May 4, 2026

Healthcare Ransomware Control Priorities: The NIST 800-53 Families To Move First

A practical sequencing guide for healthcare ransomware resilience using NIST SP 800-53 control families.

Healthcare
Ransomware
NIST
Incident Response
Risk Management

Practical May 4, 2026

Why HIPAA Compliance Is Not Enough: A NIST Control Roadmap After Change Healthcare

The Change Healthcare breach shows why healthcare organizations need NIST control depth beyond the HIPAA Security Rule floor.

HIPAA
NIST
Healthcare
Risk Management
Ransomware

Practical May 4, 2026

NIST vs HITRUST, ISO 27001, COBIT, and CIS: Which Framework Fits Healthcare Compliance?

A practical comparison of the major security frameworks for healthcare organizations with HIPAA, SEC, privacy, and ransomware risk.

HIPAA
NIST
HITRUST
ISO 27001
Healthcare

Research May 4, 2026

Prioritized Controls for Compliance: A Healthcare Case Study of UnitedHealth Group

A full research paper applying NIST SP 800-66r2 and SP 800-53r5 to healthcare compliance after Change Healthcare.

HIPAA
NIST
Healthcare
Risk Management
Supply Chain

Practical Apr 26, 2026

The CIS Controls v8 IG1 → NIST SP 800-171 Crosswalk for DIB Contractors

If your program runs on CIS Controls v8 IG1, here is what that gets you against the 110 NIST SP 800-171 practices a C3PAO assesses — and where the gaps are.

CMMC
NIST
CIS Controls
Compliance
DIB

Research Apr 26, 2026 Featured

Inside a CMMC Level 2 Journey: A Mid-Tier DIB Contractor Case Study

A composite case study of a 350-person defense subcontractor with 47 suppliers and 15 months to reach CMMC Level 2 — and the scope-discipline strategy that makes it possible.

CMMC
NIST
Risk Management
DIB
Supply Chain

Research Apr 19, 2026

AI-Enabled Threats Against Defense Contractors: How ADSAI Is Changing the Attack Surface

How ADSAI tools are changing the attack surface for defense contractors: five threat vectors, the dual-use paradox, and a layered defense framework built on mission continuity.

Threat Intelligence
AI Security
Risk Management
Critical Infrastructure

Practical Apr 19, 2026 Featured

CMMC 2.0 Levels, Assessment Paths, and What Certification Actually Costs

A plain-language breakdown of CMMC 2.0's three levels, two assessment paths, POA&M rules, phase-in schedule, and the real cost numbers from DoD's regulatory impact analysis.

CMMC
Assessment
Compliance
DIB

Practical Apr 19, 2026

CMMC POA&M Rules: The 80 Percent Threshold, 5/3-Point Restriction, and 180-Day Window

How Plans of Action and Milestones work under the CMMC 2.0 final rule — the 80% implementation floor, which controls block conditional certification, and what happens at day 180.

CMMC
Compliance
DIB

Practical Apr 19, 2026

CUI vs FCI: What the Difference Means for Your DFARS and CMMC Obligations

CUI vs FCI explained — how each category determines your CMMC level, which DFARS clauses apply, and what scoping errors create the most compliance exposure.

CMMC
DFARS
Compliance
DIB

Practical Apr 19, 2026

DFARS 7012 Incident Reporting: What to Include in a 72-Hour Cyber Incident Report

What a DFARS 7012 cyber incident report must contain, when the 72-hour clock starts, what to preserve, and common reporting errors that create compliance exposure.

DFARS
Compliance
DIB

Practical Apr 19, 2026

The DFARS Clause Stack: What 7012, 7019, 7020, and 7021 Actually Require

What DFARS 7012, 7019, 7020, and 7021 actually require — incident reporting, SPRS scoring, DoD assessment authority, and CMMC award conditions for defense contractors.

