The Hidden Gaps Putting Healthcare Data at Risk

The following is a guest article by Frank Balonis, CISO at Kiteworks

Healthcare organizations face a paradox: despite adopting advanced security technologies, they continue to suffer some of the highest data breach rates in any industry. The Kiteworks 2025 Data Security and Compliance Risk: Annual MFT Survey Report reveals why: it’s not a lack of tools, but gaps in governance that leave systems vulnerable.

Why Encryption Alone Isn’t Enough

Healthcare organizations have made significant strides in encrypting data in transit, with the survey reporting near-universal adoption. Yet 44% experienced managed file transfer (MFT) security incidents in the past year, and 22% suffered a breach—the highest among all sectors surveyed.

The problem lies in the “encryption gap.” While in-transit data is well-protected, only 11% of healthcare organizations encrypt data at rest. Patient records, medical imaging files, billing data, and research repositories remain exposed on storage systems and backups, creating easy targets for cybercriminals.

Fragmented technology landscapes compound the risk. Clinical, administrative, and research systems often operate in silos with inconsistent security policies, making it easier for attackers to exploit vulnerabilities.

The Five Governance Gaps That Drive Breaches

The survey highlights five critical areas where governance failures increase risk:

  1. Data Discovery Blindness: Many organizations cannot locate sensitive data across systems, leaving it unprotected; without full visibility, IT teams can’t secure what they cannot see
  2. Flow Mapping Failure: Patient files move constantly between providers, payers, labs, and pharmacies; yet 63% of organizations haven’t integrated MFT systems with security monitoring, creating blind spots
  3. Access Control Immaturity: While attribute-based access controls are common, many organizations fail to conduct regular reviews or automate deprovisioning, leaving former employees or vendors with lingering access
  4. Vendor Oversight Gaps: Third-party vendors are implicated in nearly 60% of healthcare breaches; many organizations rely on point-in-time questionnaires rather than continuous monitoring, leaving risks unchecked
  5. Analytics and Visibility Deficit: Many healthcare organizations don’t measure file access patterns or test incident response plans regularly, limiting their ability to detect and respond to threats

The Governance Multiplier Effect

Organizations that prioritize governance see dramatically lower incident rates. Financial services, for example, achieve nearly half the breach rate of healthcare not through larger technology budgets, but by combining discovery, monitoring, access control, and vendor oversight into a cohesive governance framework.

For healthcare, governance is more than compliance—it supports HIPAA administrative safeguards, ensures accurate breach reporting, and builds patient trust by demonstrating accountability. The 39% of organizations that avoid breaches entirely consistently apply governance best practices, from regular access reviews to continuous vendor monitoring.

AI Adds a New Layer of Risk

Artificial intelligence introduces additional governance challenges. The survey found 26% of organizations experienced AI-related incidents, while 30% allow uncontrolled AI use with sensitive files. Clinical decision support, administrative billing, and research AI tools often operate outside traditional security controls, creating new exposure pathways.

Effective AI governance requires integrating AI tools into existing frameworks: track access, include AI transactions in flow mapping, enforce controls, and measure risks regularly.

From Tools to Governance

Healthcare organizations are not failing due to a lack of tools—they spend millions on security software, vendor assessments, and access controls. The problem is disconnection. Without governance, these investments remain siloed and ineffective.

The path forward is clear: close the encryption gap, integrate monitoring, mature access governance, continuously monitor vendors, and measure what matters. These are practical, measurable actions that distinguish organizations that remain breach-free from those repeatedly compromised.

Patient safety depends on data integrity. Every unencrypted file, invisible transfer, or lingering access credential represents a potential breach. By prioritizing governance as rigorously as clinical protocols, healthcare organizations can reduce incidents, improve outcomes, and ensure their systems function as intended.

About Frank Balonis

Frank Balonis is the Chief Information Security Officer and Senior VP of Operations and Support at Kiteworks, with more than 20 years of experience in IT support and services. Since joining Kiteworks in 2003, Frank has overseen technical support, customer success, corporate IT, security and compliance, collaborating with product and engineering teams. He holds a Certified Information Systems Security Professional (CISSP) certification and served in the U.S. Navy. He can be reached at fbalonis@kiteworks.com.
