🛡️ Public data only — no PHI permitted on this instance.

Cybersecurity / HIPAA Risk Scorecard

12-domain control maturity · incident history · ransomware preparedness · threat vectors · compliance frameworks · 3P vendor risk — 1,705 corpus deals

Cyber Score

72/100

Risk Tier

ADEQUATE

Records in Scope

2,850,000

Insurance

$50M

Annual Spend

$8.5M

Control Domains

Vendors at Risk

Corpus Deals

1,705

Cyber Posture
Score 72/100 · Tier ADEQUATE · 2,850,000 PHI records in scope
$50M insurance tower · $8.5M annual spend · 3 HHS-reportable incidents LTM

Control Domain Maturity vs Industry Benchmark

Domain	Maturity	Benchmark	Gap	NIST Tier	Last Audit	Findings
Identity & Access Management	72	75	-3	Tier 3 (Repeatable)	2024-11-15	4
Endpoint Security (EDR/XDR)	85	82	+3	Tier 4 (Adaptive)	2024-12-08	2
Network Segmentation	68	72	-4	Tier 3 (Repeatable)	2024-10-22	6
Vulnerability Management	78	78	+0	Tier 3 (Repeatable)	2025-01-15	3
Data Protection / Encryption	82	80	+2	Tier 3 (Repeatable)	2024-11-30	2
Security Operations / SIEM	65	72	-7	Tier 2 (Risk-Informed)	2024-09-18	8
Incident Response	70	70	+0	Tier 3 (Repeatable)	2024-10-01	5
Business Continuity / DR	62	68	-6	Tier 2 (Risk-Informed)	2024-08-15	7
Third-Party Risk Management	58	65	-7	Tier 2 (Risk-Informed)	2024-07-20	12
Security Awareness Training	78	75	+3	Tier 3 (Repeatable)	2024-12-01	3
Governance / Risk / Compliance	75	72	+3	Tier 3 (Repeatable)	2024-11-08	4
Cloud Security Posture	72	70	+2	Tier 3 (Repeatable)	2024-10-30	5

Incident History (LTM)

Date	Incident Type	Scope	Records	HHS Reportable	Cost ($M)	Status
2024-02-21	Phishing (credential harvesting)	Single department	485	NO	$0.120	closed — no notification
2024-06-10	Lost unencrypted device	1 employee laptop	2,850	YES	$0.385	notifications complete
2024-09-22	Vendor breach (exposed portal)	EHR vendor Y outage	12,500	YES	$1.250	notifications complete + OCR response
2024-11-08	Ransomware attempt (blocked by EDR)	Zero successful encryption	0	NO	$0.085	closed — no impact
2025-01-22	Insider improper access	Single physician	285	YES	$0.045	HHS notification; employee terminated
2025-03-08	Business email compromise	Finance phishing attempt	0	NO	$0.220	closed — no funds lost

Ransomware Preparedness

Capability	Maturity	RTO (hr)	RPO (hr)	Last Tabletop	Gap
Immutable Backups (WORM)	strong	8	4	2025-01-15	well-implemented
Offline Backup Validation	strong	8	4	2025-01-15	quarterly tests passing
Network Segmentation (EHR/Corp)	moderate	12	6	2024-10-22	IoT/medical device VLAN incomplete
EDR on All Endpoints	strong	1	0	continuous	100% coverage
Email Security (Phishing Defense)	strong	0	0	continuous	Proofpoint + Abnormal
MFA on All Privileged Access	moderate	0	0	2024-12-08	85% coverage, service accts remaining
Ransomware Tabletop Exercise	moderate	0	0	2024-10-01	annually — increase to semi-annual
Cyber Insurance (Ransomware Cov)	strong	0	0	2025-01-01	$50M aggregate — renewal Q1 2026
Legal / FBI Notification Playbook	strong	2	0	2024-11-15	retainer active
Crypto Payment Preparedness	strong	0	0	n/a (no-pay policy)	cold-wallet partner