CMMC
DFARS
Compliance
DIB

Research Apr 19, 2026 Featured

Federal Cybersecurity Law and the Defense Industrial Base: Fragmentation, Implementation Lag, and the Case for Reform

A practitioner analysis of how FISMA, DFARS, CMMC, CIRCIA, and sector-specific statutes interact — and where the current framework still breaks down.

CMMC
DFARS
FISMA
Policy
Supply Chain

Practical Apr 19, 2026

NIST SP 800-171 Revision 3 Is Published. Your CMMC Assessment Still Uses Revision 2.

CMMC 2.0 still references NIST SP 800-171 Rev 2, but NIST published Rev 3 in May 2024. Here is what the version gap means for your SSP, C3PAO assessment, and compliance roadmap.

CMMC
NIST
Compliance
DIB

Practical Apr 19, 2026

SPRS Scoring: How to Self-Score Your NIST SP 800-171 Assessment

How the DoD SPRS scoring methodology works, what the -203 to 110 scale means, and what common scoring mistakes cost contractors at award time.

CMMC
DFARS
Compliance
DIB

Blog

No posts match these filters

Highlighted Reading

Current and Expected Adjustments to Cybersecurity Compliance for a Healthcare-Sector Cybersecurity Startup

More Posts

The FFIEC CAT Sunset: What Healthcare Can Learn from a Parallel-Sector Compliance Change

EO 14110 to EO 14179: Why Federal AI Policy Is an Unstable Compliance Anchor

Cross-Border Health Data Flows: When HIPAA Is Not Enough Because the Data Crossed a Border

Washington's My Health My Data Act and the Gap HIPAA Does Not Cover

The 2024 HIPAA Reproductive Health Privacy Rule Was Mostly Vacated. What That Means for Your Program.

Reading the Compliance Status Legend: Why 'Emerging' Is a Useless Tag

IoMT Segmentation: Why FDA's 2026 Cybersecurity Guidance and NIST SP 800-82 Now Converge

FDA Predetermined Change Control Plans for AI-Enabled Medical Devices: What a PCCP Actually Is

CIRCIA 72-Hour Reporting for Healthcare: How It Layers on HIPAA, FTC HBNR, and State Breach Law

NIST CSF 2.0's Govern Function and What Healthcare Boards Now Have to Own

HICP and the Recognized Security Practices Safe Harbor: The OCR Enforcement Mitigation Most Programs Miss

OCR's Risk Analysis Initiative and the $250,000 Cascade Eye Settlement: What It Tells You About Current Enforcement

Single-Artifact, Multi-Authority Evidence Engineering for Healthcare Compliance

The Cross-Jurisdiction AI Compliance Stack for Healthcare Vendors

Post-Quantum Cryptography for Healthcare: Why Harvest-Now-Decrypt-Later Means You Start the Inventory Now

The HIPAA Security Rule NPRM: A Control Roadmap Before the Final Rule Lands

Change Healthcare and Business Associate Risk: What Healthcare Supply Chains Need to Prove

Healthcare Ransomware Control Priorities: The NIST 800-53 Families To Move First

Why HIPAA Compliance Is Not Enough: A NIST Control Roadmap After Change Healthcare

NIST vs HITRUST, ISO 27001, COBIT, and CIS: Which Framework Fits Healthcare Compliance?

Prioritized Controls for Compliance: A Healthcare Case Study of UnitedHealth Group

The CIS Controls v8 IG1 → NIST SP 800-171 Crosswalk for DIB Contractors

Inside a CMMC Level 2 Journey: A Mid-Tier DIB Contractor Case Study

AI-Enabled Threats Against Defense Contractors: How ADSAI Is Changing the Attack Surface

CMMC 2.0 Levels, Assessment Paths, and What Certification Actually Costs

CMMC POA&M Rules: The 80 Percent Threshold, 5/3-Point Restriction, and 180-Day Window

CUI vs FCI: What the Difference Means for Your DFARS and CMMC Obligations

DFARS 7012 Incident Reporting: What to Include in a 72-Hour Cyber Incident Report

The DFARS Clause Stack: What 7012, 7019, 7020, and 7021 Actually Require

Federal Cybersecurity Law and the Defense Industrial Base: Fragmentation, Implementation Lag, and the Case for Reform

NIST SP 800-171 Revision 3 Is Published. Your CMMC Assessment Still Uses Revision 2.

