In this episode of the HIPAA Insider Show, we sit down with Larry Trotter II, Founder of Inherent Security, to unpack a hard truth in healthcare sales:
You can sign every BAA, check every box on the HIPAA security questionnaire, and still lose the deal. Why? Because enterprise healthcare buyers don’t just evaluate answers — they evaluate security maturity.
Listen on Spotify
Watch the full episode on YouTube
Why Health Systems “Ghost” Vendors After Security Review
You’ve cleared procurement. The buyer likes your product. ROI makes sense.
Then the security questionnaire lands.
And suddenly… silence.
Larry shares a reality many startups don’t want to hear:
- “If I see everything marked 100%, that raises a flag — because no one is 100%.”
Healthcare security teams review hundreds of vendors. When every answer is “Yes,” experienced buyers start cross-checking aggressively.
Perfect answers don’t build trust.
Evidence does.
What Enterprise Buyers Actually Look For
During the episode, we break down the maturity signals healthcare organizations expect to see behind your HIPAA security questionnaire.
1. A Real HIPAA Risk Assessment
The HIPAA Security Rule requires a documented risk analysis (45 CFR §164.308(a)(1); see the official HHS guidance).
Yet it remains one of the most common compliance failures.
A mature risk assessment includes:
- Identified threats and vulnerabilities
- Risk scoring methodology
- A living risk register
- Clear mitigation timelines
Not a template. Not a one-time PDF.
If your infrastructure isn’t architected with healthcare safeguards in mind, gaps surface quickly here.
→ Explore HIPAA-Compliant Cloud Infrastructure
Purpose-built for healthcare SaaS handling PHI.
2. Continuous Monitoring (Not Just Alerts Turned On)
Another major gap discussed in the episode is monitoring.
Many companies believe enabling cloud alerts equals security monitoring.
It doesn’t.
Larry explains:
- “You might have controls in place, but if you’re not monitoring continuously, it’s hard to prevent something.”
Enterprise buyers want to see:
- Centralized log aggregation
- Threat detection workflows
- Outbound traffic monitoring
- Data Loss Prevention (DLP) controls
The NIST Cybersecurity Framework reinforces continuous monitoring as a core security function.
If you can’t demonstrate how threats are detected and escalated, questionnaires become liabilities.
→ See how HIPAA Vault Hosting Solutions reduce monitoring burden
AI in Healthcare: Governance Is Not Security
Healthcare organizations want AI-driven efficiency — but they’re cautious.
Larry didn’t mince words:
- “The AI graveyard is not going to have enough room this year.”
There’s a growing confusion between AI governance (transparency, explainability, validation) and AI security (protecting models, training data, and infrastructure).
You can document governance perfectly.
But if your AI system is vulnerable to:
- Model poisoning
- Data leakage
- Unauthorized access
Healthcare buyers will walk away.
Security must be embedded at the infrastructure layer — not bolted on after product launch.
The Startup Advantage: Embed Security From Day One
Startups actually have the advantage.
They can embed compliance and security into the foundation before habits form.
That means:
- Secure development lifecycle (SDLC) from the start
- Automated vulnerability scanning
- Defined risk tolerance
- Security included in engineering workflows
- CISO or vCISO oversight
When security is foundational, it doesn’t slow innovation.
When it’s reactive, it creates friction.
Stop Answering Questionnaires with Uncertainty
If you’re selling into healthcare and struggling with:
- Massive 200+ row security spreadsheets
- Inconsistent policy documentation
- Gaps between infrastructure and questionnaire answers
It may not be your sales process.
It may be your architecture.
→ Schedule a Free HIPAA Risk Assessment
Or explore infrastructure built specifically for healthcare.
HIPAA Penetration Testing—Go Beyond Automated Scans
Validate your security with an objective, third-party audit. We simulate real cyberattacks to uncover vulnerabilities and provide a comprehensive compliance report.