James F. Kenefick
Healthcare IT Compliance Is a Program, Not a Project


A lot of healthcare organizations still treat compliance like a milestone. Finish the assessment, close the gaps, update the policies, train the team, pass the review, and move on. That may satisfy a project plan, but it does not satisfy reality. In healthcare, compliance is not something you complete; it is something you sustain. The stakes make that clear: for the fourteenth year running, healthcare carries the costliest data breaches of any industry, averaging close to 10 million dollars per incident according to IBM research. Healthcare IT compliance is not a project. It is a program.


HIPAA is not a checklist you work through once a year. It is an operating posture you hold every day, across systems, people, vendors, workflows, access controls, and leadership decisions. That distinction matters because the risk is not static. Users change, devices change, vendors change, threats change, and workflows shift constantly. If compliance is being managed like a one-time initiative, it is already falling behind. This is exactly where managed IT services at BetterWorld Technology turn a static document set into a living operating model.


Healthcare IT leaders reviewing a hospital security and compliance dashboard in a modern operations center.

Why a Project Mindset Undermines Healthcare IT Compliance

When leadership treats compliance as a project, the organization usually focuses on visible artifacts: policies, assessments, attestations, remediation lists, and deadlines. Those things matter, but they are outputs, not the operating model. An organization can hold all the right documents and still carry real exposure underneath: shared credentials, inconsistent device controls, weak onboarding and offboarding, gaps in vendor oversight, incomplete audit visibility, and unclear escalation paths during an incident. All of that can live inside a technically compliant environment.


The Change Healthcare attack of 2024 shows how wide that gap can run. Attackers entered through a server that did not have multifactor authentication enabled, used stolen credentials, moved through the environment for days, and ultimately exposed the protected health information of roughly 190 million people, with an outage that disrupted claims and provider revenue cycles for weeks, as documented in the HHS incident guidance. The danger of the project mindset is that it asks, "Did we finish the work?" when the better question is, "Can we hold this standard every day?" That is why vCISO and integrated risk services at BetterWorld Technology exist: to make the environment defensible, not merely documented.


HIPAA Is an Operating Discipline, Not a Paperwork Exercise

HIPAA gets misunderstood in two directions. Some organizations oversimplify it into a documentation exercise, while others treat it as so overwhelming that they never operationalize it properly. Both approaches create risk. The reality is more practical, because HIPAA is about safeguarding protected health information through administrative, physical, and technical discipline. That means access control, auditability, data handling, device management, incident readiness, workforce training, vendor oversight, and consistency in execution. It is not glamorous work; it is operational work.


Healthcare compliance therefore lives or dies in the daily habits of the organization. If user access is not reviewed regularly, compliance weakens. If endpoint management is inconsistent, compliance weakens. If backup and recovery are assumed rather than tested, compliance weakens. A useful way to make this concrete is to map daily practice to a recognized standard. The HHS 405(d) Health Industry Cybersecurity Practices translate the broader NIST Cybersecurity Framework into healthcare-specific controls, which gives leaders a shared language for measuring whether the environment is actually defensible. Building that foundation well also depends on disciplined cybersecurity operations at BetterWorld Technology and dependable cloud services.


The Real Risk Lives in the Seams Between Teams

Most healthcare organizations do not fail compliance because they do not care. They fail in the seams. One team assumes another owns vendor risk. Operations assumes IT is watching access. IT assumes the application owner is governing usage. Leadership assumes the managed services partner has it handled, and the partner assumes the client has internal controls around workflow and approvals. That is where the gaps form, and the data bears it out: business associates were involved in a large share of the breaches in the federal OCR breach portal, and the most common finding in OCR enforcement remains the absence of a documented, current risk analysis.


Healthcare environments are especially vulnerable to this because they are busy by design. Administrators balance patient service, staffing, scheduling, billing, and regulatory demands while technology spans clinical systems, business systems, mobile workflows, remote access, and third-party platforms. In that kind of environment, informal control models break down fast, which is why hacking incidents now drive the overwhelming majority of the individuals affected by healthcare breaches. Strong organizations do not rely on good intentions; they build systems for continuity, the same discipline reflected in the governance and process work at Working Excellence.


Compliance Programs Require Cadence, Not Just Controls

This is where leaders can make the biggest improvement, because a real compliance program is not just a set of controls. It is a cadence: regular access reviews, regular vendor reviews, regular policy updates, regular user training, regular audit log review, regular backup validation, regular incident exercises, and regular governance conversations between technical and operational leaders. That cadence is what turns compliance into posture.


Without it, even strong controls degrade over time. Systems evolve, exceptions accumulate, people create workarounds, new vendors are added, and users keep access they no longer need. Documentation stops reflecting the environment, and the organization ends up with what is best described as compliance drift: it still believes it is compliant, but the operating reality has moved on. Treating compliance as continuous engineering, much like the digital engineering strategy at Working Excellence, is what keeps the control model aligned with a moving environment.


Governance Has to Survive Turnover and Growth

One of the hardest realities in healthcare is that the environment rarely stands still. Practices grow, systems change, staffing shifts, mergers happen, new locations open, roles evolve, and leadership turns over. If the compliance model depends too heavily on a few individuals keeping everything in their heads, it will eventually break. Governance has to outlast individual memory. A durable program documents ownership, standards, workflows, and decision rights in a way that survives turnover, which makes onboarding cleaner, audits easier, and incidents less chaotic. A Principles First Thinking Framework helps here, because clear principles align leadership on what matters and keep the organization from treating compliance like a yearly scramble.


For administrators and CIOs, the executive actions follow directly. First, name an owner for every domain of the program, from access reviews to vendor oversight, so accountability does not live in the seams. Second, install a published review cadence and hold to it. Third, govern business associates with the same rigor you apply internally. Fourth, align the program to the NIST and 405(d) standards so progress is measurable rather than anecdotal. Fifth, give leadership real visibility into the state of the environment, not just the document set. This discipline becomes even more important as automation and AI move closer to clinical and business operations, because responsible data governance and AI risk management at BetterWorld Technology cannot sit on top of a weak foundation. You cannot innovate responsibly on top of drift.


What Holds Up Over Time

The healthcare organizations that handle compliance well are usually not the loudest about it. They are the most disciplined. They build programs rather than bursts of activity, they connect policy to operations, they review controls continuously, and they align vendors, systems, and people around a clear standard. They understand that compliance is not there to slow the business down; it is there to make the environment more trustworthy, more resilient, and more manageable as complexity grows. We go slow in order to go fast, and in healthcare that principle protects patients as much as it protects the balance sheet, a theme explored further in the leadership commentary at JamesFKenefick.com.


So the better question is not "Are we compliant?" That question is too static. The better question is, "Are we operating in a way that keeps us compliant as the environment changes?" Healthcare IT compliance is not a project. It is a program, and the organizations that treat it that way will be in a far stronger position to protect patients, support operations, and move forward with confidence. For more on how this operating model comes together, see BetterWorld Technology, the strategy perspective at Working Excellence, and the executive writing at JamesFKenefick.com.
