The VRC Newsletter (September 17)
Reality Check: Compliance ≠ Security
Compliance Isn’t Always Security
You’ve checked all the boxes. Your organization passed the HIPAA audit. Your SOC 2 report came back clean. Your ISO certification is proudly displayed. So… you’re secure, right?
Not necessarily.
We are in a high-threat environment, with a significant increase in cyberattacks happening now, and compliance is just the starting line—not the finish line. A recent cyberattack on the State of Nevada brought government operations to its knees. In fact, some of the most high-profile breaches happened to fully “compliant” organizations. Why? Because compliance measures often capture a moment in time, while threats are ongoing and adaptive. Ransomware attacks, phishing campaigns, AI-driven social engineering—none of these threats wait for your next annual audit.
Here’s the truth: Security is a living process.
Being compliant means you’ve implemented controls. But staying secure means you’re testing them. Challenging them. Updating them. It’s why regulators and standards bodies like OCR, ISO, and NIST all emphasize continuous monitoring, incident response, and risk reassessment—not just policies on paper.
Checking Boxes Is Not Enough
Compliance is foundational, but it doesn’t absorb today’s threat velocity. Two facts worth sitting with:
Most breaches still involve people. Verizon’s 2024 DBIR found the human element in 68% of breaches (phishing, misuse, errors). Policies alone won’t stop social engineering or rushed clicks.
Breaches are costly and rising. IBM’s 2024 report pegs the average breach at $4.88M, factoring disruption, response, and lost customers. Even well-audited orgs are not insulated from that bill.
“But we’re compliant.” So was Target.
Target had been certified PCI-DSS compliant in September 2013. Two months later, attackers stole 40M+ payment cards after entering via a vendor account and planting POS malware. The Senate’s post-mortem noted missed alerts and network isolation issues, classic examples of where ongoing security diligence, not checkbox compliance, makes the difference.
Security Beyond Compliance
Treat your certification as the floor, not the ceiling. Build the day-to-day habits that keep you resilient between audits:
Continuous risk analysis, not annual only. Update risks when systems, vendors, or data flows change; that’s exactly what regulators expect (HIPAA calls risk analysis an ongoing process).
Exercise your response muscle. Run tabletop exercises for ransomware, vendor compromise, and AI-enabled phishing. Validate comms trees, backups, and decision authority.
Harden the human layer. Move beyond one-time training: run phishing simulations, coach prompt hygiene for LLMs, and reinforce “report, don’t hide” culture.
Monitor continuously. Turn on prompt/output logging for AI tools, endpoint telemetry, identity alerts, and external attack surface scans; review weekly.
Close the vendor gap. Require evidence (model cards, retention/region details, “no training on your data”), contractual SLAs, and quarterly attestations, especially for AI-powered features.
Adopt a living framework. Map controls to NIST CSF 2.0 and keep them current through operational reviews—not just audit prep.
VRC: Your Compliance + Security Partner
If you want security to stick, make it operational:
Disaster Recovery Tabletop: test your IR/DR plan against realistic scenarios.
Phishing & Social Engineering Simulations: measure, coach, and improve the human layer.
AI Risk & Governance Reviews: log prompts/outputs, set retention, vet vendors, and align to ISO 42001.
Vendor Oversight Program: questionnaires tuned for AI, evidence requests, and contract addenda.
VRC1 Workspace: centralize training, evidence, and reviews so improvements are visible—not theoretical.
📬 Already a VRC client? We can bundle our services, saving you money and time!
Bottom line
Audits prove you have controls. Proactive practice proves they work. The organizations that win are the ones that treat compliance as a foundation and invest in continuous testing, monitoring, and improvement. That’s how you reduce real risk, speed security reviews, and protect your brand between audit anniversaries.
📞 Ready to move beyond the checklist?
Schedule a Proactive Defense Session to pressure-test your program (tabletops, phishing, AI governance, vendor oversight) and turn compliance into durable security.