Threat Vector Exposure

Threat Vector	Probability	Financial Impact ($M)	Industry Incidence	Mitigation
Ransomware (Sector-Wide)	high	$18.50	32.0%	active defense
Third-Party Vendor Breach	high	$12.50	42.0%	enhanced TPRM 2025
Phishing / Credential Theft	very high	$2.80	68.0%	continuous training + email sec
Insider Threat (Malicious)	medium	$4.50	8.0%	UEBA monitoring
Supply Chain Attack	medium	$8.50	12.0%	SBOM review + vendor SOC 2
Medical Device Exploitation	medium	$5.20	15.0%	network segmentation
Nation-State APT	low	$35.00	2.0%	MDR / 24x7 SOC
DDoS (Operational)	medium	$1.20	18.0%	Cloudflare mitigation

Compliance Framework Coverage

Framework	Scope	Status	Coverage	Last Assessment	Remediation ($M)
HIPAA Security Rule	All PHI	compliant	92%	2024-11-15	$0.18
HIPAA Privacy Rule	All PHI	compliant	95%	2024-11-15	$0.08
HIPAA Breach Notification	All systems	compliant	100%	2024-11-15	$0.00
HITRUST CSF Certification	Core platform	r2 certified 2024	88%	2024-08-30	$0.45
SOC 2 Type II	Customer-facing platforms	passed 2024	100%	2024-10-20	$0.32
PCI-DSS (Payment)	Payment channels	compliant	98%	2024-09-15	$0.08
ISO 27001	Core platform	certified 2023	92%	2023-12-15	$0.28
NIST 800-66r2 (HIPAA)	All systems	aligned	85%	2024-11-15	$0.22
HHS 405(d) HICP	Clinical systems	aligned	78%	2024-08-30	$0.35
CMMC 2.0 (federal)	N/A (no federal contracts)	not applicable	0%	N/A	$0.00

Third-Party / Vendor Exposure

Third Party	Access Scope	BAA	SOC 2 Status	Last Review	Risk Score
Epic EHR (hosted)	All PHI	BAA current	SOC 2 Type II current	2024-10-15	22
Waystar (RCM)	Claims data	BAA current	SOC 2 Type II current	2024-09-22	28
Microsoft Azure	Infrastructure	BAA current	SOC 2 Type II current	2024-11-08	18
Salesforce Health Cloud	Patient CRM	BAA current	SOC 2 Type II current	2024-08-20	32
Zoom Healthcare	Telehealth video	BAA current	SOC 2 Type II current	2024-10-02	25
Vendor X (RCM BPO offshore)	Claims processing	BAA current	SOC 2 Type I only	2024-06-18	62
Regional Lab Network	Test results	BAA current	SOC 2 Type II current	2024-07-30	42
Nuance / DAX Copilot	Clinical documentation	BAA current	SOC 2 Type II current	2024-11-15	28
Twilio / SMS	Patient comms	BAA current	SOC 2 Type II current	2024-10-22	35
Abnormal Security (email)	Email metadata	BAA not required	SOC 2 Type II current	2024-09-10	22

Cyber Risk Thesis: Overall score 72/100 (tier: adequate). Strong controls on endpoint, data protection, and training; underinvested in SOC/SIEM, BCP/DR, and third-party risk management. Ransomware readiness is strong — immutable backups, EDR everywhere, $50M cyber tower. Post-Change Healthcare (Feb 2024), the sector-wide ransomware impact benchmark is $22B — platform exposure proportional to PHI footprint and vendor density. Most material third-party risk: offshore RCM BPO (SOC 2 Type I only — upgrade required) and Salesforce Health Cloud (high-access PHI scope). Compliance posture solid — HIPAA, HITRUST r2, SOC 2 Type II, PCI-DSS, ISO 27001 all current. Remediation budget required $1.96M to close gaps over next 6-9 months.