SPRS Scoring: How to Self-Score Your NIST SP 800-171 Assessment

Blog

Blog filters

No posts match these filters

Highlighted Reading

Current and Expected Adjustments to Cybersecurity Compliance for a Healthcare-Sector Cybersecurity Startup

More Posts

The FFIEC CAT Sunset: What Healthcare Can Learn from a Parallel-Sector Compliance Change

EO 14110 to EO 14179: Why Federal AI Policy Is an Unstable Compliance Anchor

Cross-Border Health Data Flows: When HIPAA Is Not Enough Because the Data Crossed a Border

Washington's My Health My Data Act and the Gap HIPAA Does Not Cover

The 2024 HIPAA Reproductive Health Privacy Rule Was Mostly Vacated. What That Means for Your Program.

Reading the Compliance Status Legend: Why 'Emerging' Is a Useless Tag

IoMT Segmentation: Why FDA's 2026 Cybersecurity Guidance and NIST SP 800-82 Now Converge

FDA Predetermined Change Control Plans for AI-Enabled Medical Devices: What a PCCP Actually Is

CIRCIA 72-Hour Reporting for Healthcare: How It Layers on HIPAA, FTC HBNR, and State Breach Law

NIST CSF 2.0's Govern Function and What Healthcare Boards Now Have to Own

HICP and the Recognized Security Practices Safe Harbor: The OCR Enforcement Mitigation Most Programs Miss

OCR's Risk Analysis Initiative and the $250,000 Cascade Eye Settlement: What It Tells You About Current Enforcement

Single-Artifact, Multi-Authority Evidence Engineering for Healthcare Compliance

The Cross-Jurisdiction AI Compliance Stack for Healthcare Vendors

Post-Quantum Cryptography for Healthcare: Why Harvest-Now-Decrypt-Later Means You Start the Inventory Now

The HIPAA Security Rule NPRM: A Control Roadmap Before the Final Rule Lands

Change Healthcare and Business Associate Risk: What Healthcare Supply Chains Need to Prove

Healthcare Ransomware Control Priorities: The NIST 800-53 Families To Move First

Why HIPAA Compliance Is Not Enough: A NIST Control Roadmap After Change Healthcare

NIST vs HITRUST, ISO 27001, COBIT, and CIS: Which Framework Fits Healthcare Compliance?

Prioritized Controls for Compliance: A Healthcare Case Study of UnitedHealth Group

The CIS Controls v8 IG1 → NIST SP 800-171 Crosswalk for DIB Contractors

Inside a CMMC Level 2 Journey: A Mid-Tier DIB Contractor Case Study

AI-Enabled Threats Against Defense Contractors: How ADSAI Is Changing the Attack Surface

CMMC 2.0 Levels, Assessment Paths, and What Certification Actually Costs

CMMC POA&M Rules: The 80 Percent Threshold, 5/3-Point Restriction, and 180-Day Window

CUI vs FCI: What the Difference Means for Your DFARS and CMMC Obligations

DFARS 7012 Incident Reporting: What to Include in a 72-Hour Cyber Incident Report

The DFARS Clause Stack: What 7012, 7019, 7020, and 7021 Actually Require

Federal Cybersecurity Law and the Defense Industrial Base: Fragmentation, Implementation Lag, and the Case for Reform

NIST SP 800-171 Revision 3 Is Published. Your CMMC Assessment Still Uses Revision 2.

SPRS Scoring: How to Self-Score Your NIST SP 800-171 Assessment