Implementing an IT governance program in a health care setting is a continuous process that must work within the constraints set by government regulation, current technology, and patients. The health care industry is known for adopting new technology more slowly than most industries, and as new technological advances are applied to it, current policy will most likely gain new provisions that restrict their use. When implementing an IT governance program, health care organizations must always determine how to do so while adhering to HIPAA regulations. In this paper, I will discuss how the history of the health care industry led to the regulations imposed today, and how an IT governance program can be implemented to mitigate the risks associated with IT projects.


The health care industry is a prime example of an industry that holds high-risk information. If a hospital leaks patient information, the patients are at risk for more than just their current health issues. Health care organizations often hold very personal information such as Social Security numbers, home addresses, and the names of family members. All of these items are keys to identity theft and can ruin someone's good name if they fall into the wrong hands. The health care industry has come a long way from paper-based patient files. With electronic health records, health care providers can view hundreds of patient records on a device no larger than a single physical file. Unfortunately, with new technology in place, there are also new ways to steal this information.

History of IT in the Health Care Industry

The health care industry adopts technology at a slower rate than other industries. In the industry's early years, the science and procedures behind health care services were not as efficient as they are today. This was partly due to how health care providers were reimbursed. Since there were few restrictions in the reimbursement programs, health care providers were free to provide services and administer tests without regard to program limitations. This way of providing service created the need to send claims for reimbursement as quickly as possible, so the industry's demand for technology centered on administrative tasks like accounting and insurance coverage rather than on clinical tasks.

A different picture emerges in the 1980s. At this point the cost of health care began to rise, and because of the service habits of the years prior, there was a need to change how service providers were reimbursed. To reduce the cost of health care, insurance companies began to restructure how providers were paid. Now that service providers had to work within constraints, they were forced to innovate and become more efficient in their services. With the invention of the personal computer, vendors started to create applications for health care providers. These applications made it much easier for service providers to track patient history, reduce rework, set reminders for each patient, see information in real time, and send claims in a timely manner.

Since the cost of personal computers was falling, it became much easier for more service providers to purchase them. The ongoing trend in the 1990s was prevention, and prevention of health-related issues changed the way service providers interact with patients. The health care industry used the Internet to help prevent health-related issues, and service providers began to use email as a form of communication in addition to phone calls. The combination of cheaper personal computers and the rise of the Internet gave the health care industry a new service known as telemedicine (Wagner, Lee, & Glaser, 2009).

Threats to Patient Information

The use of the personal computer and applications geared toward health care services led to electronic medical records (EMR) and electronic protected health information (ePHI). EMR and ePHI play a major role in organizing and preserving patient information, and protecting the privacy of this information is a health care provider's legal obligation. Since more patient information is now electronic, it is a necessity to find ways to protect this sensitive information from external and internal threats.

External threats refer to people such as hackers and competitors. Internal threats can include medical assistants, janitors, information technology (IT) personnel, or patients. As IT systems advance, so do the threats to these systems. The more popular the application a health care provider is using, the greater its exposure to external threats, because attackers invest in the targets that give them the largest return. For example, of the three major desktop operating systems in the market today, Microsoft Windows, Mac OS, and Linux, Windows dominates the market and is therefore the target of the most malware. Mac OS and Linux can also be compromised; they see less malware because fewer attackers target them, not because they are inherently safe, so a provider running them still needs the same controls. Without the proper tools and methods to detect threats to patient information, the goal of protecting patient information is nearly impossible. To help health care providers detect intrusions or threats to patient information, Jody Barnes urges them to deploy an intrusion detection system (IDS). An IDS monitors a system or network and notifies the proper authority if an intrusion has occurred. A key point is that an IDS does not prevent an intrusion; its sole purpose is to detect one (Barnes, 2006). In practice that means an IDS only delivers value if someone reviews and acts on its alerts.

When protecting EMR or ePHI, most people automatically assume that the threats are external. Although it is important to protect patient information from external threats, health care providers often neglect to protect it from their own employees. The only way to truly protect patient information is to consider threats from all possible directions (Knitz, 2005). To adequately protect EMR or ePHI, health care providers have the responsibility to ensure that information is confidential, to maintain its integrity and availability, to safeguard against security threats to data, to protect patient information from unauthorized use and disclosure, and to be sure that all employees follow the Security Rule (Hoffman & Podgurski, 2006). The Security Rule is the section of the Health Insurance Portability and Accountability Act (HIPAA) that specifically focuses on the requirements for protecting electronic patient information. An employee can threaten EMR or ePHI simply by forgetting to log off of a workstation. Failing to log off is a threat because anyone who can reach the workstation, including unauthorized employees and non-employees, can review the information displayed on the monitor or act under the logged-in user's identity. Under HIPAA regulations, this scenario is treated as a security incident.

Not all security breaches are intentional. Examples of unintentional breaches include accidentally sending messages to a patient with a similar name, a patient taking a peek at another patient's information because an employee did not store the records properly, or forgetting to log off of a workstation (Knitz, 2005). Intentional security breaches are a more serious matter. These threats include accessing information for one's own benefit instead of the benefit of the patient. One example of an intentional breach is an employee who accesses patient information and searches for Social Security numbers in order to obtain a home loan. Another is someone who gains access to a workstation and uses a portable USB hard disk to make unauthorized copies of patient information. Former employees are a further threat: research conducted by Slaymaker and colleagues found that employees who have been laid off often pose a threat to patient information (Slaymaker, Politou, Power & Simpson, 2004).

Using HIPAA to Mitigate IT Risks

Richard Gartee, author of the textbook Health Information Technology and Management, notes that the HIPAA security standards are organized into three sections: administrative, physical, and technical safeguards. These safeguards can help health care providers create an IT governance program that is HIPAA compliant and reduces the risk of security breaches to patient information. Administrative safeguards are the policies and procedures that meet the security standards required to adequately protect physical and electronic patient health information. Physical safeguards are the physical measures and devices used to protect PHI and ePHI from environmental hazards and unauthorized access. An example of a physical safeguard is storing data backups in a fireproof vault equipped with a secure lock (Gartee, 2011).

Hoffman argues that HIPAA's provisions are only an outline that health care organizations must elaborate on. To improve on HIPAA's administrative safeguards, Hoffman suggests the following:

  1. Select system and application software products based on proven security track records.
  2. Configure installed software so there are few points of entry.
  3. Allow security patches and updates from vendors to be automatically installed.
  4. Set up hardware and software firewalls, anti-virus software, intrusion detection systems, and system monitoring software.
  5. Review audit logs.
  6. Disable certain software only when necessary.
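Item 5, reviewing audit logs, is the control that surfaces the kind of long-running insider misuse described later in this paper, but only if someone actually reads the logs with specific questions in mind. The following is an added example, not code from the paper or from Hoffman: it parses a constructed ePHI access log and applies three review rules (role/action policy, after-hours access, and per-user record volume far above peers). The log format, the role-to-action policy table, the business-hours window and the volume threshold are all assumptions chosen for illustration, and every log line is constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Format is an assumption: one ePHI
# access event per line, key=value fields as an EHR audit module might emit.
SAMPLE_LOG = """\
2012-05-14T08:05:11 user=rn_ada role=nurse action=view patient=P1001
2012-05-14T08:20:47 user=rn_ada role=nurse action=view patient=P1002
2012-05-14T10:30:00 user=rn_ada role=nurse action=update patient=P1003
2012-05-14T09:02:03 user=dr_bo role=physician action=update patient=P1001
2012-05-14T11:45:19 user=dr_bo role=physician action=view patient=P1002
2012-05-14T14:12:44 user=it_dan role=it action=view patient=P1002
2012-05-14T09:15:30 user=tech_cy role=technician action=view patient=P1003
2012-05-14T09:16:02 user=tech_cy role=technician action=view patient=P1004
2012-05-14T09:16:41 user=tech_cy role=technician action=view patient=P1005
2012-05-14T09:17:15 user=tech_cy role=technician action=view patient=P1006
2012-05-14T09:17:50 user=tech_cy role=technician action=view patient=P1007
2012-05-14T09:18:22 user=tech_cy role=technician action=view patient=P1008
2012-05-14T09:18:58 user=tech_cy role=technician action=view patient=P1009
2012-05-14T09:19:31 user=tech_cy role=technician action=view patient=P1010
2012-05-14T23:41:09 user=tech_cy role=technician action=view patient=P1011
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

# Assumed policy: which actions each role may perform on patient records.
# IT staff administer the system but have no clinical need to read records.
ALLOWED_ACTIONS = {
    "physician": {"view", "update"},
    "nurse": {"view", "update"},
    "technician": {"view"},
    "it": set(),
}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59, an assumption for this example


def parse_log(text):
    """Parse audit lines into dicts; malformed lines are reported, not dropped silently."""
    events, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, malformed


def review_log(text, volume_multiplier=3, min_volume=5):
    """Return a list of (rule, user, detail) findings for a human reviewer."""
    events, malformed = parse_log(text)
    findings = [("malformed_line", "-", line) for line in malformed]

    # Rule 1: role/action mismatch against the access policy.
    for ev in events:
        if ev["action"] not in ALLOWED_ACTIONS.get(ev["role"], set()):
            findings.append(("policy_violation", ev["user"],
                             f'{ev["role"]} performed {ev["action"]} on {ev["patient"]}'))

    # Rule 2: access outside business hours.
    for ev in events:
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", ev["user"],
                             f'{ev["action"]} on {ev["patient"]} at {ev["ts"].isoformat()}'))

    # Rule 3: record volume well above peers, the pattern behind bulk snooping
    # or record theft. Distinct patients per user per day, compared with the
    # median across all users active that day.
    per_day = defaultdict(lambda: defaultdict(set))
    for ev in events:
        per_day[ev["ts"].date()][ev["user"]].add(ev["patient"])
    for day, by_user in per_day.items():
        counts = {u: len(p) for u, p in by_user.items()}
        threshold = max(min_volume, volume_multiplier * statistics.median(counts.values()))
        for user, n in counts.items():
            if n > threshold:
                findings.append(("high_volume", user,
                                 f"{n} distinct patients on {day} (threshold {threshold:g})"))
    return findings


def flagged_users(text):
    """Which users need follow-up, and under which rules."""
    summary = defaultdict(set)
    for rule, user, _ in review_log(text):
        if user != "-":
            summary[user].add(rule)
    return dict(summary)


if __name__ == "__main__":
    for rule, user, detail in review_log(SAMPLE_LOG):
        print(f"{rule:17} {user:9} {detail}")
```

On the constructed log this flags it_dan (an IT account reading a clinical record) and tech_cy (eight records in five minutes, far above the peer median, plus a late-night access). The volume rule is relative to peers on purpose: a fixed number would either drown an emergency department in alerts or miss a slow leak in a small clinic.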

Password protection is a hot topic in computer security. The biggest problem with creating passwords is that HIPAA does not prescribe a password policy, so each organization has to define its own.

Often, users create passwords that are easy for them to remember instead of passwords that are difficult to guess. Hoffman also defined a set of criteria for more secure passwords that health care organizations can follow:

  1. Define how users gain access to information and obtain user names and passwords.
  2. Set standards for password length, composition, and degree of randomness.
  3. Passwords should have an expiration date and require a change before allowing access.
  4. Use a secure password storage system.
  5. Train users to properly create passwords and how to handle passwords.
  6. Have a policy in place in the event that passwords need to be revoked.
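Criteria 2, 3, 4 and 6 above can be enforced in application code rather than left to user discipline. The following is an added example, not Hoffman's or the paper's code: a policy check for length, composition and a crude randomness estimate, salted PBKDF2-HMAC-SHA256 storage so that a stolen user table does not yield plaintext passwords, an expiry check, and a revocation flag. The minimum length, the 90-day maximum age, the iteration count, the entropy floor and the tiny deny-list are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os
import re
import time

# Assumed policy values: HIPAA sets none, so the organization has to pick them.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
MIN_ENTROPY_BITS = 40
MAX_AGE_SECONDS = 90 * 24 * 3600   # force a change every 90 days
PBKDF2_ITERATIONS = 600_000        # work factor for stored hashes
# Constructed deny-list; a real deployment checks a large breached-password set.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "hospital2012", "letmein"}

CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
CLASS_SIZES = [26, 26, 10, 33]


def estimate_entropy_bits(password):
    """Crude randomness estimate: distinct characters times log2 of the alphabet
    they are drawn from. Repeated characters add nothing, so 'Aaaaaaaaaaa1!' scores low."""
    alphabet = sum(size for pattern, size in zip(CHARACTER_CLASSES, CLASS_SIZES)
                   if re.search(pattern, password))
    return len(set(password)) * math.log2(alphabet) if alphabet else 0.0


def check_password_policy(password, username=""):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append("too predictable (low estimated entropy)")
    return problems


def hash_password(password, iterations=PBKDF2_ITERATIONS, now=None):
    """Build the record the user store keeps: a random salt and a slow, salted hash.
    The plaintext password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": digest.hex(),
        "created": time.time() if now is None else now,
        "revoked": False,
    }


def revoke_password(record):
    """Criterion 6: a revoked password fails verification even when it is correct."""
    record["revoked"] = True


def verify_password(password, record, now=None):
    """Return 'ok', 'bad', 'expired' or 'revoked'. Only a correct password learns
    anything beyond 'bad', so guessing reveals no account status."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(digest, bytes.fromhex(record["hash"])):
        return "bad"
    if record["revoked"]:
        return "revoked"
    now = time.time() if now is None else now
    if now - record["created"] > MAX_AGE_SECONDS:
        return "expired"
    return "ok"


if __name__ == "__main__":
    for candidate in ["password1", "Aaaaaaaaaaa1!", "Correct-Horse-Battery-9"]:
        print(candidate, check_password_policy(candidate) or "accepted")
    record = hash_password("Correct-Horse-Battery-9")
    print(verify_password("Correct-Horse-Battery-9", record))
```

The entropy estimate is deliberately simple; its job is to reject strings that satisfy the composition rule while being trivially guessable, such as one letter repeated with a digit and a symbol appended. The stored record holds only salt, iteration count and hash, so criterion 4 is met by construction rather than by policy text.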

As Hoffman studied the physical safeguards in HIPAA, he noticed several key items that are not covered. Assuming that the HIPAA Security Rule has not changed since his research, he believes that physical safeguards should also cover the following:

  1. Health care organizations should describe the nature of appropriate access control and validation procedures.
  2. Discuss relevant technologies such as proximity card access systems and biometric systems.
  3. Relate the risks associated with particular roles to the type of validation required.
  4. Explain the relevance of facility access controls to mobile devices such as laptop computers and hand held devices such as smart phones and personal digital assistants.
  5. Cite any sources addressing these issues.

According to Hoffman, at the time of his research the HIPAA Security Rule did not offer detailed guidance on technical safeguards. A large part of the technical safeguards relates to the encryption of patient information. The Security Rule calls for a mechanism to encrypt and decrypt ePHI, but it lists this as an "addressable" implementation specification (a covered entity must either implement it or document why an alternative is reasonable and appropriate), and it does not state what type of encryption to use. Another gap in the technical safeguards has to do with wireless networks. The Security Rule has guidelines for communication networks, but it is unclear whether the same guidelines apply to wireless communications or networking.

Even though Hoffman points out the shortcomings of the HIPAA Security Rule, HIPAA continues to provide a strong launching point for health care providers when they start to form an IT governance program that mitigates IT-related risks and is HIPAA compliant. Health care organizations and providers must remember that performing a few of the safeguards mandated by HIPAA does not amount to HIPAA compliance. Every required safeguard must be implemented, and every addressable one must be implemented or its alternative documented, to achieve compliance.

Barriers to IT Investments

Although there are many technological advancements in the world today, the health care industry has not adopted them as fast as other industries. Porter and Teisberg believe that financial incentives are a necessary tool to help health care organizations invest in IT. Such incentives should be awarded to health care organizations that compete in a way that promotes innovation and value creation. At the time of their research, Porter and Teisberg believed that health care organizations were locked in zero-sum competition. Zero-sum competition describes a situation in which whatever one party gains, the other party loses in equal measure (Porter & Teisberg, 2004). They believe the health care industry is trapped in zero-sum competition because costs are shifted between stakeholders instead of being lowered. To compete in a way that promotes innovation and value creation, participants in the health care industry would need to compete on prevention, diagnosis, and treatment. At present, the industry competes on health plans for new subscribers, health plan networks, offering more services without specialization, and payment for services. This kind of competition is believed to raise the cost of health care and provide less innovation and value creation, giving health care organizations and providers fewer opportunities to use profits to take advantage of IT.

Along with the issues raised by Porter and Teisberg, Regina Herzlinger believes there are more forces that hinder the use of IT in the health care industry. Porter and Teisberg's findings point out that the industry has difficulty investing in IT because of financial constraints; Herzlinger argues that stakeholders, current policy, and technology itself also hinder the use of IT. Stakeholders such as insurance companies can stop innovation because they control which treatments will be allowed and paid for. Current policies have a strong effect on the industry because they may offer incentives only for certain market trends. For instance, if the hot topic at the time is finding a cure for the common cold, incentives will only be available for health care organizations working on that cure. Technology itself can also slow the use of IT because of how fast it evolves. If a health care organization invests in a new technology too late, it may not be able to reap the benefits and gain the competitive advantage it expected. Because of this speed of evolution, technology is a risky investment for the health care industry: it is unknown when a technology will become obsolete or how long it will be supported after it is deemed obsolete. The initial investment in any kind of IT governance program or infrastructure is a burden that health care organizations carry, implementing such a program is complex, and the return on investment is unknown.

The Need for IT Governance in Health Care

IT governance is a reflection of an organization's business objectives and performance goals. The trend across most industries is that IT governance enables organizations to improve operations, which leads to a reduction in costs (Weill & Woodham, 2002). In the health care industry specifically, IT governance is a business enabler that cannot be ignored. With proper IT governance, health care providers can effectively safeguard their information from security breaches and comply with HIPAA regulations. IT governance carries an initial cost that providers may be reluctant to pay, but this cost is far less than the potential losses from not implementing it. Because all health care providers must follow HIPAA regulations, IT governance is now a necessity. It also plays a major role in a provider's reputation: IT governance can determine the reputational and legal liability of a health care provider (Ulsch & Bamberger, 2006).

One of the most noticeable impacts on a health care provider's reputation is an information security breach. A security breach is any event that compromises the security and privacy of patient information. In 2012, Kaiser Health News, in collaboration with The Washington Post, published an article titled "As Patients' Records Go Digital, Theft And Hacking Problems Grow" that summarizes several notable breaches. In one case, a medical technician at Howard University Hospital was sued because she abused her authorized access to patient information by selling it over a period of more than 17 months. Another case from the article involves a stolen laptop: a contractor for Howard University Hospital downloaded patient files onto a personal laptop, and later the same day the laptop was stolen from the contractor's car. Because of this event, the hospital had to notify 34,000 patients that their data had been compromised (Schultz, 2012).

The situations described in the article are a good illustration of why proper IT governance is required in the health care industry and of the effect a breach has on reputation. Because of these mistakes, Howard University Hospital must take time to create and roll out new policies and procedures. On top of this task, it must keep patients at ease and monitor for misuse of the stolen information. Not only will Howard University Hospital need to implement new security practices, but it is also liable for any damages each patient may suffer from these incidents. Because there were multiple security breaches at the same hospital, Howard University Hospital may lose current patients and miss the opportunity to attract new ones. IT governance can help health care providers prevent these kinds of problems because it guides them in making IT decisions that deliver value, enable the business, and control IT-related risks. The first step in implementing an effective IT governance program and making sure that IT decisions deliver value is to foster an environment that allows alignment between the provider's goals and IT activities. The greatest risk in implementing an IT governance program is that IT-related activities clash with the overall business goals. Although health care is thought of as a different kind of industry, it is still a business at heart. The business units within the health care organization need to cooperate with IT personnel to ensure that IT-related decisions actually match what the organization wants to accomplish. It is not enough for business units to tell the IT department that they want a system to organize patient information. Business units need to be more specific and say that they want a system to organize patient information that adheres to the ICD-10, HL7, and DICOM standards and complies with HIPAA. The IT department must also actively communicate with the business units instead of simply agreeing to make things happen. It needs to educate the business units on the risks, limitations, and requirements of such activities.

Due to the nature of the industry, IT governance in health care must comply with federal regulations for security and privacy, with business process management, and with constant changes to reimbursement systems (Lutchen & Collins, 2005). Because of these variables, IT governance in the health care industry is a continuous process and must be able to adapt to change. Fortunately for health care providers and organizations, the HIPAA Security Rule has sections that outline what needs to be done to mitigate risks. In essence, HIPAA provides a road map for health care organizations to follow in implementing a compliant IT governance program. What the organization needs to do is determine how to follow that outline. Although HIPAA tells health care organizations what to do to mitigate risks, it does not explicitly tell them how. For example, one safeguard in the HIPAA Security Rule is that workstations should automatically log users off after a period of inactivity. The Security Rule tells providers that this needs to be done, but it does not say how long the period should be or how to implement it. Since the HIPAA regulations are structured this way, health care providers and organizations have the flexibility to implement what they feel is appropriate as long as it complies with HIPAA.
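As an added example of the "how" for the automatic logoff safeguard just mentioned (this is not code from the paper or from any cited source), the session manager below enforces an idle timeout and an absolute timeout on the server side, ends the session on the next request after the window has passed or during a periodic sweep, and records every forced logoff for the audit log. The timeout values, the token format and the method names are assumptions chosen for illustration.

```python
import secrets
import time

# Assumed timeouts: the Security Rule requires a policy but sets no values.
IDLE_TIMEOUT = 10 * 60        # seconds without activity before forced logoff
ABSOLUTE_TIMEOUT = 12 * 3600  # seconds after login before re-authentication


class Session:
    def __init__(self, user, workstation, now):
        self.user = user
        self.workstation = workstation
        self.created = now
        self.last_activity = now


class SessionManager:
    """Server-side session store that enforces automatic logoff.

    The checks run on the server, so a disabled client-side screen saver or a
    workstation someone walked away from cannot keep a session alive.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_timeout=ABSOLUTE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions = {}   # token -> Session
        self.audit = []       # (timestamp, user, workstation, event)

    def login(self, user, workstation, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[token] = Session(user, workstation, now)
        self.audit.append((now, user, workstation, "login"))
        return token

    def _expiry_reason(self, s, now):
        if now - s.created > self.absolute_timeout:
            return "absolute_timeout"
        if now - s.last_activity > self.idle_timeout:
            return "idle_timeout"
        return None

    def _end(self, token, now, reason):
        s = self._sessions.pop(token)
        self.audit.append((now, s.user, s.workstation, reason))
        return s

    def touch(self, token, now=None):
        """Call on every request. Returns True if the session is still valid.

        A session past its window is ended here even if no sweep has run yet,
        so a late request is refused and audited, never silently honoured.
        """
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return False
        reason = self._expiry_reason(s, now)
        if reason:
            self._end(token, now, reason)
            return False
        s.last_activity = now
        return True

    def logout(self, token, now=None):
        now = time.time() if now is None else now
        if token in self._sessions:
            self._end(token, now, "logout")

    def sweep(self, now=None):
        """Run periodically: end sessions whose user never came back."""
        now = time.time() if now is None else now
        ended = []
        for token in list(self._sessions):
            reason = self._expiry_reason(self._sessions[token], now)
            if reason:
                s = self._end(token, now, reason)
                ended.append((s.user, s.workstation, reason))
        return ended

    def active_users(self):
        return sorted(s.user for s in self._sessions.values())


if __name__ == "__main__":
    m = SessionManager(idle_timeout=600, absolute_timeout=3600)
    token = m.login("rn_ada", "ws-er-03", now=1000.0)
    print(m.touch(token, now=1500.0), m.touch(token, now=2200.0))   # True, then False
    print(m.audit[-1])
```

The absolute timeout is what makes an unattended but still-active workstation re-authenticate at least once per shift; the idle timeout is what the Security Rule's automatic logoff safeguard asks for. Both are enforced from the session store rather than from the client so that the policy survives a user disabling the screen lock.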

Technology is changing every minute. There may be a new invention, threat, opportunity, piece of knowledge, business process, or regulation that forces people to change. The health care industry must be ready for these changes, because a change in any of these variables can change how the health care system works. We have experienced this first hand. In the past, if we wanted to see what was in our medical records, we needed to visit our doctor's office. Today, we have the option of viewing our information online. Innovations like this will always carry risk, and the health care industry will need to find solutions that provide these services while reducing the risk of security breaches.


Implementing IT governance in a health care setting has its challenges, as in any other industry. Such challenges include finding relevant business metrics and aligning business goals with IT projects. Without the correct metrics, the health care organization will have more difficulty determining whether it is creating value, which may lead to increased operational costs. Aligning business goals with the appropriate IT projects matters because it also has a direct relation to the value that is created. Venturing into a project that only partially meets the business goals forces the organization to either start another project, perform rework, change the budget, or change the scope.

There are three IT governance structures normally seen in the health care industry: centralized, decentralized, and federal IT governance. Of these three, federal IT governance stands out as the ideal structure. In this structure, IT and business units share responsibility for IT-related decisions. A federal IT governance structure is more fluid than the others; Wilkin and Riddett believe this is because it promotes the use of cross-functional teams to make decisions.

According to Wilkin and Riddett, to implement IT governance in a health care setting, the organization should create an IT governance program that is based on the principles of the PMBOK but adheres to the requirements of HIPAA. Following the principles outlined in the PMBOK allows health care organizations to develop a standard for managing their IT projects and to have consistency across every IT-related project.

My recommendation for health care organizations that want to start implementing an IT governance program is to first establish a team to lead the organization toward that goal. With any kind of disruptive change, organizations need the support of C-level executives. The team created to lead this change should include the CEO, CIO, CRO (chief risk officer), CLO (chief legal officer), CFO, CHO (chief human resources officer), CAO (chief audit officer), and CMO (Ulsch & Bamberger, 2006). After establishing a team that can lead and support the implementation, the next step is to evaluate the current state of the organization's corporate governance. The organization should fully understand how its business needs to operate. HIPAA provides the baseline of guidelines that health care organizations need to follow, but in addition to HIPAA they are also subject to other federal regulations and to state regulations that determine whether they will be able to operate. For example, a health care organization in Florida will need to adhere to HIPAA, but may not have to follow the same state regulations as one in California. In addition to these external factors, the organization should study how decisions are made internally and establish proper authoritative roles.

Next, health care organizations should follow the processes and procedures outlined in the PMBOK. I believe that pairing HIPAA with the PMBOK will help health care providers develop an ideal IT governance program. As mentioned earlier, this combination helps develop structure and consistency between IT projects. Ideally, a health care organization should have a project management office in place to control which projects are supported. For any framework or program to succeed, active participation and collaboration between stakeholders is necessary.

Generally, the stakeholders in a health care organization include the business owner, doctors and staff, government, insurance companies, employers, and patients. Without proper communication among these parties, the health care organization cannot create appropriate business goals or understand the requirements and constraints of each stakeholder.


The evolution of IT has made it more attainable for health care organizations to follow HIPAA regulations. Through the use of IT, the industry has also been able to establish standards such as HL7 and DICOM that make it easier to share patient information between offices. It is because of these advancements in technology that the industry faces new threats to patient information. In the past, health care providers protected physical patient records with a file cabinet, and if patients went to multiple providers, their information was scattered across multiple locations.

Today we face a similar issue, but electronic records are now included. Although the technology and the threats have changed, the overall goal is still the same: the security, integrity and privacy of patient information remain the top priority. With an IT governance program in place, health care organizations can better manage the security goals outlined by HIPAA. IT governance helps health care organizations establish policies that lead them toward practices that maintain alignment with business goals and create value. The value that health care organizations can achieve through IT governance will not be seen overnight; implementing IT governance is a process that needs to be revised often to keep up with changes in the health care industry.


Barnes, J. (2006). Intrusion detection systems in hospitals. Unpublished manuscript, East Carolina University, Greenville, North Carolina. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=

Herzlinger, R. E. (2006). Why innovation in health care is so hard. Harvard Business Review, 1-11.

Hoffman, S., & Podgurski, A. (2006). Securing the HIPAA Security Rule. Legal Studies, Case Western Reserve University, Cleveland, Ohio. Retrieved from http://ssrn.com/abstract=953670

Knitz, M. (2005). HIPAA compliance and electronic medical records: Are both possible? Bowie State University, Maryland, Europe.

Lutchen, M., & Collins, A. (2005). IT governance in a health care setting: Reinventing the health care industry. Journal of Health Care Compliance, 7(6), 27-30. Retrieved from http://search.proquest.com/docview/227910249?Accountid=25283

Porter, M. E., & Teisberg, E. O. (2004). Redefining competition in health care. Harvard Business Review, 1-13.

Schultz, D. (2012, June 03). As patients’ records go digital, theft and hacking problems grow. Kaiser Health News. Retrieved from http://www.kaiserhealthnews.org/Stories/2012/June/04/electronic-health-records-theft-hacking.aspx

Slaymaker, M., Politou, E., Power, D., & Simpson, A. (2004). e-health security issues: the e-diamond perspective. Unpublished manuscript, University of Oxford, Retrieved from http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

Ulsch, M., & Bamberger, J. (2006, March). Sound IT governance requires breadth & depth. Financial Executive.

Wagner, K., Lee, F., & Glaser, J. (2009). Health care information systems. (2nd ed.). San Francisco, CA: Jossey-Bass.

Weill, P., & Woodham, R. (2002). Don’t just lead, govern: Implementing effective IT governance. Rochester: doi:http://dx.doi.org/10.2139/ssrn.317319

Wilkin, C. L., & Riddett, J. (2009). IT governance challenges in a large not-for-profit healthcare organization: The role of intranets. Electronic Commerce Research, 9(4), 351-374. doi:http://dx.doi.org/10.1007/s10660-009-9038-0

*IMPORTANT NOTE CONCERNING PLAGIARISM: Please do not plagiarize this case study. This original work was produced by Dennis Nguyen and has also been submitted to turnitin.com. If you use information from this case study, remember to reference Dennis Nguyen. If you have more questions, you are welcome to contact us.
