When I first was introduced to the infosec subculture in the 1990s, there seemed to be very few of us in healthcare provider organizations with official security roles. And we were mostly "stuckees" who just fell into the job. (You know, someone in charge pointed at you and said, "You're now our security person.") You'd think patient privacy, and, thus, security, would be embraced, but it wasn't so. Doctors and nurses swore they already were privacy sensitive. And, after all, we weren't banks holding money to be stolen… Who'd want to steal our databases with a few million boring medical records?