Not having a senior-level person whose job it is to develop and implement security policies and procedures or act as a security point of contact

Risk: Not having a senior-level person whose job it is to develop and implement security policies and procedures or act as a security point of contact

Explanation: Not having a senior-level person who manages your security team can jeopardize the safety of your operations. Although security implementation and maintenance is a team effort, having a capable person who leads that team is equally important. Moreover, the head of security will act as a liaison between the security department and the policy makers. If that link is missing, you might not be able to influence the decisions of your higher-ups when it comes to defining policies and procedures.

Primary Mitigation: Identify the security official who is responsible for heading the security team. Define her role as that of an individual who actively takes part in policy making. Finally, she should be responsible for implementing the policies for strengthening ePHI security.

Success Criteria: Having a senior security officer who actually influences policy making, reviews documentation, runs scans, establishes a secure infrastructure, and strengthens ePHI security as a result.

Source: www.gpo.gov