A great article on mature security programs from one of the leading healthcare CIOs, John D. Halamka.
A mature program uses a framework such as NIST 800 to serve as a rubric for stakeholder analysis of risk. Such a framework ensures that stakeholders consider all the elements of risk and not just the ones that are top of mind for the experts in the room. Risks can include physical security, mobile devices, human factors (including staffing levels that concentrate expertise in too few people), configuration policies, and the timeliness of audit log reviews. In the past, many CIOs in healthcare have been given enough security staff to support operations but not enough staff to create the processes, policies, and documentation that reflect a mature, optimized program.
via Life as a Healthcare CIO