The Healthcare Insurance Portability and Accessibility Act (HIPAA) of 1996 (which is still not yet in full force) required the appointment of a Security Officer in the preliminary draft of the Information Security regs.
However, now, six years later, we are still awaiting the final Info Sec regs. Most cheap hospitals (sorry for being redundant) appear to have made a decision not to hire a Security Officer until the day the regs are due to go into full effect. Not my idea of "planning ahead", but I am not at the level to be making those decisions. I am a "lowly" senior IT Auditor (with 15 years' experience), or so they think.
Delaying the hiring of a Security Officer will dramatically increase the long-term cost of security. Unfortunately, management has no "vision". For that they will pay a high price.
I did IT Audit for a dozen years in Banking. They almost always had a Security Dept. The four healthcare CIOs I now deal with look at me dumbfounded when I tell them that. Only one has dedicated Info Sec people. One has assigned it to the Network Services Director, two seem to hope it will kind of take care of itself. "After all, Roger, you don't know how tight my budget is". I just point it out in my audit reports and walk away.
Bottom line, security is radically different by industry. Healthcare is probably the worst.
Any challengers?
Roger T.