Building a security program: It’s not just IT
by Eric Hummel, MS CS, InfoSec

» Executive leadership must be invested in the security program.
» Create a security program led by a compliance officer who has been trained in cybersecurity.
» Build the governance structure first.
» Propose a realistic budget.
» The security program consists of a set of projects led by domain leaders (HR, Facilities, IT, Administration, Clinical, etc.).

As the saying goes, “To a hammer, all problems look like a nail.” Most healthcare companies start their Health Insurance Portability and Accountability Act (HIPAA) security program by assigning responsibility and accountability to a manager of Information Technology (IT). This creates a bias within the organization that security compliance is an IT issue. In reality, much of security does not directly involve IT. The result is that non-IT risk gets overlooked, and the IT team takes on a security enforcement duty that is both uncomfortable and ineffective.

The need for security compliance is not going away. It is rapidly taking on increased importance in all organizations. Losses are starting to become significant and threats are increasing. Security is an ongoing requirement for all organizations in the 21st century. A security program needs to be built for efficiency and longevity. It needs to manage risk in a way that also meets the compliance requirements of HIPAA and state laws. This makes the choice of an organizing principle for your security program much

Merging the twin requirements of HIPAA compliance and the need to manage risk in medium or small healthcare organizations is challenging at best. The compliance side demands that a thoroughly documented program be in place that meets certain minimum requirements. The risk side of security needs to meet the real threats of ransomware and data breaches that harm reputation and the bottom line. In many communities, expertise is neither affordable nor available to plan and lead in this complex situation. But these are compatible requirements, particularly when managed as a single program.

Left searching for cost-effective options, organizations reflexively turn to their IT staff, assigning the Chief Information Officer (CIO) or an IT manager the new responsibility for security compliance. This person is proficient in technology and possibly technical data security, but they are rarely experienced in organizational risk management. Beyond having the added burden of planning, execution, and continuous monitoring of risk and compliance, they also must lead a program that encompasses workflows throughout the

Eric Hummel (email@example.com) is Chief Technology Officer at QI Partners, LLC in Rockville, MD.