VRC: Proactive and Proven

Why Compliance Alone Isn’t Enough Anymore

New Podcast Episode:

Passing an audit is important, but it doesn’t tell you what an attacker can actually reach. In this episode, Rob and Dawn share a major VanRein Compliance announcement: the launch of penetration testing and vulnerability scanning, built to help clients move beyond paper compliance and validate what’s really happening inside their environments.

From HIPAA and SOC 2 to ISO, HITRUST, NIST, and increasingly detailed client security questionnaires, this conversation explains why proactive testing is no longer a nice-to-have. It’s how organizations find the gaps, prove what’s working, and build trust before an incident, audit, or customer request forces the issue.

In This Episode:

  • Compliance vs. Real Security — why passing an audit doesn’t automatically mean your environment is secure

  • Why We Built This — the recurring client need that made penetration testing and vulnerability scanning the next step for VRC

  • Vulnerability Scanning Explained — how recurring scans surface known weaknesses across endpoints, APIs, and external-facing assets

  • Pen Testing in the Real World — combining automated and manual ethical hacking to validate whether attackers can actually get in

  • Monthly Scans + Annual Testing — creating an ongoing rhythm of visibility, remediation tracking, and retesting

  • Framework Alignment That Matters — how testing strengthens HIPAA, SOC 2, ISO, HITRUST, NIST, and security questionnaire readiness

  • Under One Roof — reducing coordination headaches by integrating testing directly into your existing compliance program

  • From Reactive to Proactive — using real validation to improve security posture, audit outcomes, and client confidence

If your organization has the policies, the documentation, and even the audit results, but still lacks proof that your environment can stand up to real-world threats, this episode offers a practical roadmap for closing that gap. Listen now (and attentive listeners may want to stick around until the end for a free surprise 😉).


2026 hit the ground running and aimed straight for the fast lane! We have been discussing the upcoming changes to HIPAA and the evolution of cybersecurity protections as they move from recommendations to requirements. We spent the first three months of the year outlining those changes and the impact they have on your business and the blood, sweat, and tears you have invested into your company.

Over the last year, VanRein Compliance has moved our partners into this new mindset because the time for talk is running out.

The Evolution of HIPAA

HIPAA is growing up. As with everything that grows, there are often growing pains, but that does not need to happen to you. HIPAA is going to force new levels of Cyber Maturity that many have likely not anticipated or prepared for yet. Team VRC takes on much of that responsibility for our partners.

As HIPAA and cybersecurity efforts expand and integrate, VRC has been working proactively to ensure your plans and policies result in positive, next-level performance.

The Importance of Being Proactive

Proactive is a word we use often and it is intentional. Serious efforts are needed to take protected health information and other sensitive personal data, and minimize its exposure to bad actors. Reacting to breaches is no longer acceptable. It will cost you time and a lot of money going forward. Depending on the severity, a breach can also permanently damage your company’s reputation. Paper compliance must move to proven security.

An intense VRC effort has been to ensure the concierge level service we provide our partners is never compromised. This has resulted in an entirely new level of service and care we have put into our comprehensive Proactive Services.

VRC Proactive Services

What are these services?

  • AI Governance

  • Tabletop Exercises (TTX)

  • Penetration Testing

  • Vulnerability Scanning

  • NIST CSF 2.0 Alignment

What do these services do?

  • Assess your current state

  • Test your defenses

  • Identify critical gaps

  • Improve your security posture

Moving Beyond "Optional"

These services may sound like nice options. However, the reality is… they are not going to be optional anymore. Regulators, companies and vendors are going to require this information. If you cannot provide proof, you put the future of your business at serious risk. Save time, save money and reduce stress.

You have worked too hard to be successful. Your clients, your employees, and your family depend on you. We can help you:

  • Reduce breach impacts and downtime

  • Improve your regulatory readiness

  • Strengthen executive confidence

  • Enhance cyber resilience

  • Achieve higher levels of security maturity

  • Provide a clear roadmap for future success

Partnerships build confidence. Confidence builds vision. Vision builds growth. Growth builds trust and strength. Trust and strength build legacies.

The appetite of bad actors for personal and protected health information (PHI) remains insatiable. This trend is the driving force behind significant upcoming changes to HIPAA and its increased alignment with cybersecurity protocols. Getting your ducks in a row now is more critical than ever. Failing to take a proactive stance can lead to devastating financial consequences.

Below are examples of recent settled incidents and the costs of non-compliance.

Settled Incidents and Penalties

| Entity | Penalty/Settlement | Key Violations & Incident Type |
|---|---|---|
| Yale New Haven Health | $18 Million | Network breach; exposure of demographics and Social Security numbers. |
| McLaren | $14 Million | Single-case penalty following data breach. |
| Solara Medical Supplies | $3 Million | Phishing attack impacting 114,000+ people; 2-year monitoring required. |
| Warby Parker | $1.5 Million | Hacking attack; lack of risk analysis, risk management, and ePHI monitoring. |
| BayCare Health System | $800,000 | Failures in access management, risk management, and activity reviews. |
| PIH Health | $600,000 | Risk analysis failure and impermissible disclosure impacting 189,763 people. |
| Compassion Health Care | $600,000 | Class-action lawsuit settlement impacting 23,600 people. |
| Syracuse ASC | $250,000 | Risk analysis and notification failures; multi-year audits required. |
| Deer Oaks | $225,000 | Failures regarding risk analysis and disclosure. |
| Concentra | $112,500 | Right of access violations; multi-year security overhauls required. |
| Top of The World Ranch | $103,000 | Phishing breach and risk analysis failure. |

Incidents Under Investigation
Outcomes and final OCR penalties are still pending.

| Entity | Incident | Impact |
|---|---|---|
| Conduent Business Services (Third-Party Vendor) | Ransomware attack | 25 million people; names, DOBs, SSNs, and claim info exposed. |
| Aflac | Cyberattack | 13.9 million people; SSNs, IDs, and medical information exposed. |
| Episource LLC | Ransomware attack in AWS environment | 5.42 million people; PHI, contact details, and insurance info exposed. |

Proactive Protection Needed
Breaches are not slowing down, and the methods employed by bad actors are becoming increasingly sophisticated. Proactive plans, policies, and procedures are crucial, but if they don’t perform, they are useless.

VanRein Compliance has always operated with a proactive mindset. Our new and expanded Proactive Services are designed to keep your organization off the "Wall of Shame." We help you keep your capital in the bank to grow your business, rather than spending it to defend it.

Sponsor Spotlight

AI agents now read your docs almost as much as humans do.

Mintlify analyzed 790 million requests across its documentation platform. The finding: AI coding agents account for 45.3% of all traffic, nearly tied with traditional browsers at 45.8%.

Two tools are driving almost all of it:

  • Claude Code: 25.2% of total traffic, more requests than Chrome on Windows

  • Cursor: 18% of total traffic

  • Together they account for 95.6% of all identified AI agent traffic

The rest of the field, OpenCode, Trae, ChatGPT, and NotebookLM, is showing up but nowhere close.

One caveat: OpenAI's Codex doesn't send an identifiable user-agent header, so the real agent percentage is likely even higher.

The takeaway for anyone maintaining developer docs: your documentation now serves two audiences. Structure and machine-readability matter as much as clarity for human readers.

88% resolved. 22% loyal. Your stack has a problem.

Those numbers aren't a CX issue — they're a design issue. Gladly's 2026 Customer Expectations Report breaks down exactly where AI-powered service loses customers, and what the architecture of loyalty-driven CX actually looks like.

A VanRein Compliance Reminder