2025 Wall of Shame at a Glance
To ground this week’s reality checks in facts, we pulled the 2025 year-to-date data from HHS OCR’s breach portal. The numbers show where incidents actually happen, who’s getting hit, and how fast totals are climbing. Use this snapshot to target your Q4 efforts: tighten email defenses, harden server monitoring, pressure-test incident response, and double-check vendor oversight before year-end.
Overview
Total breaches: 426
Total individuals affected: 33,007,935
Entity Type
Healthcare Providers: 316 (74.2%)
Business Associates: 82 (19.2%)
Top Breach Types
Hacking/IT Incident: 343 (80.5%)
Unauthorized Access/Disclosure: 77 (18.1%)
Theft: 5 (1.2%)
Improper Disposal: 1 (0.2%)
Top Locations of Breached Information
Network Server: 250 (58.7%)
Email: 115 (27.0%)
Paper/Films: 20 (4.7%)
Electronic Medical Record: 13 (3.1%)
Other: 10 (2.3%)
Data Reflection
Hacking/IT Incidents dominate and overwhelmingly hit network servers and email—that’s where your controls, monitoring, and drills should be strongest.
Healthcare providers account for the majority of reported incidents; business associate exposures are still significant and often affect multiple downstream clients.
The year isn’t over yet, so totals will definitely climb. Don’t wait for surprises. Take control, finish strong, and show your clients, partners, and auditors that you’re not just compliant—you’re ready.
ASTAA Conference
🎉 We’re LIVE in ASTAA!
📍Hilton Baltimore, MD
📅 Tuesday-Thursday, September 16–18
ChiroFEST
📍 Hilton Vancouver, WA
📅 Friday-Saturday, September 19–20
👋 Come Visit the VRC Booth!
✨ Exclusive Promos – Get access to special offers available to all attendees!
1️⃣ Discover VRC1 – Ask us about the platform that’s changing the game in compliance management with smarter workflows, better visibility, and audit-ready tools.
Your Audit Isn’t the End—It’s Just the Beginning
It’s easy to breathe a sigh of relief after passing an audit or receiving your compliance certification. But the real question is: Now what? Many organizations assume they’re “done” once they check the boxes. The truth? Compliance isn’t a project you complete. It’s a program you maintain.
Organizations that treat compliance as a once-a-year effort are the most vulnerable between audits.
Proof in the Headlines
We’ve seen time and again that even fully compliant companies still get breached. They weren’t negligent—they simply stopped evolving once the audit was over.
Anthem was HIPAA compliant before its massive breach in 2015 exposed 78.8 million records. The root cause? A spear-phishing email, not a missing policy.
Equifax was PCI-DSS certified when it suffered a breach that impacted 147 million people. An expired digital certificate was the missed detail.
A 2023 healthcare breach involved a business associate who had passed a third-party security review but failed to patch a known vulnerability.
These examples show what we’ve been saying for years: Compliance ≠ immunity. Threats move fast. Your security and compliance posture should too.
Ongoing Compliance
Real security happens between the audits. Here's what high-performing organizations do year-round:
Update risks quarterly based on changes in infrastructure, vendors, or services.
Train teams regularly with refreshers and simulated attacks (phishing, ransomware).
Track compliance evidence and changes in a central workspace (like VRC1).
Validate incident response through real-world tabletop exercises.
Review vendors with updated security questionnaires and AI risk assessments.
Audit controls internally to ensure policies aren’t just on paper—they’re working.
It’s not about doing more, it’s about doing what matters consistently.
Let VRC Do the Heavy Lifting
VanRein Compliance clients don’t just get audit prep. You get a proactive partner that stays with you after the audit:
✅ Monthly or quarterly cadence calls
✅ Live evidence and workflow tracking in your VRC1 Workspace
✅ Ongoing access to our training library (HIPAA, SOC 2, Cybersecurity, and more)
✅ Add-on services like DR tabletop exercises, phishing simulations, and AI audits
✅ Support when vendors, systems, or risks change
Whether you're preparing for your first audit or navigating year two, we’re here to keep your compliance program active, adaptive, and airtight.
✅ Need help keeping your compliance program alive between audits?
Let’s talk. Your dedicated VRC team is just a call away.