Sarcouncil Journal of Engineering and Computer Sciences

An Open access peer reviewed international Journal
Publication Frequency- Monthly
Publisher Name-SARC Publisher

ISSN Online- 2945-3585
Country of origin-PHILIPPINES
Impact Factor- 3.7
Language- English

Designing Compliance-Driven Cybersecurity Governance Models for HIPAA-Regulated Healthcare Systems

Keywords: Healthcare cybersecurity, Ransomware risk, Data breaches, Information security governance, Regulatory enforcement.

Abstract: Healthcare organizations continue to experience escalating ransomware attacks, third-party breaches, and operational disruptions despite widespread compliance with the Health Insurance Portability and Accountability Act (HIPAA). This pattern suggests that regulatory adherence alone does not ensure effective cybersecurity risk reduction. This study argues that the persistent gap between formal HIPAA compliance and real-world security outcomes is fundamentally a governance failure rather than a regulatory deficiency. Drawing on breach trend data from the HHS Office for Civil Rights, the Verizon Data Breach Investigations Report, and ransomware impact studies published in JAMA Health Forum, this paper demonstrates that weak executive oversight, diffuse risk ownership, inadequate third-party governance, and slow escalation processes contribute materially to breach severity and operational disruption. In response, the paper proposes a compliance-driven cybersecurity governance model that operationalizes HIPAA safeguards through structured accountability, defined decision authority, continuous oversight, and measurable governance performance indicators. The model integrates board-level risk oversight, executive risk ownership, compliance–security alignment, and operational enforcement into a unified governance system designed for vendor-dependent, clinically sensitive healthcare environments. An evaluation framework is introduced to assess governance effectiveness using behavioral metrics such as risk ownership completeness, escalation timeliness, vendor monitoring coverage, and incident containment performance rather than audit artifact completion. By reframing HIPAA compliance as an enforceable governance system rather than a documentation exercise, this study contributes a structured model for strengthening healthcare cybersecurity resilience and establishes a foundation for future empirical validation of governance-driven risk reduction.
