This presentation shares results from a national study of CIOs and CISOs in US healthcare to point out the importance of a balanced information assurance strategy composed of technology, policy, and people. The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996 with both security and privacy requirements. The administrative safeguards of HIPAA require policies and the management of people. Information assurance requires three kinds of controls: technology, policy, and people. The National Institute of Standards and Technology (NIST) Document 800-66, which provides guidance for HIPAA, does not address people controls and does not map well to an accepted information assurance model. Data on breaches in healthcare show that 80-90% of breaches are caused by insiders. This study shows that people management within the organization continues to be important for an enterprise security strategy.