by watertom 2414 days ago
Cyber security standards are in place to make the process easier to understand for the non-technical executives, who approve the budgets.

Without the standards the executives don’t know who they should believe, and invariably they believe the guy who sounds and acts like themselves, which means he knows as much about cyber security as the executives.

If you know what you are doing regarding cyber security, AND you are doing all the right things, HITRUST compliance is a cinch.

If you don’t know what you are doing regarding cyber security, HITRUST at least gives you a fighting chance. But then that’s the rub: if you don’t know what you are doing, why are you running cyber security?

2 comments

And how does this seemingly absurd exercise make hospital information systems more secure? These non-technical executives are also probably not aware of the intricacies of a knee replacement surgery... and shouldn’t be... these execs should be hiring and trusting skilled practitioners both in the operating room and in the information security dept., NOT injecting their ignorance of these disciplines into the process of ensuring good patient outcomes or security of patient information.
I think they are intended to be helpful, but they are adopted as CYA that have the side benefit of improving security.
> that have the side benefit of improving security

Sometimes. Other times they have the side effect of worsening security, as line employees have to deal with bullshit "security" rules and invent undocumented, untracked workarounds just to be able to do their jobs at all.