The $375K Security Tax on Small Hospitals

March 2025 · 6 min read

HHS Office for Civil Rights processed 725 healthcare data breach investigations in 2023. The average breach hit 180,000 patient records and cost $10.9 million to clean up.

The organizations getting breached most often aren't Ascension or HCA Healthcare. They're 200-bed community hospitals, rural critical access facilities, outpatient clinic networks. Three IT staff. A $400K annual IT budget. A "compliance team" that's really the CFO reading HHS guidance on weekends.

These organizations have to meet the same HIPAA Security Rule requirements as Mayo Clinic. They get sold the same enterprise security products. And they get charged the same enterprise prices.

What "enterprise EDR" actually costs a 1,000-endpoint hospital

Here is the math the sales decks never show.

SentinelOne Singularity Complete — the tier that includes actual EDR, behavioral AI, and incident response — lists at roughly $180 per endpoint per year. For a 1,000-endpoint hospital that's $180,000/year. That's before the reseller margin (typically 20-30%), before the professional services engagement to deploy and configure it ($30-50K is normal), and before the dedicated analyst you need to actually respond to the alerts it generates.

First-year cost: easily $270,000-$375,000.

CrowdStrike is similar. Falcon Pro starts around $100/endpoint/year. Falcon Complete, the managed service that actually includes analysts who respond to threats, runs $300+ per endpoint per year. A 1,000-endpoint hospital on Falcon Complete: $300,000/year minimum.

Microsoft Defender for Endpoint P2, the tier with real EDR capability, requires Microsoft 365 E5 licensing at $57/user/month. For 1,000 users: $684,000/year. E5 includes a lot more than just EDR. It also includes a lot of things a 200-bed hospital will never need and will never configure.

These numbers aren't controversial. They're what enterprise vendors publicly charge. What should be controversial is the expectation that organizations with a $400K total IT budget should spend 75-90% of it on a single security product.

The compliance consulting layer on top

Here's what pricing comparisons leave out: the HIPAA compliance burden that every EDR vendor hands back to you.

SentinelOne, CrowdStrike, Microsoft Defender — none of them ship a HIPAA compliance dashboard. None of them track your Security Rule controls. None of them generate a PHI access report you can hand to an OCR investigator.

They give you telemetry. How you map it to HIPAA 164.312(b) audit controls, how you generate the tamper-evident audit trail, how you produce a breach notification report — that's your problem.

Which means it's your compliance consultant's problem. At $200-300/hour. For 100-200 hours per year to maintain your compliance posture and respond to audit inquiries.

Add $20-60K per year to the numbers above.

The staffing assumption that doesn't hold

Enterprise EDR platforms are designed for organizations with a Security Operations Center. They generate alerts. A lot of alerts. The assumption baked into the product is that a team of analysts will triage those alerts, investigate the true positives, and execute response actions.

A 200-bed community hospital doesn't have a SOC. It has two IT generalists and a part-time contractor who handles patching. When CrowdStrike or SentinelOne generates 500 alerts in a week, nobody investigates any of them. The product becomes expensive shelfware that checks a box on the annual HIPAA audit and does nothing else.

Huntress understood this and built around it. Their managed SOC model means human analysts handle triage on your behalf. That's a real improvement over raw enterprise EDR for smaller organizations. But at $9/endpoint/month, a 1,000-endpoint hospital still pays $108,000/year. And a third-party SOC with access to your clinical workstations is a HIPAA conversation your legal team will want to have before you sign.

Why the market ignores this segment

The 500-2,000 endpoint healthcare segment keeps getting described as "underserved" in market research. The research is right. What it misses is why.

A hospital IT director who runs the EHR, the clinical imaging network, the patient portal, staff workstations, and the medical device fleet with two people is not an unsophisticated buyer. They're a constrained one. The constraint is budget, not knowledge.

Community hospitals also get breached at higher rates than large health systems — partly because the large systems have bigger security teams and partly because attackers look for targets with high data value and low defensive investment.

The real reason this segment is underserved is simpler: enterprise security vendors built their products and their pricing for a different customer. The channel incentives, the sales motion, the product complexity, the per-endpoint pricing — all of it assumes a large IT organization with a dedicated security budget. The products aren't bad. They're just for someone else.

What it should cost

We built Bastion for this segment. Starter is $5/endpoint/month. Professional, which includes the HIPAA and FERPA compliance dashboards, SIEM integration, and auto-response playbooks, is $7/endpoint/month.

A 1,000-endpoint hospital on Bastion Professional: $7,000/month, $84,000/year. HIPAA compliance dashboard included. Tamper-evident audit trail included. PHI encryption at rest included. Breach notification workflow included.

That's not a discount off enterprise pricing. It's a price built from the cost structure of a product designed for this segment. A Rust-native agent that runs on aging hardware without dedicated analysts, with compliance built into the product instead of outsourced to a consultant.

The $375K tax isn't inevitable. It's what happens when you buy products built for someone else.

We have a 14-day trial if you want to see it: no credit card, up to 25 endpoints.